OS X KeRanger ransomware Transmission app

Users of the popular open-source Transmission BitTorrent client for OS X were in for quite a surprise this weekend when it was discovered that certain installers for version 2.90 of the application were found to bundle unwanted ransomware with the installation, which is a type of malware that restricts file access across the system to cause trouble for the user.

Dubbed KeRanger by security research firm Palo Alto Networks, the malicious software will try to encrypt the user’s system files in such a way as to tamper with the user’s access to their Mac and then force the user to pay money to get their access back.

The makers of the Transmission app are now pushing immediate mandatory app updates to remove the ransomware and fix the problem for those that may have been affected, and it’s recommended for all users, but how do you know if you’re affected?

How KeRanger works

Palo Alto Networks reports that the KeRanger was using a valid signed Mac Developer certificate at the time, which allowed it to bypass the protections of Apple’s Gatekeeper software. Fortunately, Apple has since revoked access to that specific certificate since Palo Alto Networks reported the issue to not only Apple, but also the Transmission development team.

The malicious Transmission installer for the infected version 2.90 installer could be differentiated from the typical Transmission installer by an extraneous “General.rtf” file, which looked like a legitimate .RTF file. Unfortunately, it was just a mask covering a Mach-O format executable file, and this means that upon launching the app, the user would not realize the malware was being copied to their system.

Once copied and installed on the system, KeRanger is set to lay dormant for 3 days, and since it was created on March 4th, this means it will start activating on users’ machines on Monday, March 7th if it’s not fully removed.

When KeRanger activates, it will begin encrypting files across the user’s Mac and “hold them for ransom,” hence the name ‘ransomware.’ The malicious software then tries to scam the user into paying 1 bitcoin (almost $400) to unencrypt the system.

Who KeRanger affects

The KeRanger ransomware doesn’t affect everybody who uses the Transmission app. It only affects some users who downloaded version 2.90 of the app from the Transmission website and installed it on their Macs between the times of 11:00 A.M. PST March 4th and 7:00 P.M. PST March 5th.

This version is known to have been bundled with the KeRanger ransomware by anonymous attackers, although it’s not completely understood how it got there. Speculation lands the blame on a website security breach, and a tampered-with installer may have been placed on the website shortly after.

Update: Transmission says the software was uploaded to the servers through a security breach and that approximately 6,500 people downloaded the ransomware.

For those downloading Transmission from the website right now, have no worries, because the developers have since pulled the known malicious installer and replaced it with a working installer. The most recent version as of this writing is 2.92.

Removing KeRanger from your Mac

The Transmission developers have just released Transmission 2.92, and this version of Transmission is made to automatically search for and remove the KeRanger malware from your Mac.

With that being said, if you believe you’ve been infected by KeRanger, you should probably grab this new version of Transmission and install it as soon as possible because KeRanger will activate Monday, March 7th to start encrypting your Mac’s files if you’re one of the unlucky infected folks.

To check your Mac to see if you’ve been infected with the KeRanger ransomware and to remove it manually, you can follow these steps, which have been provided by Palo Alto Networks:

1) Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.

2) Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users/<username>/Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.

3) After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in ~/Library directory. If so, you should delete them.

Wrapping up

If you use the Transmission app for OS X, you should be very cautious and follow all steps necessary to ensure you’re not infected with the KeRanger ransomware. Installing the latest version of Transmission on your Mac should be enough to ensure any traces of the ransomware are removed from your system, but it never hurts to follow the steps above to check for yourself manually.

Were you infected by the ransomware bundled with Transmission for OS X? Share in the comments.