Update: Version 2.92 of Transmission has now been released. This claims to actively remove the ‘KeyRanger’ malware files from the infected Mac.
OS X users have today been hit with the first known case of Mac ‘ransomware’ malware, found in the Transmission BitTorrent client released last week. Infected versions of the app include ‘KeyRanger’ malware that will maliciously encrypt the user’s hard drive after three days of being installed. The malware then asks for payment to allow the user to decrypt the disk and access their data — the ‘ransom’.
As reported by Palo Alto Networks, Apple has already taken steps to curb the spread of the malware through its Gatekeeper security system. This means the infected version of Transmission will no longer install, but it does not help those who have already been affected. Transmission is urgently recommending people upgrade to the latest version of its software, 2.91.
Unlike ‘friendly’ system encryption services, it is becoming increasingly common on Windows for viruses and malware to maliciously encrypt user data. The aim is for the virus maker to raise money by holding the user data ransom until payment is provided, in exchange for the malware to decrypt the drive once again.
The KeyRanger malware currently circulating is the first known instance of ransomware targeted at OS X users. It is not recommended to actually pay the malware as it only encourages further malicious action and there is no guarantee the virus maker will actually do the decryption as promised.
Users worried about being impacted by the ransomware should look for the ‘kernel_service’ process in Activity Monitor. This process is named like a kernel system program as a disguise, but it is actually the KeyRanger malware. If you are impacted, the recommendation is to restore to an earlier backup of your system before you installed Transmission. This is the best way to ensure the virus has been completely removed from the system.
It’s worth noting that the malware has only been detected in the Transmission app to date. It is unknown if it is more widespread, affecting other common apps.
Palo Alto Networks suggests a few other methods to check for the presence of the malware. Their post also includes a lot more detail on the technical implementation of the virus, so check out their post for more information. The security researchers suggest checking for the existence of the file ‘/Applications/Transmission.app/Contents/Resources/General.rtf’ or ‘/Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf’. If this file exists, the Transmission app is likely infected. You can also check for the existence of “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” files in the ~/Library directory. Delete the files if they exist.