The Office of Technology Services (OTS) is informing the campus about the first known case of ransomware for OS X users, which was detected in the Transmission BitTorrent client installer app on March 4, 2016. Ransomware is malicious software that encrypts user data, holding it “hostage” until the demanded ransom is paid to the attackers in exchange for releasing the data back to the user.
About KeRanger Ransomware
This newly discovered ransomware has been named “KeRanger” by Claud Xiao of Palo Alto Networks’ Research Center. It is the first piece of fully functional Mac OS X ransomware and the first Mac OS X malware distributed through a software update from a legitimate developer. Here is what is currently known about KeRanger:
- The infected Transmission app was distributed from the official Transmission website, which the ransomware attacker had modified.
- The compromised installer included a file named General.rtf which is actually an executable file rather than the rich-text document that it appears to be.
- Once the app is launched, the file is copied to a file named kernel_service in the user's Library folder, which is hidden by default on recent versions of OS X. The service runs in the background and activates after 3 days.
- According to Xiao, if the app remains undetected it will encrypt everything in the /Users folder. In each folder where files have been encrypted, a file named “README_FOR_DECRYPT.txt” is created, containing instructions for how to pay for a decryption key.
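The two indicators described above (a General.rtf that is really a Mach-O executable, and a kernel_service file in the user's Library folder) can be checked from a shell. The script below is an added example, not part of the OTS notice or of Palo Alto Networks' report; the bundle-internal location Contents/Resources/General.rtf is taken from Palo Alto's report and is not stated in the notice.

```shell
#!/bin/sh
# Added example: scan for the KeRanger indicators described in the notice.
# Paths are passed in so the check can be run against copies or test dirs.
# Usage: check_keranger_indicators /Applications/Transmission.app "$HOME/Library"

# A real RTF document starts with the text "{\rtf". A Mach-O executable
# starts with one of these magic numbers (32/64-bit, either byte order,
# or the "fat" multi-architecture header).
is_disguised_executable() {
    f=$1
    [ -f "$f" ] || return 1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints each finding; returns 0 when clean, 1 when any indicator is found.
check_keranger_indicators() {
    app=$1   # path to the Transmission.app bundle
    lib=$2   # path to the user's Library folder
    found=0
    # Location inside the bundle as reported by Palo Alto Networks.
    rtf="$app/Contents/Resources/General.rtf"
    if is_disguised_executable "$rtf"; then
        echo "INDICATOR: $rtf is a Mach-O executable, not an RTF document"
        found=1
    fi
    if [ -e "$lib/kernel_service" ]; then
        echo "INDICATOR: $lib/kernel_service exists"
        found=1
    fi
    return $found
}
```

On a real machine, a non-zero exit means the app bundle or Library folder should be treated as compromised and the machine isolated for follow-up.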
Below is a screenshot of the ransom message from an infected machine from Palo Alto Networks: