The scourge of ransomware has finally come to OS X! Researchers at the security firm Palo Alto Networks have announced that version 2.90 of the Transmission bittorrent client for Mac OS X has been adulterated with a new ransomware variant they have named KeRanger. Users on the Transmission forum and a message on the front page of the Transmission website confirm this:

[Image: Notice on the homepage of the Transmission site]

According to Palo Alto Networks, the malicious installer was generated on March 4, and once installed, will wait 3 days after infection before encrypting the victim's files. This means that the first victims won't notice they are affected until at least March 7. Once activated, the ransomware connects to a Command & Control server over the TOR network and will then begin to encrypt certain types of files. It will then demand a ransom of 1 bitcoin, or about $400 USD, to receive a decryptor.

Very little information is available at this point regarding how the Transmission installer was compromised. It is known, however, that the ransomware is signed with a valid Mac developer's certificate, which is now revoked by Apple. This certificate has a listed owner of POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673), which is not the certificate for the legitimate Transmission developer.

Apple has already released a signature update for its XProtect antimalware software, and because the abused certificate has been revoked, OS X will refuse to execute malicious installers signed by it.
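Since the block relies on the signing certificate, one quick defender-side check is to read the Team ID that codesign reports for a locally installed copy of Transmission and compare it with the revoked signer. The script below is an added example, not code from the article or the Transmission project; it assumes macOS with codesign(1) and the default /Applications/Transmission.app path, uses the Team ID Z7276PX673 quoted above as the known-bad value, and embeds a constructed sample of codesign output so the matching logic can be exercised without a Mac.

```shell
#!/bin/sh
# Added example, not code from the article or the Transmission project.
# Reports which Apple Team ID signed a local Transmission.app and flags the
# Team ID the article quotes for the abused, now-revoked certificate.
# Assumptions: macOS with codesign(1); default path /Applications/Transmission.app.
REVOKED_TEAM_ID="Z7276PX673"                 # Team ID quoted in the article
APP_PATH="${TRANSMISSION_APP:-/Applications/Transmission.app}"

# Constructed sample of `codesign -dvv` output, shaped like the real tool's
# output but not captured from a real KeRanger build.
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Authority=Developer ID Application: POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673)
TeamIdentifier=Z7276PX673'

# Pull the TeamIdentifier= value out of codesign output read from stdin.
# codesign prints "TeamIdentifier=not set" for ad-hoc or unsigned binaries.
extract_team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Map a Team ID to a verdict word: revoked, unsigned, or other.
verdict_for_team_id() {
    case "$1" in
        "$REVOKED_TEAM_ID") echo "revoked" ;;
        ""|"not set")        echo "unsigned" ;;
        *)                   echo "other" ;;
    esac
}

# Verdict for the constructed sample (lets the logic run without macOS).
sample_verdict() {
    verdict_for_team_id "$(printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | extract_team_id)"
}

# Live check: codesign writes its details to stderr, hence 2>&1.
check_installed_transmission() {
    if [ ! -d "$APP_PATH" ]; then
        echo "Transmission not found at $APP_PATH"
        return 0
    fi
    team_id="$(codesign -dvv "$APP_PATH" 2>&1 | extract_team_id)"
    case "$(verdict_for_team_id "$team_id")" in
        revoked)  echo "ALERT: $APP_PATH signed by revoked Team ID $team_id (KeRanger installer)" ;;
        unsigned) echo "WARN: $APP_PATH carries no Team ID; re-download from the Transmission website" ;;
        other)    echo "OK: $APP_PATH signed by Team ID $team_id, not the revoked certificate" ;;
    esac
}

check_installed_transmission
```

A matching Team ID only tells you the bundle was signed with the abused certificate; follow the Palo Alto Networks cleanup steps rather than treating an "OK" as proof the machine is clean.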

[Image: Apple warning of malicious Transmission DMG file. Source: Palo Alto Networks]

Palo Alto Networks has also posted instructions for users who believe they might be infected, towards the bottom of their announcement article. The developers of Transmission recommend that users install version 2.91, which will attempt to detect and remove the infection.

Unfortunately, at the time of this writing, no antimalware scanners are detecting either of the affected installers.

As this ransomware is further analyzed, we will be sure to post about it here.
