First OS X ransomware detected in the wild, will maliciously encrypt hard drives.....


rgray
Mar 6th, 2016, 05:30 PM
First OS X ransomware detected in the wild, will maliciously encrypt hard drives on infected Macs (http://9to5mac.com/2016/03/06/first-os-x-ransomware-detected-in-the-wild-will-maliciously-encrypt-hard-drives-on-infected-macs/)
OS X users have today been hit with the first known case of Mac ‘ransomware’ malware, found in the Transmission BitTorrent client released last week. Infected versions of the app include ‘KeyRanger’ malware that will maliciously encrypt the user’s hard drive after three days of being installed. The malware then asks for payment to allow the user to decrypt the disk and access their data — the ‘ransom’.

As reported by Palo Alto Networks, Apple has already taken steps to curb the spread of the malware through its Gatekeeper security system. This means the infected version of Transmission will no longer install, but it does not help those who have already been affected. Transmission is urgently recommending people upgrade to the latest version of its software, 2.91.
Unlike ‘friendly’ system encryption services, it is becoming increasingly common on Windows for viruses and malware to maliciously encrypt user data. The aim is for the virus maker to raise money by holding the user data ransom until payment is provided, in exchange for the malware to decrypt the drive once again.
The KeyRanger malware currently circulating is the first known instance of ransomware targeted at OS X users. It is not recommended to actually pay the malware as it only encourages further malicious action and there is no guarantee the virus maker will actually do the decryption as promised.
Users worried about being impacted by the ransomware should look for the ‘kernel_service’ process in Activity Monitor. This process is named like a kernel system program as a disguise, but it is actually the KeyRanger malware. If you are impacted, the recommendation is to restore to an earlier backup of your system before you installed Transmission. This is the best way to ensure the virus has been completely removed from the system.
It’s worth noting that the malware has only been detected in the Transmission app to date. It is unknown if it is more widespread, affecting other common apps.
Palo Alto Networks suggests a few other methods to check for the presence of the malware. Their post also includes a lot more detail on the technical implementation of the virus, so check out their post for more information. The security researchers suggest checking for the existence of the file ‘/Applications/Transmission.app/Contents/Resources/General.rtf’ or ‘/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf’. If this file exists, the Transmission app is likely infected. You can also check for the existence of “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” files in the ~/Library directory. Delete the files if they exist.
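One way to script the file and process checks the article lists, as an added example that is not part of the original post or of Palo Alto Networks' write-up. The directory arguments are assumptions added so the same check can be pointed at a constructed test tree or at another mounted volume; the indicator names and paths are the ones quoted above.

```shell
#!/bin/sh
# Added example: report-only scan for the KeRanger indicators quoted in the post.
# Nothing is deleted; the recommended remediation is restoring a clean backup.

# check_keranger_files <library_dir> <General.rtf path>...
# Prints each indicator found. Returns 0 when nothing is found, 1 otherwise.
check_keranger_files() {
    lib="$1"; shift
    found=0
    # Infected Transmission bundles carry an extra General.rtf resource.
    for app_rtf in "$@"; do
        if [ -f "$app_rtf" ]; then
            echo "INDICATOR: $app_rtf exists (infected Transmission bundle)"
            found=1
        fi
    done
    # Dropped marker files and the copied executable under ~/Library.
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$lib/$name" ]; then
            echo "INDICATOR: $lib/$name exists"
            found=1
        fi
    done
    return $found
}

# The running malware is disguised as a process named kernel_service.
check_keranger_process() {
    if pgrep -x kernel_service >/dev/null 2>&1; then
        echo "INDICATOR: kernel_service process is running"
        return 1
    fi
    return 0
}

# Scan the real paths from the article on the current machine.
keranger_scan() {
    rc=0
    check_keranger_files "$HOME/Library" \
        "/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" || rc=1
    check_keranger_process || rc=1
    return $rc
}

keranger_scan && echo "No KeRanger indicators found." \
    || echo "Indicators found: restore from a backup made before Transmission was installed."
```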

macintosh doctor
Mar 6th, 2016, 08:44 PM
wait I am to feel sorry for bit torrent users? are you kidding me?
easy fix.. don't bit torrent.

monokitty
Mar 6th, 2016, 08:49 PM
The "ransom" aspect of this threat is irrelevant if you have a backup and became a victim of this malware. Wipe drive and restore. Problem solved.

As per bit torrent use, there are legitimate uses for it so that's not really an argument.

rgray
Mar 6th, 2016, 10:45 PM
wait I am to feel sorry for bit torrent users? are you kidding me?
easy fix.. don't bit torrent.

I am not suggesting one feel sorry for torrent users, but as noted by monokitty there are some legitimate uses.

I posted the OP more out of general information, because sooner or later this or the like will be hacked into a more general distribution. After all I recently found a stealth MacCleaner (or whatever it is calling itself lately) embedded in a download of Filezilla from the formerly trusted site Source Forge.....

And yes it is easy to get rid of THIS TIME..... The scarier thing is that it is a "proof of concept"...

pm-r
Mar 6th, 2016, 11:35 PM
Unfortunately I also received some very unwanted and unasked-for software extras from the, as you say, "formerly trusted site Source Forge" a month or so ago that started acting like some ransomware. Very annoying and disappointing.

And no sign or anything saying anything extra was included with the download or install.

IllusionX
Mar 7th, 2016, 07:46 AM
How did the malware actually slip into the app?


rgray
Mar 7th, 2016, 08:17 AM
Ransomware virus found on Apple devices (From Bournemouth Echo) (http://www.bournemouthecho.co.uk/uk_national_news/14325880.Ransomware_virus_found_on_Apple_devices/?ref=eb)

wonderings
Mar 7th, 2016, 09:24 AM
The "ransom" aspect of this threat is irrelevant if you have a backup and became a victim of this malware. Wipe drive and restore. Problem solved.

As per bit torrent use, there are legitimate uses for it so that's not really an argument.

I read this on cnet
"Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data."

SINC
Mar 7th, 2016, 10:18 AM
I read this on cnet
"Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data."

Yet another reason to do as I do, and keep two bootable clones updated daily, one portable and one on the desktop in addition to Time Machine. I also only use the TM drive once per day and allow it to update, then deactivate it from TM in System Prefs.

yeeeha
Mar 7th, 2016, 10:52 AM
After all I recently found a stealth MacCleaner (or whatever it is calling itself lately) embedded in a download of Filezilla from the formerly trusted site Source Forge.....

Once I downloaded a new version of FileZilla that came with additional crapware simply by clicking on the download button on the FileZilla webpage. Since that experience I make additional clicks to reach the link that clearly shows the full filename of the installer.

On the FileZilla page (https://filezilla-project.org/) there are two download buttons. I click on the button for "All platforms" to get to the SourceForge "Download Now" button (https://filezilla-project.org/download.php?type=client). Below that there is "More download options" with the link to show these additional options. I click on the link to reach a third page (https://filezilla-project.org/download.php?show_all=1) that lists the installer for all platforms. The first client is for OS X, with the installer filename that ends with the file extension ".app.tar.bz2". There is only the FileZilla app compressed in this installer package.

eMacMan
Mar 7th, 2016, 10:55 AM
Yet another reason to do as I do, and keep two bootable clones updated daily, one portable and one on the desktop in addition to Time Machine. I also only use the TM drive once per day and allow it to update, then deactivate it from TM in System Prefs.

Since there is a three day activation delay, a daily clone would be useless.

What is required is a benchmark clone or preferably disk image. One that is created prior to updates. That drive should be bootable and stored safely in a drawer when not being used for that purpose.

HowEver
Mar 7th, 2016, 06:22 PM
John Clay is a member here so I'm sure we'll be hearing more accurate information when he has a chance.

chas_m
Mar 8th, 2016, 06:22 PM
Since it hasn't been noted here, Apple updated XProtect to block this almost immediately after it was reported. Presuming your system is reasonably up-to-date, there should be zero chance of you actually facing any threat from this, and of course perhaps a lesson learned about downloading software from insecure sources. The Transmission people, as I understand it, are only partly responsible; they didn't put this malware in there, it was an altered disk image from someone who hacked their server. As said above, John Clay can set the record straight when he has a chance.

eMacMan
Mar 8th, 2016, 06:53 PM
Since it hasn't been noted here, Apple updated XProtect to block this almost immediately after it was reported. Presuming your system is reasonably up-to-date, there should be zero chance of you actually facing any threat from this, and of course perhaps a lesson learned about downloading software from insecure sources. The Transmission people, as I understand it, are only partly responsible; they didn't put this malware in there, it was an altered disk image from someone who hacked their server. As said above, John Clay can set the record straight when he has a chance.

True if you can afford the hardware/software to run the latest and greatest versions of OS X.

For various reasons the old MacPro is pretty much stuck at Snow Leopard for the foreseeable future.

pm-r
Mar 8th, 2016, 08:28 PM
True if you can afford the hardware/software to run the latest and greatest versions of OS X.

For various reasons the old MacPro is pretty much stuck at Snow Leopard for the foreseeable future.


A bit ironic, isn't it, that OS X 10.6.x SL was completely immune from any of the included malware infection, as the infected version wouldn't even download with its Transmission software update or run, since they had dropped all support for SL.

Just like the previous OS X threat, which flew right over all SL users and left them completely untouched once again… and certainly not "the latest and greatest versions of OS X." :o

chas_m
Mar 11th, 2016, 02:20 AM
"If you can afford the hardware/software to run the latest and greatest versions of OS X"

Um, if you can't afford to run Macs that were made six to nine years ago, you have way bigger issues than torrent-program-based ransomware.

And OS X operating system upgrades have been free for a few years now, so not sure what you mean by the "software cost" remark.

If you're referring to keeping your software up to date, that is **part and parcel** of the software. That's like saying you can afford to buy a puppy, but can't afford to feed it. If you can't afford to keep a given software program *reasonably* up to date, you can't afford that software -- and should look for an alternative.

eMacMan
Mar 11th, 2016, 05:49 AM
"If you can afford the hardware/software to run the latest and greatest versions of OS X"

Um, if you can't afford to run Macs that were made six to nine years ago, you have way bigger issues than torrent-program-based ransomware.

And OS X operating system upgrades have been free for a few years now, so not sure what you mean by the "software cost" remark.

If you're referring to keeping your software up to date, that is **part and parcel** of the software. That's like saying you can afford to buy a puppy, but can't afford to feed it. If you can't afford to keep a given software program *reasonably* up to date, you can't afford that software -- and should look for an alternative.

The OS has never been anywhere close to the entire cost of software. Nor is there any reason to presume that ransomware has to be integrated into a torrent client.

rgray
Mar 11th, 2016, 09:04 AM
John Clay is a member here so I'm sure we'll be hearing more accurate information when he has a chance.

And just who is this JC that we need his word for clarification??? :confused: :eek:

SINC
Mar 11th, 2016, 09:10 AM
And just who is this JC that we need his word for clarification??? :confused: :eek:

John Clay developed the Transmission software and is a frequent contributor on the tech side on ehMac.

rgray
Mar 11th, 2016, 09:12 AM
John developed the Transmission software and is a frequent contributor on the tech side on ehMac.
Ah... Indeed a worthy voice. I did not know his credentials. Amazing what one learns here.

CubaMark
Mar 11th, 2016, 11:06 AM
John Clay developed the Transmission software and is a frequent contributor on the tech side on ehMac.

I had no idea of this connection. Kudos, John Clay! :clap: Transmission is my go-to client for torrents. Clean and reliable!

rgray
Mar 11th, 2016, 11:52 AM
. Clean and reliable!

Isn't the current discussion something of a caveat emptor on that concept??? :D

CubaMark
Mar 11th, 2016, 12:45 PM
Isn't the current discussion something of a caveat emptor on that concept??? :D

Heh heh heh – touché! I guess I should have said "in my experience", as I missed out on the infection, though I was running 2.90 for about a week before I saw news of the problem. I haven't seen how it was contaminated... where was the breach?

pm-r
Mar 11th, 2016, 01:24 PM
John Clay developed the Transmission software and is a frequent contributor on the tech side on ehMac.


WOW!! Thanks for the info, I never knew they were one and the same people.

And I've been using the software for how many years now??? I don't know, but it's been a very long time, so thanks John Clay!!

pm-r
Mar 11th, 2016, 01:29 PM
The OS has never been anywhere close to the entire cost of software. Nor is there any reason to presume that ransomware has to be integrated into a torrent client.


And isn't that the scary part and it could possibly have been implanted into almost any Mac software…

SINC
Mar 11th, 2016, 01:53 PM
WOW!! Thanks for the info, I never knew they were one and the same people.

And I've been using the software for how many years now??? I don't know, but it's been a very long time, so thanks John Clay!!

I too have used it for a long time. If my memory serves me right, it began as a different name and was renamed Transmission at some point, at least that is what I seem to recall. Anyone recall?

pm-r
Mar 11th, 2016, 02:22 PM
According to:
https://en.wikipedia.org/wiki/Transmission_(BitTorrent_client)
Initial release 17 September 2005

or
i use this mac os x software: version history for Transmission (http://osx.iusethis.com/app/versions/transmission)
Version 0.5 | Release Date: 2006-02-19

I'd question the latter info, as I thought I had used it even earlier, but I don't recall it having any other name, though that's possible.