Ransomware Threat Targets Macs Through Legit App

| News

Mac users are facing their first serious ransomware threat that targets OS X specifically. The malware, dubbed KeRanger, was embedded in the Transmission BitTorrent client app and was available through the developer's website.

Security research firm Palo Alto Networks reported the threat over the weekend, noting the compromised version of Transmission was signed with a valid Mac developer certificate which let it slip by Apple's Gatekeeper protection measures. Apple quickly revoked the app's certificate to prevent it from launching.

Palo Alto Networks described KeRanger saying,

If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files.

The malware appears to be trying to encrypt Time Machine backups to prevent victims from restoring their system to a pre-infected state.

The Transmission development team pulled the malware-laden version of their app and replaced it with an update that doesn't include KeRanger and also removes the malware elements from victim's computers.

Apple's OS X hit with ransomware threat through Transmission appApple's OS X hit with ransomware threat through Transmission app

The Transmission website has a warning advising users who installed versions 2.90 and 2.91 to update immediately to version 2.92. The 2.91 release doesn't include the malware, but also doesn't have the malware removal feature that's in 2.92.

It isn't clear how a malware-loaded version of the app was on the official Transmission website and was signed with the correct Apple developer certificate. It's possible the site was somehow hacked, but right now there isn't any official word on what happened.

What makes KeRanger interesting is that it's the first malware of its kind targeting OS X specifically. Previous ransomware threats Mac users have faced came through Safari and Synology's NAS DiskStation Manager tools.

It's also interesting that the malware was embedded in a legit app distributed through the developer's website, and that they seemed unaware there was an issue.

Considering KeRanger seems to be in an active development state, we could see similar threats appear in other Mac apps at some point, too. Encryption, it seems, has a dark side, too.

KeRanger is an excellent reminder we need to pay close attention to the sources for the apps we install on our Macs, iPhones, and iPads. Even still, it's possible for malware to slip through, just as it did with Transmission 2.90.

Apple is doing its part by blocking apps from launching via Gatekeeper, and that updates automatically for you. If you're using virus protection software, make sure to regularly check for updated definition lists.

In the case of KeRanger, there isn't a specific weakness in OS X that's being exploited. Instead, the ransomware is being delivered Trojan horse-style by piggybacking on a legit app. Victims trust the app to be safe because it's signed with a legit developer certificate, and someone took advantage of that. Hopefully the Transmission team will find a way to prevent that from happening again, and other app developers will learn from this incident so they don't fall prey to similar hacks.

Popular TMO Stories


Lee Dronick

Software from an unwalled garden




That “Walled Garden” sure has made you immune to malware!


Yes, for OS X there is exactly 1, for Windows the number is in the neighborhood of close to 18,000,000. What an epic failure on Apple’s part. raspberry


The issue is that the “Walled Garden”, the MacAppStore, is a failure so people are having to go outside to get the Apps they need. I would much prefer to get what I need from a secure source like the MacAppStore, but there’s so little there. This should be a wake-up call for Apple.


It sounds to me like the repository hosting Transmission’s code was hacked and no one there seemed to notice the unauthorized commits.

Lee Dronick

Not everyone needs that apps that you need. Anyway the point is to get apps from trusted sources though of course even that isn’t foolproof.

Lee Dronick

We just had a TV anchor on a local San Diego station imply that this is a widespread problem.

Graham McKay

The boundaries of the App Store “walled garden” are drawn up in a way that gives Apple reasonable/good odds of detecting malware & crapware before the app is approved for distribution. The more you allow apps to play outside their “sandbox” the more difficult it is to confirm that they are not doing so in a malicious or dangerous manner. The example above of the ransomware waiting 3 days before “phoning home” is a case in point - can a test suite be expected to test for this?
There’s no easy answer to this type of problem as it is another flavour of the trade off between security & convenience.

Log in to comment (TMO, Twitter or Facebook) or Register for a TMO account