Ransomware named KeRanger was discovered by security firm Palo Alto Networks on Friday, March 4th. Crackers somehow managed to upload two modified installers of Transmission for OS X onto Transmission's servers.

Palo Alto Networks immediately notified both Apple and Transmission about the compromise. Transmission removed the infected installers, updated the software and pushed a notification that users will see upon running Transmission:

Read Immediately!!!!

Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the “OSX.KeRanger.A” ransomware (more information available here) is correctly removed from your computer.

Users of 2.91 should also immediately upgrade to and run 2.92. Even though 2.91 was never infected, it did not automatically remove the malware-infected file.

Apple also responded swiftly, removing the compromised certificate used by the developer to sign the installer. Mac’s built-in security feature ‘Gatekeeper’ is now blocking the compromised installer on systems. The company has also updated its built-in anti-malware software XProtect, and the signature has been automatically updated to all Mac computers now, said Palo Alto in a blog post.

Are you infected?

The compromised version of Transmission is 2.90 that was uploaded on March 4. So if you updated Transmission on or after March 4, chances are that you have the infected installer on your system.

You can easily check if your system is compromised. Go to the Applications folder, and Control-click on the Transmission app to choose ‘show package content’ and then go to the Contents/Resources directory and check if there is a ‘General.rtf’ file. If the file is there, you are infected.

Palo Alto Networks said in a blog post that General.rtf looks like a normal RTF file but it’s “actually a Mach-O format executable file packed with UPX 3.91. When users click these infected apps, their bundle executable Transmission.app/Content/MacOS/Transmission will copy this General.rtf file to ~/Library/kernel_service and execute this “kernel_service” before any user interface appearing.’

Once installed, KeRanger waits for three days before connecting to its servers to start the encryption. KeRanger will encrypt every file – from images to movies to documents -- in the /Volumes and /User directories. Once the files are encrypted the crackers demand ~ $400 in bitcoins to decrypt the files.

That means those who are infected will be locked out of their Mac OS X files today.

The security firm said that KeRanger is in active development and is also working on encrypting TimeMachine backup files so that users can’t deny ransomware and restore files from backup.

A few weeks ago we saw a similar kind of attack on open source operating system Linux Mint where crackers hacked the Linux Mint website and changed download links to a new locations hosting compromised images of the OS. But in the case of Transmission, crackers managed to upload software on Transmission’s servers.

While it's still not known how crackers managed to upload the compromised installer onto the Transmission site, it is clear that open source projects need to take some measures to protect users. And there is lesson here for users as well: Disable automatic updating of software and install updates only after review.

KeRanger isn't the first ransomware for Mac OS X (Kaspersky discovered FileCoder back in 2014), but it is the first fully functional OS X ransomware.