First Mac-targeting ransomware hits Transmission users, researchers say

Rogue copy of BitTorrent client results in KeRanger install, which demands 1 bitcoin.

Cyrus Farivar – Mar 6, 2016 3:15 pm | 162

A security research firm announced Sunday its discovery of what is believed to be the world’s first ransomware that specifically goes after OS X machines.

"This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Ryan Olson, of Palo Alto Networks, told Reuters.

In an interview Sunday afternoon, Olson told Ars that he expected more Mac ransomware to proliferate.

"It is a little bit surprising because ransomware has been so incredibly popular for Windows, and mobile platforms," he said. "It's now of the most popular criminal business models. The fact that it hasn't made it to Mac shows that it's had a great amount of success on the Windows side. But the fact that [the malware] was distributed through a legit application demonstrates that we will see this again."

The KeRanger malware, which imposes a 72-hour lockout window unless the victim pays 1 bitcoin ($410 as of this writing), appears to have been first discovered via a rogue version of Transmission, a popular BitTorrent client.

For some time now, ransomware has primarily targeted Windows machines—threatening total data destruction if the ransom isn't paid. Recently, even a Los Angeles hospital was infected, which resulted in the payment of a $17,000 ransom. In June 2015, the FBI said it had been contacted by 992 victims of CryptoWall, a similar ransomware scheme, who have sustained combined losses totaling over $18 million.

On Saturday evening, some Transmission users noticed the strange activity on a discussion board—users concluded that the 2.90 version of Transmission was infected with the ransomware. It appears that somehow the Transmission website may have been compromised as it was served via HTTP rather than the primary HTTPS Transmission website.

Soon after, Transmission posted this message on its website: "Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file."

In a technical analysis, Palo Alto Network’s Claud Xiao and Jin Chen wrote:

The KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to bypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat Prevention to stop KeRanger from impacting systems.

Apple did not immediately respond to Ars’ request for comment. Olson also said that the rogue version was only live on the Transmission website for 36 to 48 hours, and said that "we don't really know anything about that company" that was assigned that certificate.

Palo Alto Networks also added:

Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third-party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.