Notorious Ransomware KeRanger Infects OS X; Effects To Start Surfacing Tomorrow

Ramish Zafar

As technology and gadgets become an increasing part of our lives, users continue to cede over control to devices and software. Apple, known for its closed systems, has always in particular provided security as one of the primary reasons behind its unorthodox ways; a fact that's become even more pervasive over the course of the company's legal tussle against the FBI. So when news surfaces of the Cupertino tech giant's operating systems being breached, it causes more of an uproar as compared to others.


First Fully Functional OS X Ransomware Detected Through BitTorrent Client

When it comes to Ransomwares, KeRanger has proved itself to be quite notorious. Its managed to extract thousands of dollars through ransoms from various institutions will now also be able to lock down machines running Apple's OS X. It's the first time any Ransomware capable of doing so has been detected, according to folks over at Palo Alto networks, and the software could start encrypting machines from tomorrow morning.

KeRanger was detected on Transmission 2.90, a bit torrent client for OS X users. Since it had been signed through a valid Mac app development certificate, it managed to bypass Apple's Gatekeeper Protection and install itself on machines. Even though the 2.90 update has since been removed and replaced with 2.91 on Transmission's website, the ransomware starts its encryption three days after installation.

Another interesting fact is that, according to sources, users who updated their torrent client over the air have managed to stay in the clear, with the only users who have been affected being those who downloaded the updated directly from Transmission's servers.


Once the ransomware starts encryption, it starts to communicate with C2 servers over the Tor network and after encryption, demands 1 bitcoin in Ransom from the affected user. Another interesting fact is that the software isn't in its final version as of now, but is still under development. Some additions that we might see in the future include the ability to encrypt backup files as well, making things even more complicated.

As far as Apple's reaction goes, a company representative speaking to Reuters claims that Apple has revoked the faulty developer certificate behind the breach and has also updated its XProtect antivirus signature. So if you've visited Transmission recently and are an OS X users, head over to the link at the bottom to find out if your machine has been compromised. Thoughts? Let us know what you think in the comments section and stay tuned for the latest.

Sourse: (1) (2) (3)

Share this story

Deal of the Day