KeRanger: First Ransomware to Target Mac Users Found in BitTorrent Client

Over the weekend, a notification on told users to immediately upgrade Transmission, a popular open source cross-platform BitTorrent client, to 2.91, or delete version 2.90. The alert was caused by the discovery of "KeRanger", which is believed to be the world's first ransomware specifically designed to infect OS X machines.

The first clues of the attack came on the evening of March 5th, when forum users noted that installations of Transmission 2.90—downloaded via HTTP instead of Transmission's HTTPS site—contained malware.  The link change points to the likelihood that the Transmission website was likely compromised by attackers who replaced the legit installer with one that was re-compiled with malicious files. Those who downloaded the Transmission 2.90 installer from the official website between 11:00am PST of March 4 to 7:00pm PST of March 5 may have downloaded files that install KeRanger.1

The attacker used a valid Mac app development certificate to bypass Apple's Gatekeeper protection. Gatekeeper is a security feature that requires a unique Developer ID from Apple, which developers use to digitally sign and verify their apps. Apple uses this feature to block apps that may have been tampered with, as well as those made by unknown developers. Any downloaded application that isn't signed with a Developer ID is blocked from being installed. The method used to bypass these Apple security measures could be a sign of similar attacks in the future.

Besides being recognized as the first ransomware to affect the OS X platform, this attack is also notable for how it was delivered. KeRanger arrives via a trojanized app, which is uncommon for crypto ransomware that usually infects target systems through malicious links.

Once it's in a victim's system, it works like a typical crypto ransomware. According to the analysis, KeRanger waits for three days after infection before connecting to a command & control server over the Tor network, then encrypts certain document and file types on the victim's system. Once done, KeRanger then shows the ransom note, demanding 1 bitcoin2 to decrypt the locked files.

[More: How ransomware works | Why crypto-ransomware is so effective]

Following the three-day wait time after installing the compromised app that was served between March 4-5, the first encryption cases for those who have been infected (and did not delete the malicious files) are expected to come out on March 7th or 8th.

The alert message on has also been updated on March 6th, advising all users to update to Transmission 2.92. While version 2.91 was clean, it didn't remove the malicious files. Version 2.92 removes the said files from infected systems.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.