What you need to know about the KeRanger ransomware found in the Transmission app

By , Mar 6, 2016


Users of the popular open-source Transmission BitTorrent client for OS X got an unpleasant surprise this weekend: certain installers for version 2.90 of the application were found to bundle ransomware, a type of malware that encrypts the victim's files and demands payment for the key to get them back.

Dubbed KeRanger by security research firm Palo Alto Networks, the malware encrypts the user's files so they can no longer be opened, then demands money to restore access to them.

The Transmission developers have pushed an immediate update that removes the ransomware, and every user is advised to install it. But how do you know whether you're affected?

How KeRanger works

Palo Alto Networks reports that KeRanger was signed with a valid Mac developer certificate, which let it pass Apple's Gatekeeper checks. After Palo Alto Networks reported the issue to both Apple and the Transmission development team, Apple revoked that certificate and updated its XProtect malware signatures so the known sample is blocked from running.

The malicious version 2.90 installer could be told apart from the genuine one by an extra file, "General.rtf", inside the app bundle's Resources folder. Despite the name, it was not a rich-text document but a Mach-O executable. When the user launched the trojanized app, it copied that executable into the user's Library folder (as "kernel_service"; see the removal steps below) and ran it, with nothing visible to the user.

Once installed, KeRanger lies dormant for three days before doing anything. Since the infected installer went live on March 4th, the earliest infections will start activating on Monday, March 7th unless the malware is fully removed first.

When KeRanger activates, it begins encrypting files across the user's Mac and "holds them for ransom," hence the name ransomware. It then demands 1 bitcoin (almost $400 at the time) to decrypt them.

Who KeRanger affects

The KeRanger ransomware doesn't affect everybody who uses the Transmission app. It affects only users who downloaded version 2.90 from the Transmission website and installed it on their Macs between 11:00 A.M. PST on March 4th and 7:00 P.M. PST on March 5th.

This version is known to have been bundled with the KeRanger ransomware by unidentified attackers, although how it got there is not fully understood. The leading explanation is a breach of the project's website, after which the attackers replaced the legitimate installer with a tampered one.

Update: Transmission says the software was uploaded to the servers through a security breach and that approximately 6,500 people downloaded the ransomware.

Anyone downloading Transmission from the website right now need not worry: the developers have pulled the known malicious installer and replaced it with a clean one. The most recent version as of this writing is 2.92.

Removing KeRanger from your Mac

The Transmission developers have just released Transmission 2.92, which automatically searches for and removes the KeRanger malware from your Mac.

With that being said, if you believe you've been infected by KeRanger, grab this new version of Transmission and install it as soon as possible, because KeRanger will activate on Monday, March 7th and start encrypting your Mac's files if you're one of the unlucky infected folks.

To check your Mac to see if you’ve been infected with the KeRanger ransomware and to remove it manually, you can follow these steps, which have been provided by Palo Alto Networks:

1) Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either of these exists, the Transmission application is infected and we suggest deleting this version of Transmission.

2) Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose “Open Files and Ports” and check whether there is a file name like “/Users/<username>/Library/kernel_service” (Figure 12 in the Palo Alto Networks write-up). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.

3) After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, you should delete them.
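To run the three checks above from Terminal in one go, and to see which developer certificate signed the installed bundle (the Gatekeeper point from the "How KeRanger works" section), here is a small POSIX shell script. It is an added example written for this article, not code from Transmission or Palo Alto Networks. The paths, file names and process name are the ones quoted in the steps; the function names and the --scan/--remove flags are this script's own. The codesign check only works on a Mac, while the file checks take a root prefix and a home directory so they can also be run against a mounted disk image or a scratch tree.

```shell
#!/bin/sh
# keranger_check.sh: automate the Palo Alto Networks removal steps quoted above.
# Added example for this article; not code from Transmission or Palo Alto Networks.
# Paths, file names and the process name come from the steps; function names and
# the --scan/--remove flags are assumptions of this script.
#
#   sh keranger_check.sh --scan     report indicators on this Mac
#   sh keranger_check.sh --remove   report, force-quit kernel_service, delete artifacts

# Artifacts KeRanger leaves in ~/Library (steps 2 and 3).
KERANGER_LIBRARY_FILES="kernel_service .kernel_pid .kernel_time .kernel_complete"

# Print every indicator found under root prefix $1 ("" for the live system)
# and home directory $2. Returns 0 when clean, 1 when anything was found.
keranger_indicators() {
  root="$1"
  home="$2"
  found=0

  # Step 1: the Mach-O dropper disguised as General.rtf, both in the installed
  # bundle and in a still-mounted Transmission disk image.
  for p in \
    "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
    "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"
  do
    if [ -e "$p" ]; then
      echo "infected Transmission bundle: $p"
      found=1
    fi
  done

  # Step 3: the copied main binary and the state files written next to it.
  for f in $KERANGER_LIBRARY_FILES; do
    if [ -e "$home/Library/$f" ]; then
      echo "KeRanger artifact: $home/Library/$f"
      found=1
    fi
  done

  return "$found"
}

# Step 2: is a process named kernel_service running? pgrep -x matches the
# exact process name on both macOS and Linux. Returns 0 if one is found.
keranger_process_running() {
  pgrep -x kernel_service >/dev/null 2>&1
}

# macOS only: show who signed the installed bundle. codesign prints its
# "Authority=" lines on stderr. Compare against a known-good copy of the app;
# the trojanized build was signed with a certificate Apple has since revoked.
transmission_signer() {
  codesign -dvvv /Applications/Transmission.app 2>&1 | grep '^Authority='
}

# Force-quit the process (SIGKILL, like Activity Monitor's Force Quit) and
# delete the ~/Library artifacts. The infected app bundle itself is only
# reported: replace it with Transmission 2.92 instead of deleting it here.
keranger_remove() {
  home="$1"
  if keranger_process_running; then
    pkill -9 -x kernel_service
  fi
  for f in $KERANGER_LIBRARY_FILES; do
    if [ -e "$home/Library/$f" ]; then
      rm -f "$home/Library/$f"
      echo "deleted $home/Library/$f"
    fi
  done
}

case "${1:-}" in
  --scan)
    rc=0
    keranger_indicators "" "$HOME" || rc=1
    if keranger_process_running; then
      echo "kernel_service process is running"
      rc=1
    fi
    [ -d /Applications/Transmission.app ] && transmission_signer
    [ "$rc" -eq 0 ] && echo "no KeRanger indicators found"
    exit "$rc"
    ;;
  --remove)
    keranger_indicators "" "$HOME" || true
    keranger_remove "$HOME"
    ;;
esac
```

Run it with --scan first; a clean Mac prints only the certificate lines and "no KeRanger indicators found". Only after confirming the hits are real (the Open Files and Ports check in step 2) run --remove, and then install 2.92 over the infected bundle.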

Wrapping up

If you use the Transmission app for OS X, be very cautious and follow all the steps necessary to ensure you're not infected with the KeRanger ransomware. Installing the latest version of Transmission should be enough to remove any traces of the ransomware from your system, but it never hurts to follow the steps above and check for yourself manually.

Were you infected by the ransomware bundled with Transmission for OS X? Share in the comments.

  • Chris Wagers

    So is it that the certificate being used belonged to the Transmission developers? Site got hacked and file was altered? So how do we know if they got in once they won’t get in again? Transmission developers really should be more transparent and tell what they’ve done to make sure this doesn’t happen again. Maybe they have and it just wasn’t posted here? If so my apologies. Why would hackers infect something with such a small user base? Why not infect something that millions of users install? Just some questions if anyone can answer that would be great if not that’s fine too.

    • Chris

      No, Apple have revoked the certificate used to sign the malware (which belonged to KeRanger), along with blacklisting it in their XProtect service, which prevents it from running without a user’s input.

      • 5723alex .

        Hackers can use another developer’s certificates.

      • Chris Wagers

        Ok that explains it I guess. Thank you!

      • Chris

        The certificate used wasn’t the same one Transmission used.

      • Chris Wagers

        Thank you! So KeRanger is a company that develops something besides this malware?

      • AppleBetas

        No, they just used a developer certificate from Apple, either stolen from another developer, or signed up for with fake information (and the fee paid).

    • It’s not yet known how exactly the hackers got into the Transmission website to upload an infected installer, but it looks as though Transmission has taken control of its own website again and the latest installer will fix things.

      They haven’t been very public about how or why it happened, and no guarantees should ever be made because nothing is hack-proof. On the other hand, they were very quick to fix the problem before the timer finished for the ransomware, which is good support in my book.

      • Chris Wagers

        So maybe they just don’t know what happened yet and that’s why they aren’t saying I hope anyway.

  • I kinda want to try this just to see what it’s like… I’m assuming a full system format would get rid of it right?

    • Chris Wagers

      Yes you can restore from backup. Or just restore will work too.

      • I’d go for a restore. I’m on 10.11.3 and I’d like to go back to 10.11.2 lol

    • Elias Chao

      But you’d lose access to your files.

      • That’s the point… I have everything backed up and I’ve never had a malware like this before. It would be interesting to see how it locks down my computer.

      • Elias Chao

        Oh, if you have everything backed up, there shouldn’t be any problem. A full system format should get rid of it.

      • cuddyphoto

        Make sure your backups are not connected; malware could encrypt the backup…

  • iPhoneWINS

    lol damn wtf

  • I deleted Transmission from my Mac the second I heard about this. I don’t torrent stuff anyways.

  • Mr_Coldharbour

    Sad to see this happen to the best BitTorrent client that I have ever used. Needless to say I deleted the app and any traces of it as soon as I heard about the news, which was pretty damn quickly. Even though I had the app installed for a while now and performed the 2.90 update over a week ago straight through the in-app update prompt, I still deleted the app. Sad to see it go but it had to be done.

  • Been using uTorrent for years and not switching.