Mac users are facing their first serious ransomware threat that targets OS X specifically. The malware, dubbed KeRanger, was embedded in the Transmission BitTorrent client app and was available through the developer's website.
Security research firm Palo Alto Networks reported the threat over the weekend, noting the compromised version of Transmission was signed with a valid Mac developer certificate which let it slip by Apple's Gatekeeper protection measures. Apple quickly revoked the app's certificate to prevent it from launching.
Palo Alto Networks described KeRanger, saying:
If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.
The malware appears to be trying to encrypt Time Machine backups to prevent victims from restoring their system to a pre-infected state.
The Transmission development team pulled the malware-laden version of their app and replaced it with an update that doesn't include KeRanger and also removes the malware elements from victims' computers.
The Transmission website has a warning advising users who installed versions 2.90 and 2.91 to update immediately to version 2.92. The 2.91 release doesn't include the malware, but also doesn't have the malware removal feature that's in 2.92.
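A defender's check for the advisory above, added here and not taken from Transmission or Palo Alto Networks: it reads the installed bundle's version, flags 2.90 and 2.91, and on macOS asks codesign and spctl whether Gatekeeper still accepts the signature (the default bundle path and the sample Info.plist are assumptions/constructed for the example).

```python
#!/usr/bin/env python3
"""Check a Transmission.app bundle against the KeRanger advisory: flag the
affected versions and confirm the code signature still passes Gatekeeper
(Apple revoked the certificate used to sign the trojanized build)."""
import plistlib
import subprocess
import sys
from pathlib import Path

# Versions the Transmission site told users to replace with 2.92.
AFFECTED_VERSIONS = {"2.90", "2.91"}
FIXED_VERSION = "2.92"

# Default install location on macOS; an assumption, not from the advisory.
DEFAULT_BUNDLE = Path("/Applications/Transmission.app")

# Constructed sample Info.plist so the version parser can be exercised offline.
SAMPLE_INFO_PLIST = plistlib.dumps({"CFBundleShortVersionString": "2.90"})


def bundle_version(info_plist: bytes) -> str:
    """Return CFBundleShortVersionString from an Info.plist (XML or binary)."""
    return str(plistlib.loads(info_plist).get("CFBundleShortVersionString", ""))


def classify_version(version: str) -> str:
    """Map a version string to its status under the advisory."""
    if version in AFFECTED_VERSIONS:
        return "affected"  # 2.90 shipped KeRanger; 2.91 lacks the cleanup code
    if version == FIXED_VERSION:
        return "fixed"     # 2.92 removes the KeRanger components
    return "unknown"       # older or newer build, not covered by the advisory


def gatekeeper_assessment(bundle: Path) -> bool:
    """True if codesign and spctl both accept the bundle (macOS only).
    A revoked developer certificate makes both checks fail."""
    sign = subprocess.run(["codesign", "--verify", "--deep", "--strict", str(bundle)],
                          capture_output=True)
    spctl = subprocess.run(["spctl", "--assess", "--type", "execute", str(bundle)],
                           capture_output=True)
    return sign.returncode == 0 and spctl.returncode == 0


def main(bundle: Path = DEFAULT_BUNDLE) -> int:
    plist = bundle / "Contents" / "Info.plist"
    if not plist.exists():
        print(f"{bundle}: not installed")
        return 0
    status = classify_version(bundle_version(plist.read_bytes()))
    if sys.platform == "darwin" and not gatekeeper_assessment(bundle):
        status = "affected"  # signature rejected: treat as the revoked build
    print(f"{bundle}: {status}")
    return 1 if status == "affected" else 0


if __name__ == "__main__":
    sys.exit(main(Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_BUNDLE))
```

Exit status 1 means the bundle should be replaced with 2.92 (or later) before it is launched again.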
It isn't clear how a malware-loaded version of the app was on the official Transmission website and was signed with the correct Apple developer certificate. It's possible the site was somehow hacked, but right now there isn't any official word on what happened.
What makes KeRanger interesting is that it's the first malware of its kind targeting OS X specifically. Previous ransomware threats Mac users have faced came through Safari and Synology's NAS DiskStation Manager tools.
It's also interesting that the malware was embedded in a legit app distributed through the developer's own website, and that the Transmission developers seemed unaware there was an issue.
Considering KeRanger seems to be in an active development state, we could see similar threats appear in other Mac apps at some point, too. Encryption, it seems, has a dark side as well.
KeRanger is an excellent reminder we need to pay close attention to the sources for the apps we install on our Macs, iPhones, and iPads. Even still, it's possible for malware to slip through, just as it did with Transmission 2.90.
Apple is doing its part by using Gatekeeper to block the compromised app from launching, and Gatekeeper updates automatically for you. If you're using virus protection software, make sure to regularly check for updated definition lists.
In the case of KeRanger, there isn't a specific weakness in OS X that's being exploited. Instead, the ransomware is being delivered Trojan horse-style by piggybacking on a legit app. Victims trust the app to be safe because it's signed with a legit developer certificate, and someone took advantage of that. Hopefully the Transmission team will find a way to prevent that from happening again, and other app developers will learn from this incident so they don't fall prey to similar hacks.