Welcome to the club OS X users: First Mac-targeting ransomware detected in the wild

Researchers warned that the first OS X ransomware was included in the BitTorrent Transmission client; it was signed by a valid Apple digital certificate.

Welcome to the club, OS X users: you are now vulnerable to ransomware infections and the extortion schemes popular with cybercriminals. The Transmission BitTorrent client has the dubious honor of being the first vehicle chosen to deliver Mac ransomware.

On Saturday, OS X Transmission users who had downloaded version 2.90 took to the forum to report “OSX.KeRanger.A” malware. On Sunday, Palo Alto Network researchers Claud Xiao and Jin Chen revealed that on March 4 they had detected the “first fully functional ransomware seen on the OS X platform.” Attackers had infected two Transmission version 2.90 installers with KeRanger.

Palo Alto researchers reported the ransomware to Apple and to the Transmission Project on Friday. Apple revoked the digital certificate and updated its XProtect antivirus. Transmission pulled the malicious DMG files from its site.

Palo Alto explained:

The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system.

KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.

[Image: KeRanger ransom note shown to Transmission OS X users. Source: Palo Alto Networks]

The ransomware-tainted Transmission installers had an extra RTF file which appeared with a normal-looking RTF icon, but researchers warned the file was “actually a Mach-O format executable file packed with UPX 3.91.” KeRanger lurks on a user’s machine for three days, before the RTF connects to C2 servers, sends the Mac’s model name and UUID, and retrieves an encryption key.
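The disguise described above, a document-looking file that is really a Mach-O executable, can be checked for directly. The following is an added example, not code from the article or from Palo Alto Networks: it walks an application bundle and flags any file with a document extension whose first bytes are a Mach-O header (a UPX-packed Mach-O still begins with that header). The sample bundle, its file names and contents are constructed for the demonstration.

```python
"""Flag files that claim to be documents but carry Mach-O executable headers,
the disguise used by the KeRanger-tainted Transmission installer."""
import os
import tempfile

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal header.
# Note: 0xcafebabe is also the Java .class magic, so a FAT hit on an odd path
# means "inspect", not "proven executable".
MACHO_MAGICS = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                        # FAT_MAGIC (universal binary)
)
# Extensions a user would expect to open in a viewer, never to execute.
DOCUMENT_EXTENSIONS = (".rtf", ".txt", ".pdf", ".doc")


def is_macho(path):
    """True if the file starts with a Mach-O or fat header."""
    with open(path, "rb") as fh:
        return fh.read(4) in MACHO_MAGICS


def find_disguised_executables(root):
    """Return sorted paths under root whose extension says 'document' but whose
    header says 'Mach-O executable'."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(DOCUMENT_EXTENSIONS):
                path = os.path.join(dirpath, name)
                if is_macho(path):
                    hits.append(path)
    return sorted(hits)


def build_sample_bundle():
    """Constructed sample (hypothetical names): a fake .app holding one genuine
    RTF and one Mach-O hiding behind an .rtf name."""
    root = tempfile.mkdtemp()
    resources = os.path.join(root, "Sample.app", "Contents", "Resources")
    os.makedirs(resources)
    with open(os.path.join(resources, "License.rtf"), "wb") as fh:
        fh.write(b"{\\rtf1\\ansi Real document}")          # a real RTF body
    with open(os.path.join(resources, "Readme.rtf"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)        # 64-bit Mach-O header
    return root


if __name__ == "__main__":
    for hit in find_disguised_executables(build_sample_bundle()):
        print("disguised executable:", hit)
```

The `file` command gives the same verdict for a single path; the script is for batching the check over an entire bundle before the three-day delay expires.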

KeRanger targets much more than documents: the researchers said it looks to lock up files with 300 different extensions associated with images, audio, video, email, archives, databases and certificates. The researchers believe KeRanger is still “under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.”

The fact that the cyber thugs abused an authentic Apple certificate was interesting to Insanely Great Mac’s Mike Flaminio. “It calls into question it seems Apple's process for issuing certificates to developers,” he wrote. “If malware can be issued a valid certificate, that would seem to basically break the secure system.”

Palo Alto Networks warned that users who “directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third-party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.”

Bottom line for Transmission users on OS X: immediately upgrade to 2.92, even if you are running the uninfected 2.91 version. Running 2.92 will remove the ransomware.
