OS X ransomware found bundled with legitimate software

Palo Alto researchers have discovered the first fully functional ransomware aimed at Mac users.

The malware, dubbed KeRanger, has been found on Friday (March 4), bundled into the Mac version of the popular open source Transmission BitTorrent client, and made available for download on the Transmission developers’ official website.

The website now sports an alert on the main page, saying that everyone running version 2.90 of Transmission on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file.

This new version includes a removal tool for the KeRanger ransomware. “Users of 2.91 should also immediately upgrade to and run 2.92. Even though 2.91 was never infected, it did not automatically remove the malware-infected file,” the developers noted.

It seems likely that Transmission’s official website was compromised and the files were replaced with re-compiled malicious versions of the client, but how the compromised happened is still unknown.

KeRanger functions like most malware for Windows and Linux: it contacts the C&C servers via the Tor network in order to receive the encryption key, encrypts files on the machine (documents, images, audio and video files, archives, source code, databases, emails and certificates), and asks the victim to pay one bitcoin (some $400) in order to get their files back.

OS X ransomware

There are a few intersting things about it:

  • It hides in the malicious Transmission download bundle by pretending to be an RTF file
  • It is signed with a valid Mac app development certificate, allowing it to bypass Apple’s Gatekeeper
  • It does not spring into action immediately, but waits for three days before starting the file encryption process
  • There are indications that the malware is still under development, and that in the future will be able to open a backdoor into the compromised system and to encrypt Time Machine backup files.

“Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger,” Palo Alto researchers warn. “If the Transmission installer was downloaded earlier or downloaded from any third party websites, we also suggest users perform the following security checks.”

The Transmission Project has removed the compromised Transmission installers from the website on Sunday. Apple has revoked the abused certificate and updated XProtect signatures almost immediately after they were notified by the researchers. Uusers who tried to run the malicious Transmission installer on Saturday were puzzled by the fact that their Macs were warning them about malware and prevented the installation.

“The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform,” the researchers concluded.

Share this