The First ‘Ransomware’ Virus for the Mac Is Here — Here’s How to Make Sure You’re Not Infected


There is no Mac-user boast more smug than "Macs don’t get viruses" — and none that’s less true, either. On Sunday, another piece of evidence emerged indicating that malware creators are placing some of their attention on OS X. Security researchers at Palo Alto Networks announced yesterday that Transmission, a popular BitTorrent client, has been infected with ransomware.

Ransomware is an increasingly popular type of malware that holds a computer hostage by encrypting all of its data. The owner must then pay a ransom (usually in hard-to-trace Bitcoin) to have the computer unlocked again. These attacks usually, but not always, target individual systems. Last month, a ransomware attack on a hospital cost the facility $17,000.

First things first: If you haven’t downloaded a recent copy of Transmission, you almost certainly don’t have the malware, called KeRanger. Still, if you want to check, the easiest way is to open up Activity Monitor — located in your Utilities folder — and ensure that a process called “kernel_service” is not running (“kernel_task” is an entirely different operation).


Precisely how KeRanger got into Transmission is unclear, though the leading theory is that the program’s official website was compromised, and the regular download copy was switched out for an infected version. Transmission is an open-source project, so its source code is publicly accessible and manipulable — Transmission’s status as leading BitTorrent (read: piracy) software is not directly related to this attack. (One might intuit, however, that people who pirate media and software might be less concerned with their computer’s security, making them more susceptible to malware intrusions.)

The infected download was signed with a valid Mac developer certificate, so OS X’s Gatekeeper security feature did not throw up any red flags. The certificate has since been revoked by Apple, so the infected software can’t be installed. The most recent version released over the weekend is malware-free.

That said, if you’re running Transmission, it’s worth checking to see what version. Version 2.90 is the infected version, while the most recent, 2.92, is clear (2.91 was not infected but did not automatically remove the file containing the malware).

If you feel like doing a more in-depth security audit, you can check and make sure the malware file, General.rtf, is no longer in Transmission by right-clicking the app and choosing “Show Package Contents.” Then drill down from “Contents” to “Resources” and ensure the file is absent.

An infected copy will contain the file, but a clean one will not.
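The three checks above (no “kernel_service” process, the Transmission version number, and no General.rtf under Contents/Resources), collected into a small POSIX shell script as an added example; it is not from the article or the Transmission project, and the default bundle path and the per-version verdicts are assumptions drawn from what the article states.

```shell
#!/bin/sh
# Added example, not part of the article or of Transmission itself.
# Bundle location is an assumption; pass another path as the first argument.
TRANSMISSION_APP="${1:-/Applications/Transmission.app}"

# Returns 0 if a process named exactly "kernel_service" is running.
# "kernel_task" is a legitimate macOS process and is deliberately not matched.
kernel_service_running() {
    ps -axo comm= 2>/dev/null | awk -F/ '{ print $NF }' | grep -qx 'kernel_service'
}

# Returns 0 if General.rtf sits in the bundle's Resources folder, which the
# article describes as the marker of an infected copy (or a 2.91 that kept it).
malware_file_present() {
    [ -f "$1/Contents/Resources/General.rtf" ]
}

# Verdict for a version string, per the article: 2.90 shipped KeRanger,
# 2.91 was not infected but did not delete General.rtf, 2.92 is clean.
classify_version() {
    case "$1" in
        2.90) echo "infected" ;;
        2.91) echo "clean-but-check-file" ;;
        2.92) echo "clean" ;;
        *)    echo "unknown" ;;
    esac
}

# Reads CFBundleShortVersionString from Info.plist with the macOS `defaults`
# tool; prints "unavailable" when the bundle or the tool is missing.
bundle_version() {
    defaults read "$1/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null \
        || echo "unavailable"
}

main() {
    if kernel_service_running; then
        echo "WARNING: kernel_service process is running"
    else
        echo "ok: no kernel_service process"
    fi
    ver=$(bundle_version "$TRANSMISSION_APP")
    echo "Transmission version $ver: $(classify_version "$ver")"
    if malware_file_present "$TRANSMISSION_APP"; then
        echo "WARNING: General.rtf found in $TRANSMISSION_APP"
    else
        echo "ok: General.rtf absent from $TRANSMISSION_APP"
    fi
}

main "$@"
```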
