SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Transmission 2.90 Infected with First Known OSX Ransomware [Updated]
Date    Sunday March 06 2016, @11:22AM
Author    martyb
Topic   
from the get-your-updates-now dept.
https://soylentnews.org/article.pl?sid=16/03/06/2137217

An Anonymous Coward writes:

Following closely upon the hacking of the Linux Mint website, the developers of the Transmission BitTorrent client have announced that last week's 2.90 release was infected by a new form of OSX malware, OSX.KeRanger.A (or "KeyRanger" as 9to5mac is calling it).

The payload appears to be the first OSX ransomware discovered in the wild. If it works, OSX.KeRanger.A should begin encrypting infected users' files on Monday, March 7. The malware seems to have been included only in downloads from the developers' website, while Transmission's internal update function (using the Sparkle framework) seems to have delivered clean updates. The developers have released two updates (2.91 and 2.92) in the past twenty-four hours to remove the infection.

Those who use Transmission on OSX should check for the following on their systems:

[Update:] According to a report in ITWorld, Apple shuts down first-ever ransomware attack against Mac users.

With the help of security researchers, Apple over the weekend quickly blocked a cyberattack aimed at infecting Mac users with file-encrypting malware known as ransomware.

[...] The tainted Transmission version was signed with a legitimate Apple developer's certificate. If a Mac user's security settings are set to allow downloads from identified Apple developers, the person may not see a warning from Apple's Gatekeeper that the application could be dangerous.

Apple revoked the certificate after being notified on Friday, [Security company] Palo Alto wrote. The company has also updated its XProtect antivirus engine.

After it is installed on a system, KeRanger waits three days before connecting to a remote command-and-control server using the Tor system. It is coded to encrypt more than 300 types of files.


Original Submission

Links

  1. "the hacking of the Linux Mint" - https://soylentnews.org/article.pl?sid=16/02/21/0517219
  2. "Transmission" - https://www.transmissionbt.com/
  3. "have announced" - https://trac.transmissionbt.com/wiki/Changes#version-2.92
  4. "OSX.KeRanger.A" - http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/
  5. "9to5mac" - http://9to5mac.com/2016/03/06/first-os-x-ransomware-detected-in-the-wild-will-maliciously-encrypt-hard-drives-on-infected-macs/
  6. "2.91" - https://trac.transmissionbt.com/wiki/Changes#version-2.91
  7. "2.92" - https://trac.transmissionbt.com/wiki/Changes#version-2.92
  8. "Apple shuts down first-ever ransomware attack against Mac users" - http://www.itworld.com/article/3040986/apple-shuts-down-first-ever-ransomware-attack-against-mac-users.html
  9. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=12559
