Ransomware for Apple OS X is real
Transmission “ransomware” is a popular Apple OS X torrent client, which was recently targeted by a group of hackers seeking to release a new version of ransomware named KeRanger, which is fully capable of targeting all mac OS X based devices.
Transmission’s main page was hacked on 04.03.2016 and the installer Transmission 2.90 was replaced with a malware infected file. All people that downloaded Transmission 2.90 and 2.91 should immediately update the program to version 2.92. Please note that while version 2.91 was never infected it also did not automatically remove the malware infected file.
- Even if you updated Transmission to 2.92 it is still a good idea to manually sweep your device for any remaining virus infected files. When you are dealing with dangerous viruses like ransomware extra caution is never wasted. You will find our detailed guide on how to remove KeRanger here (the malware hidden inside Transmission).
Some brief history
As Transmission is a fully open-sourced project it is highly likely that their page was hacked in order to release the malware infected installer. This is also supported by the fact that the infected installer was signed with a legitimate certificate that is, however, different from the certificates used to sign previous versions of the program. The certificate ID used to sign the malware infected version is Z7276PX673 and actually belongs to a Turkish software developer. It is highly likely that this ID has been stolen by the hackers as well.
As of now the compromised ID has been labeled as dangerous and an update has been distributed to all Apple OS X devices to block installation of any other software using the same ID. This, however, raises the issue of apples’ security as a whole – if an ID is that easily stolen what’s stopping hackers from releasing more malware using fake IDs? Hopefully Apple will take this incident to heart and improve on their system to prevent such incidents from repeating.
On the malware itself
The malware embedded into the Transmission 2.90 installer is actually something new to the Mac scene – a ransomware virus. For years now ransomware has been the scourge of PC users. This type of malware specializes in data encryption and it will render all of your files unusable. The only way to recover them is through a back-up, but that may not be an option for many people. The alternative is a hefty $400 ransom to be paid in BitCoins – an untraceable online currency favored by online criminals.
The malware file embedded in the installer pretends to be a .rtf file under the name of General.rtf. This is not actually a .rtf file, but rather a Mac-O format file packed with UPX 3.91. What this means is that when you run the infected Transmission program after installation it will copy General.rtf to the “~/Library/kernel_servic” on your device and execute it even before the interface windows opens. This entire operation is done in the background and you’ll be given no indication of the fact whatsoever.
Typically the ransomware will then sleep itself for 3 whole days, but it can also be remotely trigger at any time from a C2 Tor-based host. Devices without internet connection will have the grace period extended, because the ransomware needs the instructions needed to start the encryption from the remote host.
What does this mean for Apple in the future?
Not having to deal with ransomware and screen lockers is one advantage Mac users have held over the years, but things are about to change for the worst. Security researchers have found evidence of new features that are being worked upon, that will allow the ransomware to somehow block Apple’s Time Machine (the integrated back-up service) from functioning. Should that happen every device will be at the hacker’s mercy. Fortunately this functionality has not yet been completed and Apple software engineers may take a look at their work in order to set them back significantly. We can only guess why the virus was launched in such an unfinished state, but none of the options look good. Our personal guess is that the hackers needed financing in order to finish the job, so they decided to release the virus as means to raise revenue. This is also one of the main reasons why paying the ransom is never a good idea – the money will just be used to better the virus and release it again and again.
Is Mac no longer a virus-free safe haven? Can there be malware that blocks backup service? Share your opinion with us in the comments section below!