It looks like nobody can be assured of being safe in this modern cyber world, and that now includes MacOS, an OS once considered almost invincible to cyber attacks. Ransomware has finally debuted on MacOS, and the debutant has been dubbed “KeRanger”.
The attack was detected by a team of researchers at Palo Alto Networks, who have termed it “the first fully functional ransomware seen on the OS X platform.”
“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” said Ryan Olson, threat intelligence director at Palo Alto.
The ransomware, named KeRanger, reportedly came from a copy of Transmission, a popular program for downloading torrents over the BitTorrent peer-to-peer network. Users who downloaded version 2.90 of Transmission directly from its website are reported to have been infected.
That version was released on Friday and has since been taken down by the Transmission team, who now urge users to download and install the upgraded version 2.92, which removes the ransomware. This has to be done before the ransomware's three-day deadline, after which it activates.
Once fully active on a system, which takes three days (the third day is today, so we may begin to see the effects being reported by users now), it encrypts the files on the Mac and then demands a ransom of 1 bitcoin (around $400) from the user to get them back.
According to the researchers, it was able to bypass Apple's Gatekeeper protection because it was signed with a valid Mac app development certificate. Apple said it has already revoked the certificate to prevent further infections and declined to provide any other details.
To check whether your system shows traces of infection, follow these steps recommended by Palo Alto Networks and Transmission:
- Look for a file called “/Applications/Transmission.app/Contents/Resources/General.rtf” or “/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf”. If you find it, delete your Transmission app.
- Using Activity Monitor, check whether a process called “kernel_service” is running. If you find it, choose Open Files and Ports in the app and look for a file name like “/Users/<username>/Library/kernel_service”. If you find it, force quit the process.
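The same two checks as a script, added here as an example (it is not Palo Alto's or Transmission's own tool). It uses the indicator paths and process name from the guidance above, only reports what it finds, and deletes nothing; the `PREFIX` argument exists so the file check can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: report the KeRanger indicators described in the article.
# Not Palo Alto's or Transmission's tool; it reports only and removes nothing.

# Indicator file paths from the Palo Alto / Transmission guidance.
KERANGER_RTF_PATHS="/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"

# check_indicator_files PREFIX HOME
#   Print every indicator file that exists. PREFIX is prepended to each path
#   (empty for the live system, a scratch directory when testing); HOME is
#   the user's home directory, where the dropped kernel_service file lives.
#   Returns 0 if at least one indicator was found, 1 otherwise.
check_indicator_files() {
    prefix="$1"
    home="$2"
    found=1
    for p in $KERANGER_RTF_PATHS "$home/Library/kernel_service"; do
        if [ -e "$prefix$p" ]; then
            printf 'FOUND indicator file: %s\n' "$prefix$p"
            found=0
        fi
    done
    return "$found"
}

# check_kernel_service_process
#   Report whether a process named exactly kernel_service is running
#   (the check the article has you do in Activity Monitor).
#   Returns 0 if found, 1 otherwise.
check_kernel_service_process() {
    if pgrep -x kernel_service >/dev/null 2>&1; then
        echo "FOUND running process: kernel_service (force quit it, then remove Transmission 2.90)"
        return 0
    fi
    return 1
}

# keranger_scan: run both checks on the live system; returns 0 when clean.
keranger_scan() {
    status=0
    check_indicator_files "" "$HOME" && status=1
    check_kernel_service_process && status=1
    [ "$status" -eq 0 ] && echo "No KeRanger indicators found."
    return "$status"
}

keranger_scan
```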
To clean up your system, follow the guidelines posted by the Palo Alto team in this blog post.