First ever OS X ransomware encrypts your data and asks for money

Ransomware 101

Ransomware is a particularly nasty piece of malware: After your computer is infected, it encrypts your data and refuses to give you the key unless you pay its makers a sum of money. Save for any glaring mistakes in the malware’s implementation, paying up is usually the only feasible way to get your data back, especially if you don’t have a backup.

Now, according to security company Palo Alto Networks, the first functional ransomware that operates on Apple’s OS X has been discovered.

The malware was embedded with version 2.90 of the Transmission software, normally a legitimate BitTorrent app. It waits three days before encrypting certain types of data on an infected system, and then it asks for one bitcoin (around $405) in ransom.

The infected versions of the Transmission installer were detected on March 4, and anyone who downloaded Transmission 2.90 around that date may have infected their OS X machine with the KeRanger malware.

Soon after the infection was discovered, Transmission released a new version of its client, Transmission 2.92, which should be malware-free.

“Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the “OSX.KeRanger.A” ransomware (more information available here) is correctly removed from your computer,” says a message on the official Transmission website.

How did this happen?

As Transmission is a legitimate OS X app, and it requires an Apple-signed certificate to be installed, how could the infection happen in the first place?

According to Palo Alto Networks, two KeRanger-infected Transmission installers were signed with an Apple-issued certificate. It’s not clear how the malware-infested installers ended up on Transmission’s website — the website could have been hacked, for example, but there’s no proof at this point that this is what happened.

The certificate was later revoked by Apple, so trying to start an infected version of Transmission should result in a warning dialog, saying that the app will damage your computer or that it can’t be opened.

An Apple spokesperson refused to give any details, besides reiterating that the company revoked the digital certificate that enabled the malware to install on Mac computers.

Similar ransom-demanding malware was previously seen on Windows machines and other operating systems, but not on OS X. In February, hackers demanded millions of dollars in ransom to decrypt the data belonging to a Hollywood hospital, though in the end the hospital got out by paying $17,000.

Tips to get rid of the malware

Palo Alto Networks offers some tips for users who think their system might have been infected. First, in Finder, check for the existence of a “/Applications/Transmission.app/Contents/Resources/General.rtf” or “/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf” file. If the file exists, your Transmission app is infected and you should delete it.

Users should also check, using Activity Monitor, whether there’s a process called “kernel_service” running. If it is, users should double check the process, select “Open Files and Ports” and check for a file name like “/Users/<username>/Library/kernel_service”. The “kernel_service” process should be terminated with Quit – Force Quit.

Those who find an infection on their computer should check their ~/Library directory for files named “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service.” Those files should also be deleted.
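The three manual checks above can be run as one script. The following is an added example written for this post; it is not code from the article, from Transmission or from Palo Alto Networks. It only looks for the file and process indicators the article names and reports them, leaving removal to the user. The two parameters of keranger_indicators (a path prefix and a home directory) are an assumption introduced here so the same function can be pointed at a test tree; with no arguments it checks the live system.

```shell
#!/bin/sh
# Added example: report the KeRanger indicators listed in the article.
# Not the article's, Transmission's or Palo Alto Networks' own code.

# Print every indicator file that exists and return 0 if any was found,
# 1 otherwise. $1 is a path prefix for the system-wide paths (empty for "/"),
# $2 is the home directory to inspect; both are parameters assumed here so
# the check can be exercised against a constructed directory tree.
keranger_indicators() {
    prefix="${1:-}"
    home="${2:-$HOME}"
    found=1
    for f in \
        "$prefix/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$prefix/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
        "$home/Library/.kernel_pid" \
        "$home/Library/.kernel_time" \
        "$home/Library/.kernel_complete" \
        "$home/Library/kernel_service"
    do
        if [ -e "$f" ]; then
            echo "INDICATOR: $f"
            found=0
        fi
    done
    return "$found"
}

# Return 0 if a process whose exact name is kernel_service is running.
# pgrep is assumed to be available (it is on OS X); without it the check
# simply reports nothing.
keranger_process_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x kernel_service >/dev/null 2>&1
}

# Stand-alone run against this machine.
if keranger_indicators "" "$HOME"; then
    echo "Possible KeRanger infection: review and delete the files above."
else
    echo "No KeRanger file indicators found."
fi
if keranger_process_running; then
    echo "kernel_service is running: force-quit it via Activity Monitor."
fi
```

Run it as the user whose ~/Library is to be inspected; a clean machine prints only the "No KeRanger file indicators found" line. The script deliberately deletes nothing, so the findings can be reviewed before following the removal steps above.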

via – http://mashable.com/2016/03/07/keranger-ransomware-os-x/#S.CcR9W3o8qI
