On the 4th of March, 2016, security firm Palo Alto Networks discovered the KeRanger ransomware coded into the Transmission BitTorrent client installer. As Palo Alto Networks published their report on the 6th of March, the news broke through the Internet via the tech blogs.

For the most part, Mac users have rested in the thought that malware outbreaks, let alone ransomware, have never infiltrated their systems. So much so, that there’s a running belief that Macs are impervious to such malevolent software.

In 2015, however, proof of concept was demonstrated by Brazilian security researcher Rafael Salema Marques, through the file-based crypto ransomware “Mabouia.” At the time, around November 2015, the concept was merely that: A concept, albeit demonstrated. Today, a real, live, ransomware is on the loose.

How Ransomware KeRanger Broke Loose

The ransomware “KeRanger” first broke loose through the BitTorrent client “Transmission.” “Transmission” is an open-source app, and it could be used with the Tor anonymous network.

While Transmission in itself has had a long history of being a safe computer program, Palo Alto Networks discovered that two of its .dmg files for version 2.9.0 had been infected, following a website breach.

The Good News And The Bad News

The good news is that Transmission already released version 2.9.2, which includes tools to remove the malware-infected files. The other good news is that Apple has already taken steps through its Gatekeeper system, and users will no longer be able to download the infected installer itself.

The bad news is that users who have downloaded and installed the infected 2.9.0 file will have to manually troubleshoot their Macs.

How To Troubleshoot Your Mac If You’ve Installed The Infected Transmission 2.9.0

  1. Immediately uninstall Transmission 2.9.0.
  1. Check if the malware is in your system.
    • Go to Activity Monitor. Look for the process “kernel_service.”
      • If you find this process, terminate it through the “Force Quit” command.
    • Using Terminal or Finder, look for these two files:
      • /Applications/Transmission.app/Contents/Resources/ General.rtf
      • /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf
      • If you find these in your Mac, delete these immediately. Don’t forget to empty the trash.
    • Go to the ~/Library directory, and check if these files are present:
      • “.kernel_pid”
      • “.kernel_time”
      • “.kernel_complete”
      • “kernel_service”
      • Delete all these files if you find them.
  1. Immediately install Transmission 2.9.2. It will have tools to check if KeRanger has been fully removed from your system.
    • After you use Transmission 2.9.2 to check if you still have KeRanger on your Mac, you may remove it if you decide to quit torrenting.
    • If you would prefer to keep torrenting files, then by all means, Transmission 2.9.2. is no longer infected, and as outlined, it will even help you remove the infected files.

So What Ransomware KeRanger Does Exactly?

Now that the more urgent part of removing KeRanger from your Mac is out-of-the-way, you may wonder what KeRanger could have done to your system.

As the name suggests, “ransomware” hijacks files or your entire computer or device and holds it for “ransom.” You won’t be able to access certain files, or even your entire PC until you pay the fee demanded by the creators of the ransomware.

For KeRanger specifically, the ransomware doesn’t ask for or need root access to the Mac. All it does is encrypt files especially important to the end-user, such as photos, music files, and documents. According to Wired, KeRanger lies dormant for 3 days after the install, then looks for a range of 300 file types, .doc, .txt, .jpg, and.mp3.

The ransom value for KeRanger’s victims is 1 bitcoin or around $400 USD.

Do NOT pay the ransom AT ANY COST. Just follow the steps outlined above and you’d get rid of it.

When you pay the ransom for your media, you only encourage the “industry” of hackers and malware creators to keep making ransomware and other malware.

Moving Forward: How To Protect Yourself From Ransomware

  • Luckily, KeRanger is deployed very specifically, namely through the download and installation of Transmission 2.9.0. Unlike Windows and Android ransomware, the deployment isn’t through an all-encompassing campaign. So, there’s no real reason to be paranoid that any click of certain file types would infect your system. Since Transmission and Apple have done their due diligence and damage control, the only thing left to do is to follow the steps we previously outlined.
  • Moving forward, avoid downloading and installing apps that are not on the Mac App Store. Even though KeRanger managed to go undetected by Apple’s Gatekeeper app monitoring system, for the most part, the Mac App Store is policed and you can be assured that there’s less of a risk of downloading infected apps from there. The risk of mistakenly downloading malware-infiltrated apps grows when you download apps from third-party sites.
  • If you could steer clear of torrenting files, you should. There’s just a whole lot of risks when downloading and using cracked and pirated files, that it’s just not worth getting a free ride, or a free app, anymore. If you’re on Transmission and Tor for other reasons, such as software development, well, you seem to know what you’re doing, and you’ll be likely to be able to damage-control the situation if you ever realize you’ve downloaded KeRanger somehow.

Macs have had their moments of being attacked by malware, though the cases are rather rare, and they have been quickly contained by Apple, in cooperation with their developer community. In the case of the KeRanger outbreak, it was certainly an object lesson in the fact that a malware, ransomware outbreak could happen on Macs, too. It was an in-your-face reminder that Macs could be hijacked, and for a pretty penny.

While the fact that OS X is still a Unix-like system, which gives it an edge over Windows, most experts point to the fact that OS X and Macs have a lower market share than Windows as a reason why it has not been targeted as much as Windows, until now.

Because Windows simply has a larger market share, hackers and malware coders have poured out their efforts more to making worms, Trojans, spyware, ransomware, for Windows. However, the implication of KeRanger’s success in infiltrating Macs via Transmission 2.9.0 is that this may be the first of a slew of attacks on the Mac.

Final Thoughts

According to Wired, if the KeRanger campaign turned in a good profit for the hackers behind this, this could trigger more incidences of attempts at creating bigger, better, more virulent malware for the Mac.

Let’s hope that the quick damage control discourages hackers the world over from concerting their efforts on the Mac. As for Windows and Android, here’s hoping that both ecosystems boost their efforts in keeping the end-users’ systems secure.