First Mac OS X Ransomware Targets Apple Users

Mac users, even you are not left untouched!

The world's first fully functional ransomware targeting the OS X operating system has landed on Macs.

Ransomware – one of the fastest-growing cyber threats – encrypts the important documents and files on infected machines and then asks victims to pay ransoms in digital currencies so they can regain access to their data.

Though Ransomware has been targeting smartphones and Windows computers for a while, Mac OS X users haven't really had to worry about this threat… until now!

Security researchers from Palo Alto Networks claim to have discovered the first known instance of OS X ransomware in the wild, called "KeRanger", attacking Apple's Macintosh computers, the firm's Threat Intelligence Director Ryan Olson told Reuters.

The KeRanger ransomware, which appeared on Friday, comes bundled into the popular Mac app Transmission, a free and open-source BitTorrent client for Mac with millions of active users.


Here's How KeRanger Works

Once a victim installs the infected version of the app, KeRanger embeds itself in the victim's machine and, after three days, encrypts the hard drive – including important documents, image and video files, email archives and databases.

The KeRanger malware then asks the victim to pay 1 Bitcoin (~ $410) as the ransom to decrypt the hard disk and regain access to their important files.

The malware imposes a 72-hour lockout window unless the payment is made.

Though it is still unclear how the hackers managed to compromise the app and upload the infected files, it is believed that the hackers managed to hack the Transmission website as the site was served via HTTP rather than HTTPS.


How to Protect yourself against KeRanger

The security researchers suggest that users check their machines for the existence of the following files:

  • /Applications/Transmission.app/Contents/Resources/General.rtf
  • /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf

If either of the above-mentioned files exists, your Transmission app is likely infected with the new ransomware.

The malicious code also runs under a process name of "kernel_service", "kernel_pid", ".kernel_time" or ".kernel_complete", which can be killed, and stores its executable in the ~/Library directory. Delete these files if they exist.

Upgrade to Version 2.91 of Transmission

Soon after, the Transmission developers released an updated version 2.92 of Transmission that actively removes the ‘KeRanger’ malware files.

So, if you had downloaded a vulnerable copy of Transmission from the web before the weekend, you must uninstall it now and upgrade to a clean 2.92 version of the software.

"Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file," Transmission posted in red on its website.

Specifically, downloads of Transmission version 2.90 were infected with the nasty ransomware code that will encrypt your files after 3 days and demand a payment of $410 in Bitcoin to regain control.

However, it is worth noting that KeRanger has so far been detected only in the Transmission app for Mac. But if the malware spreads widely, it could affect other common Mac apps as well.
