
Mac Users Hit by Rare Ransomware Attack, Spread via Transmission BitTorrent App

Posted on March 6th, 2016 by


KeRanger Mac Ransomware

Mac owners who use the open source Transmission BitTorrent client are being warned that a version of the installer was distributed via the app's official website, infected with a new family of ransomware.

It is believed that hackers managed to compromise the installer of Transmission version 2.90 on its download site on Friday, March 4, in order to spread ransomware that researchers at Palo Alto Research have dubbed "KeRanger."

The outcome is that if you were unfortunate enough to install Transmission 2.90 onto your Mac, your computer may now be the digital equivalent of a ticking time bomb: KeRanger waits three days before awakening, encrypting your documents and data files, contacting its command-and-control servers, and demanding that a one bitcoin (approximately $400) ransom be paid for your data's safe return.

According to the researchers, the KeRanger malware also attempts to encrypt Time Machine backup files, no doubt in an attempt to make it harder for victims to recover their precious data without paying the extortionists.

And don't imagine that OS X's built-in Gatekeeper protection would have saved you, as it appears that the poisoned KeRanger app was signed with a valid Mac app development certificate.

A message on the official Transmission website confirms the threat to users, and advises that they "immediately upgrade" to version 2.92:

Transmission warning

Everyone running 2.90 on OS X should immediately upgrade to 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the "OSX.KeRanger.A" ransomware (more information available here) is correctly removed from your computer.

Palo Alto's research team report that Apple has now revoked the digital certificates that the malware attack was abusing, and updated the rudimentary XProtect anti-virus protection built into the OS X operating system. Furthermore, the malicious downloads have now been removed from the Transmission website.

As MacRumors reports, the app is alerting users with a bright red warning when it informs them that an update is available:

Transmission update warning

Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file. Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like "/Users//Library/kernel_service". If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.

Apple has since revoked the abused certificate and updated its XProtect anti-virus signatures, and the Transmission Project has removed the malicious installers from its website. Intego's malware research team has also updated its VirusBarrier anti-virus definitions to detect the ransomware, identified as OSX/KeRanger.

Quite how the Transmission installer package managed to become infected is as yet a mystery. One natural theory is that the attackers exploited a security vulnerability on the website to replace the binary, having recompiled its open source code after incorporating the malware.

Reuters is reporting that this is the first time Mac users have been threatened by ransomware — which is a commonly encountered threat on Windows computers.

However, that's not quite telling the whole story. Ransomware has admittedly rarely reared its ugly head on the OS X platform, but security researchers have been warning that there is no technical reason why extortionists might not target users of Apple's operating system just as they have on Windows.

For instance, in 2014 researchers warned of Mac ransomware called "FileCoder," which they described as "unfinished." More recently, last November, researcher Rafael Salema Marques produced a functional proof of concept of ransomware that he called Mabouia.

Mabouia proof of concept ransomware

And two months earlier OS X security researcher Pedro Vilaça published the code of his own Mac ransomware as a warning of what was possible.

Could this be the beginning of more ransomware attacks for Mac users? It would be a brave man who would bet against it.

The fact is that ransomware has proven to be a successful way to extort money out of Windows users, and there is little doubt that online criminals will be tempted to turn the same threat on Mac users too — especially as there continue to be many Mac users who have fooled themselves into believing that they do not need to take basic security precautions, such as running Mac anti-virus software.

Whether you are running Windows or OS X on your computer, the way to reduce the threat of ransomware blackmailing you for the safe return of your data is the same:

  • Make regular backups of your important data, and keep them separate from your computer (to prevent the malware from trying to meddle with your backups too).
  • Run up-to-date anti-virus software and keep your computer's operating system and applications patched against the latest vulnerabilities.
  • Always be suspicious of unsolicited links and attachments you are sent, and source your applications from reputable sources to reduce the chances that they have been tampered with.

Of course, the final piece of advice is to stay on your guard.

We know that criminals attempted to spread their OS X ransomware via a poisoned version of the Transmission app. What we don't know is whether any other apps have been similarly meddled with, and it would be foolhardy to assume that whoever is behind this particular attack won't try again, or won't continue to develop their malware.

Sadly it seems clear that ransomware has well and truly arrived for OS X.

Editor's Update, March 7: This post was originally published March 6, but we have updated it for clarity and conciseness.

How to tell if infected and remove the ransomware

Intego VirusBarrier with up-to-date malware definitions detects and eradicates the ransomware as OSX/KeRanger. Of course, you may also choose to manually remove KeRanger if your machine is infected.

To do so, open Activity Monitor and check for a process named kernel_service. (The infected kernel_service process starts when the Transmission app v2.90 is opened.)

kernel_service process

If this process is running, you must manually remove the ransomware, as it will reload even if you force quit it. If kernel_service is running, double-click it to see more information about the process, and then select the "Open Files and Ports" pane.

In Open Files and Ports, check for the file name:

/Users/<username>/Library/kernel_service

If that file exists, then you have found OSX/KeRanger's main process. Terminate the process using Quit > Force Quit.

Once you have force quit the process, use Spotlight to find out if any of the following files exist in the ~/Library directory:

  • .kernel_pid
  • .kernel_time
  • .kernel_complete
  • .kernel_service

If you see any of these files, delete them from your system.

We also recommend Mac users check for any infected Transmission apps. To do so, open Terminal and enter the following commands:

ls /Applications/Transmission.app/Contents/Resources/General.rtf

ls /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf

If the Terminal returns file permission details for one of these files, you should delete the application immediately.
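The three manual checks above (the kernel_service process, the hidden .kernel_* files in ~/Library, and the General.rtf resource in the Transmission bundle) gathered into one read-only script. This is an added example written for this article, not code from Intego, Palo Alto or the Transmission Project; the directory arguments are assumed parameters so the same functions can be run against a test directory, and the script only reports indicators, leaving removal to the steps described above.

```shell
#!/bin/sh
# Added example, not from the article: report-only checks for the KeRanger
# indicators the article lists. Directory arguments are assumed parameters
# so the checks can be pointed at a constructed test directory.

# Hidden state files and the main binary the article says KeRanger drops in ~/Library.
KERANGER_LIBRARY_FILES=".kernel_pid .kernel_time .kernel_complete .kernel_service kernel_service"

# keranger_check_library LIBDIR: print each indicator present under LIBDIR.
# Returns 0 if at least one was found, 1 if the directory looks clean.
keranger_check_library() {
    libdir="$1"
    found=1
    for name in $KERANGER_LIBRARY_FILES; do
        if [ -e "$libdir/$name" ]; then
            echo "indicator file: $libdir/$name"
            found=0
        fi
    done
    return "$found"
}

# keranger_check_app APPDIR: 0 if the bundle carries the General.rtf resource
# that the article says marks the trojanised Transmission 2.90 build, else 1.
keranger_check_app() {
    [ -e "$1/Contents/Resources/General.rtf" ]
}

# keranger_check_process: 0 if a process named kernel_service is running.
# ps -o comm prints a bare name on Linux and a full path on OS X, so match both.
keranger_check_process() {
    ps -A -o comm= | grep -Eq '(^|/)kernel_service$'
}

# keranger_scan [HOME]: run all three checks on the live system and count hits.
# Exit status is 0 only when nothing was found.
keranger_scan() {
    home="${1:-$HOME}"
    hits=0
    keranger_check_process && { echo "process kernel_service is running"; hits=$((hits + 1)); }
    keranger_check_library "$home/Library" && hits=$((hits + 1))
    for app in /Applications/Transmission.app /Volumes/Transmission/Transmission.app; do
        keranger_check_app "$app" && { echo "trojanised bundle: $app"; hits=$((hits + 1)); }
    done
    echo "KeRanger indicators found: $hits"
    [ "$hits" -eq 0 ]
}
```

Source the file in Terminal and run `keranger_scan`; a non-zero exit status means at least one indicator was found and the manual removal steps above apply.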

Intego will continue to update this story as new information becomes available. Check back later for more details!

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • Nigel Straightgrain

    The article advises users to keep their backups “separate from your computer (to prevent the malware from trying to meddle with your backups too)”. I presume that means any volume that is mounted on the desktop is vulnerable to this ransomware.
    But what about a drive installed in one of the Mac’s internal drive bays (for the Mac Pro 5.1) or connected via Thunderbolt (for the Mac Pro 6.1), but NOT mounted on the desktop? Can the malware affect them too?
    It seems to me that the only way such drives (or volumes) could be affected would be if the malware could force them to mount. The article doesn’t specify whether KeRanger has that capability.

    • Coyote

      ‘I presume that means any volume that is mounted on the desktop is vulnerable to this ransomware.’

      Correct. Backups should always be separate and if you have to have it mounted then you should look into extra permissions whether ACLs generally or immutable modes for all times except when you’re backing up (which if you can and are knowledgeable enough it should be automated, nightly being the least intrusive [but I won’t get into backup cycles]).

      You could also consider not having the ability to modify the backups as an unprivileged user (and obviously you should remain unprivileged for normal use) perhaps in addition to the above.

      More importantly: whether or not it has the ability to mount volumes would depend on its permissions (the process’s permission) and what users are allowed to mount which volume(s). But you should assume the worst so you can prepare for the worst. If you can also have remote backups then all the better (in addition, mind). And I’ll lastly say this: backups should be external. If it’s internal then what happens if there is a physical problem that destroys the drives? That’s only one example (and things tend to break down all at once or shortly after each other, something I think most everyone has experienced at least once or twice). I would go so far as to argue that an internal ‘backup’ isn’t really a true backup.
