KeRanger ransomware arrives on the Mac, Transmission 2.90 application infected

Date: Monday, March 7th, 2016, 08:46
Category: News, security, Software


Ransomware has come to the Mac.

Over the weekend, researchers at Palo Alto Networks stated that ransomware has been found targeting the Mac OS X platform in the form of the “KeRanger” malware. Ransomware encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data. The malware first appeared on Friday and seems to be attacking Apple’s Mac computers.

Security experts estimate that ransoms paid to such cyber criminals, who typically target users of Microsoft Corp’s Windows operating system, total hundreds of millions of dollars a year.

Palo Alto Threat Intelligence Director Ryan Olson said the “KeRanger” malware, which appeared on Friday, was the first functioning ransomware attacking Apple’s Mac computers.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Olson said.

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said in a blog post published on Sunday afternoon.

When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware, the blog said.

An Apple representative said the company had taken steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs. The representative declined to provide other details.

Transmission, in turn, released an updated version of the software without the malware on Sunday. The new version also automatically removes the ransomware from infected Macs.

The website advised Transmission users to immediately install the new update, version 2.92, if they suspected they might be infected.

Palo Alto Networks stated that the KeRanger malware is programmed to stay quiet for three days after infecting a computer, then connect to the attacker’s server and start encrypting files so they cannot be accessed.

After encryption is completed, KeRanger demands a ransom of 1 bitcoin, or about $400.

Olson, the Palo Alto threat intelligence director, said that victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission’s site.

Stay tuned for additional details as they become available.

Via Reuters, Palo Alto Networks and Transmission
