The program was discovered by Palo Alto Networks. Called KeRanger, it lies dormant for three days after being installed before waking up, encrypting the majority of the Mac’s directories and demanding 1 bitcoin (around $410) from the user to reverse the process.
The malware encrypts all the files under the “/Users” and “/Volumes” directories on a Mac’s hard drive. It targets 300 different file extensions, ranging from emails and popular document, image and video formats to compressed archives, source code, database files and security certificates.
KeRanger was found being distributed by the installer for popular free torrent client Transmission. It remains unclear how the malware infected the original installer, a major lapse in security for the open-source project. The most likely explanation is its website was hijacked and the download link replaced with a re-compiled version of the program.
In a post on its website, the team behind Transmission advised “everyone” using version 2.90 of the program to immediately upgrade to version 2.92. The new version will automatically eradicate the malware and cleanse the system. Users of version 2.91 should also upgrade — although it wasn’t infected with KeRanger, it doesn’t automatically destroy the malware if present, potentially leaving it dormant on the computer.
KeRanger is believed to be the first ransomware developed specifically for Mac OS X. Over the past few years, ransomware has soared in popularity on Windows, helped by high-profile families such as Cryptolocker. Macs have largely been left alone, in part because cybercriminals haven’t needed to seek revenue from the smaller platform given the success they’ve found on Windows.
“The fact that it [ransomware] hasn’t made it to Mac shows that it’s had a great amount of success on the Windows side,” said Palo Alto Networks researcher Ryan Olson to Ars Technica. “But the fact that [the KeRanger malware] was distributed through a legit application demonstrates that we will see this again.”
Ransomware is one of the fastest growing malware forms and is slowly spreading across platforms. Recently, hackers managed to profit $17,000 from a Los Angeles hospital that was forced to pay up after all its computers became infected with ransomware.
Palo Alto reported KeRanger to Apple and the Transmission contributors on March 4. Both parties responded quickly and the infected Transmission installer was removed from the website. Apple has since blocked an antivirus signature used by Transmission v2.90, preventing OS X from opening the infected installer. Anyone using the affected program version should upgrade to version 2.92 immediately.