New ransomware targeting OS X was spotted in the wild

Yes, we all know the convenient, long-standing myth that OS X is immune to viruses, and while Apple has done a great deal to secure the platform, it was bound to happen sooner or later: a ransomware application was caught infecting OS X machines.

Palo Alto Networks claims that the software, going by the name of “KeRanger”, is the first known case of a malicious file encrypter running on OS X, other than a reportedly unfinished bit of code known as “FileCoder” that was spotted back in 2014.

If you don’t know what ransomware actually is, it is basically a file encrypter that infects your system. In the case of KeRanger, it lies dormant for three days, after which it encrypts your files and asks you to pay a sizable amount of money (in bitcoin) to an unknown organization to get them decrypted. The malicious code is already in the open and is being distributed as part of the popular torrent client app Transmission.

Just to clarify, this is not the work of the app developers; Transmission has instead been used as a host. Apparently, the attackers tampered with the version 2.90 app package, so if you are currently running that version, you might be infected. If the aforementioned three days haven’t passed yet, you might still have a chance to delete KeRanger before it locks you out of your files.

Specialists from Palo Alto Networks have released an in-depth analysis of the software and how it works, which you can check out at the source link. In general, they suggest that users be on the lookout for a suspicious kernel_service process in Activity Monitor, and you can also check for the existence of a “General.rtf” file inside the Resources folder of Transmission.
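The two indicators above can be checked from a terminal rather than by hand. The script below is an added example and is not code from the article, from Palo Alto Networks or from the Transmission project; it assumes Transmission is installed at the default path /Applications/Transmission.app and that the file sits at the standard bundle location Contents/Resources/General.rtf, and it reads the process list with `ps -eo comm=`.

```shell
#!/bin/sh
# Added example (not from the article or Palo Alto Networks): report the two
# KeRanger indicators the article names. Assumptions: Transmission lives at
# the default /Applications/Transmission.app, and the marker file sits at the
# standard bundle location Contents/Resources/General.rtf.

# Indicator 1: General.rtf inside the app bundle's Resources folder.
# Returns 0 when the bundle looks clean, 1 when the file is present.
check_transmission_bundle() {
  bundle="${1:-/Applications/Transmission.app}"
  marker="$bundle/Contents/Resources/General.rtf"
  if [ -f "$marker" ]; then
    echo "INDICATOR: $marker exists"
    return 1
  fi
  echo "ok: no General.rtf in $bundle"
  return 0
}

# Indicator 2: a running process named kernel_service.
# Takes a newline-separated list of process command names (one per line) so
# it can be run over a live 'ps' listing or a saved one. Matches the name
# exactly (optionally preceded by a path) to avoid false positives such as a
# shell that merely has the string in its arguments.
# Returns 0 when the process is found, 1 otherwise.
check_process_list() {
  printf '%s\n' "$1" | grep -qE '(^|/)kernel_service$'
}

# Live scan of this host: combines both checks and prints a summary.
scan_host() {
  found=0
  check_transmission_bundle "${1:-/Applications/Transmission.app}" || found=1
  # 'ps -eo comm=' prints one command name per line on macOS and Linux.
  if check_process_list "$(ps -eo comm=)"; then
    echo "INDICATOR: kernel_service process is running"
    found=1
  else
    echo "ok: no kernel_service process"
  fi
  if [ "$found" -eq 1 ]; then
    echo "RESULT: KeRanger indicators present; update Transmission to 2.92 or later"
  else
    echo "RESULT: no KeRanger indicators found"
  fi
  return 0
}

scan_host "$@"
```

Save it as keranger_check.sh and run it with `sh keranger_check.sh`; pass a different bundle path as the first argument to check a copy of Transmission installed somewhere other than /Applications. A hit on either indicator is a reason to install the 2.92 update the article mentions, which removes the ransomware files.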

But even if you don’t intend or want to get your hands dirty, both Apple and the Transmission team have taken swift measures. The former has revoked the certificate used to sign the affected app package, so it can no longer be installed. As for Transmission, it has issued an emergency version 2.92 update that claims to actively remove the ransomware files, if present.
