Is your Mac infected with Apple’s first-ever ransomware?

7 Mar 2016

It has finally happened: Apple customers have been targeted by ransomware for the first time ever, according to cybersecurity researchers.

Over the weekend, it emerged that Apple users had finally been welcomed into the internet fold, with ‘KeRanger’ ransomware signing off on the initiation. Palo Alto Networks discovered the malicious software, saying it was the first “fully functional ransomware” to ever attack Macs.

The ransomware was delivered through the Transmission application, which users download to facilitate peer-to-peer file sharing through BitTorrent, and the company detected it within hours of its initial posting. It got through Apple’s security protocols with a valid Mac app development certificate but, with both Palo Alto and Apple moving fast, the cert has now been revoked and it’s been blocked on Macs.

Apple has also updated XProtect signatures to cover the family, and the signature has been automatically updated on all Mac computers now. As of Saturday, Transmission Project has removed the malicious installers from its website.

A slow worker

For those unfortunate enough to have downloaded the dodgy app, it lies dormant on your machine for three days before it gets to work, encrypting selected files from your machine and demanding around $400 to free them up.

“Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine back-up files to prevent victims from recovering their back-up data,” reads Palo Alto’s blog on the topic.

The company says infected files were downloaded after 7pm on Friday, and before 2am Sunday morning.

Its advice on how to protect yourself, if you were one of those who downloaded it, is as follows:

  • Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exist. If any of these exist, the Transmission application is infected and you should delete this version of Transmission.
  • Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users/<username>/Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. Terminate it with “Quit -> Force Quit”.
  • After these steps, check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, you should delete them.
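
The three checks above can also be run from Terminal in one pass. The script below is an added example, not code from Palo Alto or from this article: it looks for General.rtf in the app's Contents/Resources folder, the four files in ~/Library and a running kernel_service process, and only reports what it finds. The function names and the root and home parameters are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: reports the KeRanger indicators named in the checklist.
# Function names and the ROOT/HOME_DIR parameters are assumptions of this sketch.

# Print the infected-installer marker file if present under ROOT (normally "/").
keranger_installer_files() {
    root=${1%/}
    for app in Applications/Transmission.app Volumes/Transmission/Transmission.app; do
        f="$root/$app/Contents/Resources/General.rtf"
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Print any KeRanger working file present in HOME_DIR/Library.
keranger_library_files() {
    lib="${1%/}/Library"
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$lib/$name" ]; then printf '%s\n' "$lib/$name"; fi
    done
}

# Print "PID command" for every process whose executable is named kernel_service.
# OS X shows the full executable path in the comm column, so compare the last path part.
keranger_processes() {
    ps -axo pid=,comm= 2>/dev/null |
        awk '{ c = $0; sub(/^ *[0-9]+ +/, "", c); n = split(c, p, "/");
               if (p[n] == "kernel_service") print }'
}

# Run all three checks; return 1 and list the findings if anything matched.
keranger_scan() {
    found=$(keranger_installer_files "$1"; keranger_library_files "$2"; keranger_processes)
    if [ -n "$found" ]; then
        printf 'KeRanger indicators found:\n%s\n' "$found"
        return 1
    fi
    echo "No KeRanger indicators found."
}

keranger_scan / "${HOME:-/nonexistent}" || true
```

The script deletes and terminates nothing; removing the files and quitting the process is left to the steps in the list.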

By now, Apple’s security measures will prompt you should you open a known infected version of Transmission. So, if it says bin it, bin it.


Gordon Hunt was a journalist with Silicon Republic
