Apple Mac OS X meets ransomware hell; Internet cries out in terror

Apple Macintosh OS X ransomware in Transmission 2.90, dubbed KeRanger. It should be a loud wake-up call to those still blissfully unaware.

Apple Macintosh OS X ransomware transmission
Credit: Transmission Project

Apple Mac OS X isn't immune to ransomware, nor to other malicious maladies (in case you're blissfully unaware). Last week, criminals broke into the Transmission BitTorrent client site, adding nasty ransomware into the installation package (this malware got dubbed KeRanger).

The installer download that was available earlier this month -- v2.90 -- is the bad version, so go get 2.92 now, if you've installed it. Please hurry, before it destroys all your data, OK?

In IT Blogwatch, bloggers verify their backups. Not to mention: Nirvana's Smells Like Teen Spirit, on a trad. Korean Gayageum

curated these bloggy bits for your entertainment. [Developing story: Updated 9:03 am, 11:04 am, and 8:56 PT with more comment]


What's the craic? Jim Finkle reports—Apple users targeted in first known Mac ransomware campaign:

Apple...customers were targeted by hackers...in the first campaign against Macintosh computers using...ransomware, researchers with Palo Alto Networks Inc [said. It] encrypts data [and] asks users to pay ransoms...to get an electronic key so they can retrieve their data.

Hackers infected Macs through a tainted copy of...Transmission, which is used to transfer data through...BitTorrent. [Apple has] taken steps over the weekend to prevent further infections by revoking a digital certificate. ... Representatives with Transmission could not be reached for comment.


Welcome to hell, Mac fans. Benjamin Mayo gets saucy—First OS X ransomware detected in the wild:

It is becoming increasingly common on Windows for...malware to maliciously encrypt user data. ... It is not recommended to actually pay the malware as it only encourages further malicious action.

The recommendation is to restore to an earlier backup...before you installed Transmission. ... It is unknown if it is more widespread, affecting other common apps.


Who discovered it? Claud Xiao and Jin Chen did—New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer:

On March 4, we detected that the Transmission...installer for OS X was infected with ransomware. ... We have named this Ransomware “KeRanger.” The only previous ransomware for OS X we are aware of is FileCoder [which] was incomplete at the time of its discovery. [So] we believe KeRanger is the first fully functional ransomware seen on...OS X.

If a user installs the infected apps, an embedded executable file is run. ... KeRanger then waits for for three days [and] then begins encrypting certain types of document and data files.

Infected Transmission installers include an extra file named General.rtf. ... It uses an icon that looks like a normal RTF file but is actually a Mach-O format executable.

General.rtf will collect infected Mac’s model name and UUID, and upload the information to one of its C2 servers. ... After connecting to the C2 server and retrieving an encryption key, [it will] encrypt all files under “/Users”, and encrypt all files under “/Volumes” that have certain file extensions.

Users who have directly downloaded the Transmission installer from the official website after 11:00am PST, March 4...before 7:00pm PST, March 5...may be been infected. ... Users of older versions of Transmission do not appear to be affected.


Did someone say "encryption"? We need a link to the Apple/FBI spat, thinks not trending:

Gawd - this scheme makes me so angry. This is the other side of the privacy discussion - it's basically impossible, if I understand this correctly, to track those bitcoins, and link the account to a person (and nail them).


But wait, how come the installer got signed with a valid Apple certificate? Here's Mike Flaminio:

The certificate situation is interesting. It sounds like the hackers generated an authentic certificate with Apple.

It calls into question...Apple's process for issuing certificates to developers. [It] would seem to basically break the secure system.

This is concerning because people are relying on Gatekeeper. ... One security measure to utilize is a software firewall. ... I've used Little Snitch for many years.


Update 1: For the avoidance of doubt, this is looking less and less like a big deal. Chris Mills gets drinky and sweary—Yes, Ransomware Can Affect Macs Too:

The paranoid corners of the Internet [are] freaking out today. ... Put down the emergency whiskey.

Before you go burn your electronics and move to a Farady-caged cave...here’s the good news: it’s an incredibly limited attack vector. ... It’s also easy to detect and rectify—Palo Alto noticed the virus...and Apple removed the signing certificate.

[So] don’t freak out, just choose your shady torrenting client a little better. ... And back your **** up.


Any other smart advice from the peanut gallery? Jim Lynch sounds a bit paranoid—Why you should stick with the Mac App Store:

Perhaps some of you...might think I'm paranoid. [But the news] is a huge warning shot across the bow of all Mac users.

I'll be getting all of my software from the Mac App Store from now on. ... When I first heard...I did a bit of a double take.

Just to be on the safe side, I grabbed my home folder and put it on an external drive. ... I then did a clean install of OS X El Capitan. ... I prefer to be safer than sorry.

I know that a lot of people are down on the Mac App Store. ... But I still think it can be quite useful. [I try] to get most of my software there. [But] after I did my clean install...I changed my security settings to allow app installs only from the Mac App Store.

The important thing...is to eliminate the possibility of...a third party's web site putting my Mac at risk. ... The popular Linux distribution Linux Mint also had its site...hacked, and some folks downloaded versions...that had been tampered with. ... This kind of attack seems to be becoming more and more popular.


Update 2: "Digital certs don't make your software secure." That's the lesson here, according to NotInHere:

In fact, in this case probably [to] the contrary. I guess the developer was not part of the developer team for transmission.

If it were easy to package software for macs without having to pay lots of fees, the dev team could have done it themselves. Apple really should give free dev licenses to free software developers. ... Github does something like that too.


Interesting point. But this Anonymous Coward doesn't agree:

$99 a year isn't an exorbitant fee. ... Thats the only part of Apple's developer programs that require cost.


Only $99/year? Try four times that, according to butzwonker:

It can be exorbitant for small developers. ... You also need to buy Macs every 3-5 five years in order to be able to stay afloat.

Let's say you only update your machine every 5 years. ... A realistic estimate for the real development costs is USD 99 x 5 + USD 1300 MacBook Pro 13 + USD 249 Apple Care for MacBook Pro 13 for a total of USD 2044 / 5 years or USD 409 per year. ... For small shareware and occasional developers these costs can be prohibitive.

And don't forget that Apple additionally takes 30% of all your revenue. ... So the real costs for individual developers are much higher.


Update 3: What does it mean? Dan Tynan puts it really simply—What It Means:

Apple users just got some bad news. ... Here’s what you need to know about this attack, and how to protect yourself.

Imagine coming home to find a big padlock on your front door and a criminal...demanding money to let you in. ... Individual ransoms can range from $200 to $10,000. ... The most common ransomware...infected more than 400,000 machines in 2015.

Apple users must face the fact that their machines are at risk. ... Approximately 6,500 copies of the infected software were downloaded before the problem was detected.

You avoid ransomware the same way you avoid any malware infection. ... Don’t casually click a link inside an email. ... Never open an attachment unless you were expecting to receive it. ... Never install software just because a Web site tells you to. ... And always keep a backup copy of all your personal files.

And Finally…

Smells Like Teen Spirit, on a traditional Korean Gayageum, by Luna Gayageum
[hat tip: David Pescovitz]


You have been reading IT Blogwatch by , who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or itbw@richi.uk.
Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies