Researchers from Palo Alto Networks are reporting the spread of fully functional ransomware aimed at Mac users. The Mac ransomware is being spread through the official website of the Transmission BitTorrent client. Someone seems to have hacked into the site and replaced the original client with an infected one. The ransomware in question is called KeRanger and is included in version 2.90. If you downloaded the client after March 4th, then you probably have it on your Mac right now.
This is the first time Mac users have been targeted by fully functional Mac ransomware. Earlier Mac ransomware was never completed; it was built only as a proof of concept and never released into the wild. The two previously built examples are FileCoder and Mabouia. KeRanger, however, is in a different league and seems to be a direct copy of the crypto-ransomware families that are targeting Windows and Linux machines right now. KeRanger uses AES encryption to lock files and demands a payment of 1 Bitcoin, which is around $400. It targets over 300 file extensions and is highly dangerous.
Now, this part of the article is the most important. KeRanger lies dormant for a period of 3 days before it starts its encryption process. That means users who downloaded the client after March 4th may still have a chance of removing it. Once the encryption starts, there is no alternative other than paying the ransom. KeRanger also includes a host of unfinished features that would allow it to be more functional. It used a stolen certificate to bypass Apple’s Gatekeeper protection system. However, Apple has revoked the certificate and updated its antivirus signature to protect victims in the future.
The Transmission open-source project has already removed the infected version from its site and has issued a brand new version. Version 2.92 is free of the Mac ransomware. If you are a user of Malwarebytes Anti-Malware, then scan right now for OSX.Ransomware.Keranger and remove it as soon as possible.