For the first time ever, Apple has been forced to shut down a ransomware attack targeting Mac users running OS X. The file-encrypting malware is embedded in version 2.90 of the BitTorrent client Transmission and demands a bitcoin payment of approximately $400. If you are using Transmission 2.90, you are advised to delete it immediately. Here are the steps you need to take.
Image: Daniel Dudek-Corrigan
Transmission issued a warning to Mac users over the weekend that its free BitTorrent client may have been infected with malware. The KeRanger attack is thought to be the first fully-functional instance of ransomware to specifically target Apple machines. Mac owners who wish to continue using Transmission should immediately upgrade to version 2.92, which will actively remove the malware.
Enterprise-level security solutions provider Palo Alto Networks was the first to spot the malware. According to the company’s blog, the attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. The installers were signed with a legitimate certificate issued by Apple which allowed the code to bypass Apple’s Gatekeeper protection.
“It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred,” Palo Alto explained.
When a user installs the infected apps, an embedded executable file is run on the system. After three days of lurking, the malware connects with command and control (C2) servers over the Tor anonymiser network and starts encrypting data on the system. Victims are then asked to pay one bitcoin to retrieve their inaccessible files.
The Transmission Project has since removed the malicious installers from its website, while Apple has revoked the certificate and updated its XProtect antivirus signatures to ensure infected users receive a warning.
Users who have directly downloaded the Transmission installer on or before March 5 are advised to perform the following security checks:
- Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either of these exists, the Transmission application is infected and we suggest deleting this version of Transmission.
- Using “Activity Monitor”, preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double-check the process, choose “Open Files and Ports” and check whether there is a file name like “/Users/<username>/Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
- After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, you should delete them.
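The three checks above, scripted as an added example (this is not code from the article or from Palo Alto Networks). The file checks take a filesystem root and a home directory as parameters so they can be exercised against a constructed test tree; on a live Mac the `keranger_scan` function runs them against `/` and `$HOME`, and `pgrep` (shipped with OS X) is assumed for the process check.

```shell
#!/bin/sh
# Added example: scripted KeRanger indicator checks. ROOT and HOME are
# parameters so the file checks can run against a constructed test tree.

# Report KeRanger files under ROOT and HOME. Returns 0 when clean, 1 when any is found.
keranger_file_check() {
  root="${1%/}"; home="${2%/}"; found=0
  # Indicator 1: the General.rtf the infected installers drop into the app bundle.
  for f in "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
           "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"; do
    if [ -e "$f" ]; then echo "infected installer indicator: $f"; found=1; fi
  done
  # Indicator 3: the state files and executable KeRanger keeps in ~/Library.
  for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
    if [ -e "$home/Library/$name" ]; then echo "runtime indicator: $home/Library/$name"; found=1; fi
  done
  return $found
}

# Indicator 2: a running process named kernel_service (only meaningful on the live machine).
# Returns 0 when none is running, 1 when one is found.
keranger_process_check() {
  if pgrep -x kernel_service >/dev/null 2>&1; then
    echo "running process: kernel_service (PIDs: $(pgrep -x kernel_service | tr '\n' ' '))"
    return 1
  fi
  return 0
}

# Live scan of this machine: print every indicator and exit non-zero if any is present.
keranger_scan() {
  status=0
  keranger_file_check / "$HOME" || status=1
  keranger_process_check || status=1
  [ "$status" -eq 0 ] && echo "no KeRanger indicators found"
  return $status
}

# Run the live scan only when invoked as: sh keranger_check.sh --scan
if [ "${1:-}" = "--scan" ]; then keranger_scan; fi
```

The script only reports; deleting the files and force-quitting the process remain manual steps as described above.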
For a technical breakdown of how the KeRanger attack works, head to the Palo Alto Networks website.
[Via Palo Alto Networks]
Comments
13 responses to “If You’ve Gotten Ransomware On Your Mac Lately, Here’s What You Need To Do”
BUT… BUT… MACS DON’T GET VIRUSES!!!!!!!
man, it really sucks for the poor sods dealing with this crap. complete sympathy.
but the number of times I’ve heard the macs-are-better-coz-they-don’t-get-viruses argument makes me sick. & I hope these affected users didn’t buy their things coz some jerk in the store ran with that line.
anyway. I really hope the people who are unfortunate victims of this one up their anti-virus game as a result.
The reality is that while obviously there are viruses out there for Macs, they are very few and far between, and even amongst those, most are stopped by the OS if you are even vaguely up to date. I do contract work for pretty much all of the IT places in town, and while about 1/4 of the clients are Mac clients, and we have a few Linux clients, I’ve not had a single virus problem on a Mac or Linux client machine in the last ten years, whereas I literally have lost count of the number of badly infected Windows machines both for home users and businesses.
If you have a Mac, you need to be careful like anyone else, they are not immune, but the chance of being hit is orders of magnitude less.
I’m glad they found this quickly, and acted on it and got the word out, ransomware is an insidious arsehole of an invention.
Always had the suspicion that the scarcity of viruses on macs & linux systems was simple maths.
More users on Windows (in particular most businesses) = higher chance of finding a less than savvy user / machine with out of date protection = more arseholes targeting the OS.
In the end, users gotta take the necessary steps to protect themselves to the best of their ability.
Alternative is that jerks stop being jerks. But that’s unlikely.
It’s probably worth noting this isn’t the first ransomware to affect OSX, there are scattered reports that Cryptowall 2 (but not 3) was able to affect OSX machines a few years back, the FBI ransomware-but-not-really that tricked several people into handing over money, plus there was a full-fledged proof of concept released late last year that only took the guy a few days to write.
Scarcity due to low popularity is a significant factor, if not the biggest. There is actually more iOS malware than OSX malware around at the moment, including full-fledged iOS ransomware.
The maths is pretty simple mate. Macs have ~10% market share. If they were equally vulnerable to viruses 1 in 10 viruses would be aimed at Macs. But since the number is more like 1 in 1,000+ then Macs obviously do better.
An even 1 in 10 is being generous. Considering almost no Mac users have antivirus software they should be getting the majority of viruses. But that’s clearly not the case.
A lot of the Windows malware side of things is caused by people who don’t keep their systems up to date. Microsoft has a fairly solid track record when it comes to security (their openness, speed and frequency are all well above Apple, about on par with the better Linux distros), but it requires people actually update when the updates are available, not every 3-6 months when they get sick of the update popup nagging them.
Dad and Mum are almost in their 70s these days and a couple of years back, probably 2 or 3 now, I remember him getting sucked into that whole ‘this is Microsoft’ spiel by those con artists. They had his PC locked up within 15 minutes on the phone and were telling him he had to send money to them to get it unlocked. The man was distraught. I had arrived mid phone call, he was upset as hell, but thankfully, he had been backing up all his documents to an external hard drive like I had taught him (thank *god*, due to a dead HDD a year earlier, this had become habit).
So I jumped on the phone and ‘went through the process’ with this person, all the while reformatting his computer. Managed to reboot, use the Windows disk to clean format the HDD and reinstall Windows. Halfway through I started getting abused by the wanker on the phone, and managed to make my Dad feel better.
These bastards prey on the ICT uneducated, imho the best advice is to upload important information to either the cloud or an external source and just do this, to ensure you can automatically format if needs be. It skips so much hassle.
I used to get those calls. I act as if I am following their prompts, get to a point where they ask me what I can see on my screen, and then describe a whole pile of acts of bestiality and scat porn. I don’t get those calls any more.
Lollll last few times I pretended my number was for ADFA. That’s since stopped them lol
I described a C64 start screen once. Nowadays I just talk gibberish and put on an annoyed tone when they can’t understand me. For all telemarketers.
I have a friend who was foolish enough to answer a call from the Telstra overdue account scammers at my house by stating my full name and address. Good thing they tried to collect on my mobile (Never had a Telstra Mobile). I have since drilled into him the importance of not giving out details until you know who you are talking to. He has unfortunately despite my coaching tried to pay out quite a few bills he did not owe. Luckily no Credit Card or Paypal so he was trying to pay them at the post office, and was informed of the scam there.
I’m a bit disappointed there isn’t any
“Step one. Pick up Mac.
Step two. Throw it out the window.
Step three. Buy a decent computer.”
Jokes =P
You act like it’s a joke but it’s actually a legit method 😉
I think I managed to avoid this on account of being too lazy to upgrade.