Until now, Apple users could sit back and relax when reading reports about Trojans on Windows computers. Now, however, a new piece of ransomware that targets OS X users has appeared. The Mac Trojan's name is “OSX.KeyRanger.A”.
It is often reported in the media as the first ransomware for the Mac, but there was an earlier ransomware sample called "FileCoder" that was also written for the Mac running OS X. That malware was never distributed, however, because it was never finished (see the Securelist report).
KeyRanger comes with BitTorrent software “Transmission”
The Mac gets infected via the software “Transmission”, a BitTorrent client for OS X. Older versions of the software appear to be affected. If you use it, you should urgently download the current version 2.92 of Transmission, because it contains a patch that actively searches the Mac for the malware and removes it.
If you want to check for yourself whether your Mac is infected, open “Activity Monitor” and search for a process named “kernel_service”. When you find it, click the process and then the “i” button in the toolbar above the process list. A window opens in which you select the “Open Files and Ports” tab.
If the list contains a file name like “Users/…/Library/kernel_service”, you have found the main KeyRanger process. Close the process with the “Quit” button, then “Force Quit”, and immediately install the new Transmission version.
Then check whether files named “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the “~/Library” folder. If so, delete these files immediately as well.
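The manual check above, as an added example that is not part of the original post: a small read-only shell script that looks for the same indicators (the kernel_service process and the four files in ~/Library). The file and process names are taken from the post; the Library directory is passed as a parameter so the check can be tried on a test folder, and the script reports only, it deletes nothing.

```shell
#!/bin/sh
# Read-only check for the KeyRanger indicators named in the post above.
# It reports what it finds and deletes nothing; removal stays a manual step.
# Assumptions: the file and process names come from the post; the Library
# directory is a parameter so the check can be run against a test copy.

# Files the post says the malware drops into ~/Library.
KERANGER_FILES=".kernel_pid .kernel_time .kernel_complete kernel_service"

# check_library_dir DIR: print each indicator file present in DIR.
# Returns 1 if any indicator was found, 0 if the directory is clean.
check_library_dir() {
    found=0
    for name in $KERANGER_FILES; do
        if [ -e "$1/$name" ]; then
            echo "indicator file present: $1/$name"
            found=1
        fi
    done
    return $found
}

# check_process: return 1 if a process named kernel_service is running,
# i.e. the same thing the post has you look for in Activity Monitor.
check_process() {
    if command -v pgrep >/dev/null 2>&1 && pgrep -x kernel_service >/dev/null 2>&1; then
        echo "process running: kernel_service (confirm its path via the i button, Open Files and Ports)"
        return 1
    fi
    return 0
}

# main: run both checks against the current user's Library folder.
main() {
    status=0
    check_library_dir "$HOME/Library" || status=1
    check_process || status=1
    if [ "$status" -eq 0 ]; then
        echo "no KeyRanger indicators found"
    else
        echo "indicators found: quit kernel_service, update Transmission to 2.92, then delete the files listed above"
    fi
    return $status
}

main
```

The exit status is 0 on a clean machine and 1 if any indicator is present, so the script can be run from a login script or a fleet management tool to flag affected Macs.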
What does the OS X Trojan do to the Mac?
The term “ransomware” describes malware that blackmails the users of infected devices. In this case, the KeyRanger ransomware encrypts the Mac's hard drive about three days after “Transmission” is installed and then demands payment. Do not make this payment under any circumstances, as it is uncertain whether you would even receive a decryption password from the extortionists.
Unfortunately, there is no way to decrypt the data afterwards, so the best option is to restore your Mac from a backup. This shows once again how important a working backup is, even on a Mac.
If you want to read more about what the malware does under OS X, you will find a detailed report on paloaltonetworks.com.
Apple has reacted: OS X protects against new infections
Apple has apparently already reacted and now prevents the disk image from opening if a user still tries to install the affected software (accidentally). The error message looks like this.
Jens has been running the blog since 2012. He acts as Sir Apfelot for his readers and helps them with technical problems. In his spare time he rides electric unicycles, takes photos (preferably with the iPhone, of course), climbs around in the Hessian mountains or hikes with the family. His articles deal with Apple products, news from the world of drones or solutions to current bugs.