Over the weekend, Apple customers who were looking for the latest version of Transmission, a popular BitTorrent client, likely downloaded a new family of Ransomware that targets OS X installations instead.
The problem was discovered by Unit 42 researchers at Palo Alto Networks. They've named the Ransomware family KeRanger, and published a brief on the malware that goes into technical details.
"Users who have directly downloaded the Transmission installer from the official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now," the Unit 42 post explains.
The problems with Transmission started on the morning of March 4. It isn't clear how the attack happened, but the result was a hijacked installation file that delivered KeRanger to the user's system. The malware was embedded within the DMG file itself. Moreover, because the installation file was signed with a valid code-signing certificate, it bypassed Apple's Gatekeeper protection.
Once installed, KeRanger waits three days before contacting a command-and-control (C2) server over the Tor network, using both .onion addresses and public relay links.
Once contact is made, the Ransomware starts encrypting common file-types including documents, images, audio and video, source code, etc.
Researchers who have examined the malware state that it does not target Time Machine backups, but code that would enable this is present – it is simply not active in the current release.
Moreover, the fact that the malware must reach a C2 server before it begins encrypting appears to be a design flaw: if the infected system is not connected to the Internet, the malware does not appear to be able to start encrypting at all. If contact is made, the system's files are encrypted and the ransom demanded is $400.00 USD.
KeRanger was signed by a valid certificate issued to Polisan Boya Sanayi ve Ticaret A.Ş., a holding company in Istanbul. It isn't clear if their certificate was stolen, but the certificate itself was revoked by Apple.
Apple also added the installers to the Gatekeeper blacklist, and updated XProtect signatures to include the entire Ransomware family.
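The signing detail above is the practical lesson: a valid Developer ID certificate from an unrelated company was enough to satisfy Gatekeeper, which only checks that a signature is valid, not who signed. The check below pins the expected publisher's team identifier instead. It is an added example, not code from the article or from the Transmission project; `EXPECTED_TEAM_ID`, the sample paths and the team IDs in the sample output are constructed placeholders.

```python
"""Pin a downloaded app's Developer ID team to the publisher you expect.
Added example, not code from the article or the Transmission project; team IDs
and paths are constructed placeholders. Gatekeeper asks "validly signed?"; this
adds "signed by whom I expect?", the check a hijacked installer like KeRanger's fails.
"""
import re
import subprocess
from typing import Optional

# Placeholder standing in for the legitimate publisher's team ID (not the real one).
EXPECTED_TEAM_ID = "TRUSTED001"

def parse_team_id(text: str) -> Optional[str]:
    """Extract TeamIdentifier from `codesign -dv --verbose=4` output, or None."""
    match = re.search(r"^TeamIdentifier=(.+)$", text, re.MULTILINE)
    team_id = match.group(1).strip() if match else None
    return None if team_id == "not set" else team_id  # ad-hoc signatures say "not set"

def leaf_authority(text: str) -> Optional[str]:
    """First Authority= line is the signing certificate (chain is listed leaf-first)."""
    match = re.search(r"^Authority=(.+)$", text, re.MULTILINE)
    return match.group(1).strip() if match else None

def identity_matches(text: str, expected_team_id: str = EXPECTED_TEAM_ID) -> bool:
    """True only for the pinned team; a valid but foreign Developer ID fails."""
    team_id = parse_team_id(text)
    return team_id is not None and team_id == expected_team_id

def check_app(path: str, expected_team_id: str = EXPECTED_TEAM_ID) -> bool:
    """Inspect a real bundle (macOS only); codesign -dv writes its report to stderr."""
    try:
        proc = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:  # codesign is not present off macOS
        return False
    if proc.returncode != 0:
        return False  # unsigned, tampered or missing bundle: fail closed
    return identity_matches(proc.stderr, expected_team_id)

# Constructed sample: validly signed, but by an unrelated company (the KeRanger pattern).
SAMPLE_FOREIGN = """Executable=/Volumes/Installer/Example.app/Contents/MacOS/Example
Identifier=com.example.client
Authority=Developer ID Application: Unrelated Holding Co (OTHER99999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=OTHER99999
"""
# Constructed sample: the same bundle signed by the pinned team.
SAMPLE_PINNED = SAMPLE_FOREIGN.replace("OTHER99999", EXPECTED_TEAM_ID).replace(
    "Unrelated Holding Co", "Trusted Publisher")
```

`check_app("/Applications/Example.app")` runs the real `codesign` on macOS; the two constructed samples let the comparison logic be exercised anywhere.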
The Transmission project removed the malicious installers on Saturday (March 5) and encouraged all users to update to the latest version (2.92). It is important to update to this version, as it will detect and remove KeRanger. Those who do not will risk encryption starting Monday morning at 11:00 am, when the malware's three-day delay runs out.
In somewhat related news, some criminals are selling compromised enterprise code-signing certificates that can be used with Apple software. The going rate for such certificates on one forum is currently $10,000 USD.