Who are the real victims in Apple ransomware campaign?
The news about the first fully functional ransomware targeting OS X users has become an over-hyped subject on the web. According to Palo Alto Networks, last weekend hackers managed to infect the open source Transmission BitTorrent app with something called 'KeRanger'.
According to Chris Vickery, MacKeeper Security Researcher, “ransomware that targets Apple devices was bound to appear sooner or later. Criminals behind this campaign are likely to be testing the waters to see how profitable an Apple-centric ransomware attack can be. A lot of effort was put into this, and they had to burn some valuable assets (e.g. a rogue certificate). Personally, I don't think this campaign will prove to be very profitable for the bad guys, but the public relations damages for Apple and the Transmission team will likely be large.”
Mac users are not as vulnerable as the media suggested, especially compared to PC users. Apple reacted promptly and revoked the security certificate within hours. Now anybody who tries to open the harmful application gets the warning message: “Transmission.app will damage your computer. You should move it to the Trash.”
However, there are still a lot of exaggerated claims about the “ransomware” threat. There’s a tiny chance that your Mac has been infected. If you do not use Transmission, you can stop reading at this point. Otherwise, we’ve got several tips on how you can stay completely safe even after downloading Transmission.
Currently, it’s not entirely clear how the hackers managed to replace the original Transmission installers with their compromised copies. What we do know is that KeRanger bypasses Apple’s Gatekeeper and is capable of encrypting important files, including Time Machine backups, making them unavailable to their owner.
Once installed, the ransomware remains inactive for three days and then connects to its remote command and control servers over the Tor network. At the same time, the malware starts encrypting important documents and files on the hard drive. When the encryption is over, the user gets a notification urging them to pay one bitcoin (approx. $400) to get their data back.
The Transmission Project has already removed the compromised installers from its website, and Apple has updated its antivirus signatures and revoked the unsafe certificates to make sure that nobody gets infected again.
What You Can Do
If you use MacKeeper and have Transmission installed on your Mac, make sure you check out the Update Tracker tool for the newer build of Transmission v.2.92.
Palo Alto Networks strongly suggests that all Transmission BitTorrent app users should check whether their Macs have been infected with the aforementioned ransomware. We strongly recommend following the steps below.
1. Use the Finder or Terminal to check whether either of these paths exists:
/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf
If you find either of them, delete the Transmission application as soon as possible.
2. Open the Activity Monitor utility and check whether a process called “kernel_service” is running. Double-check each process: click “Open Files and Ports” and make sure that you don’t see “/Users/<username>/Library/kernel_service”. That’s the main KeRanger process, so if it is running, choose “Quit > Force Quit”.
3. Check the ~/Library folder for the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” and “kernel_service”. If you find any of them, delete them.
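The three checks above can be run from Terminal in one go. The script below is an added example written for this article, not code from MacKeeper, Palo Alto Networks or the Transmission Project; it only reports indicators and deletes nothing, and the `app_root`/`home_dir` parameters and the `--scan` flag are our own additions so the checks can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example: report the KeRanger indicators from the steps above.
# Nothing is removed; cleanup stays a manual decision as described in the steps.
# app_root and home_dir are hypothetical parameters: leave app_root empty and
# home_dir as $HOME to check the live system, or point them at a test tree.

# Steps 1 and 3: files dropped by the trojanised Transmission build.
keranger_file_indicators() {
    app_root="${1:-}"          # "" means the real filesystem root
    home_dir="${2:-$HOME}"
    for p in \
        "$app_root/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$app_root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
        "$home_dir/Library/.kernel_pid" \
        "$home_dir/Library/.kernel_time" \
        "$home_dir/Library/.kernel_complete" \
        "$home_dir/Library/kernel_service"; do
        if [ -e "$p" ]; then
            echo "FILE: $p"
        fi
    done
    return 0
}

# Step 2: read a "pid command" listing (as printed by `ps -axo pid=,comm=`)
# on stdin and print any process whose name is kernel_service, the main
# KeRanger process, whatever directory it was launched from.
keranger_process_indicators() {
    awk '{ name = $2; sub(/.*\//, "", name)
           if (name == "kernel_service") print "PROCESS: pid " $1 " " $2 }'
}

# Live scan of this Mac: sh keranger_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    hits=$( { keranger_file_indicators "" "$HOME"
              ps -axo pid=,comm= | keranger_process_indicators; } )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        echo "KeRanger indicators present: remove Transmission, force-quit kernel_service, delete the ~/Library files."
        exit 1
    fi
    echo "No KeRanger indicators found."
fi
```

A non-zero exit status with `--scan` means at least one indicator was found, so the script can also be run from a fleet management tool.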