Since yesterday , Apple Mac users have been hit by a fully functional seen ransomware called KeRanger . KeRanger spread through an infected version of the Transmission BitTorrent client for Mac . Ransomware , one of the fastest growing types of cyber threats , encrypts data on infected machines . Ransomware then asks victims to pay ransom Bitcoins to get an electronic key so that they can decrypt encrypted data . PC run Windows have been targeted by authors usually ransomware , but this is the first time that the system aims ransomware closed Apple OS X operating system. Palo Alto Threat Intelligence Director Ryan Olson said that ” KeRanger ” malware , which appeared on Friday , was the first operation ransomware attack Apple Mac computers .
Hackers infected Macs through a tainted copy of a popular program known as Transmission , which is used to transfer data through the peer -to – peer file sharing network BitTorrent , Palo Alto said in a blog posted on Sunday afternoon . When users download version 2.90 of the Transmission , which was released on Friday , some Macs infected with ransomware . While Apple said it revoked the certificate that allowed KeRanger install on Macs , you would find out if they are infected with ransomware to follow the process below .
Scanning and removing KeRanger ransomware from your Mac
- Step 1: Search your drive for the following files (you can use the Terminal or the Finder app): /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf.
If any of these two shows up in your search results, it means that you installed an infected version of the Transmission client, and you should delete this version of Transmission as soon as possible.
- Step 2: Use the OS X Activity Monitor to check if you have a process running called “kernel_service.” If you do, don’t panic, there might be other apps that could start this process as well.
To make sure, double-click the process and choose the “Open Files and Ports” tab in the window that appears. If there’s a file named “/Users//Library/kernel_service”, like in the picture below, then KeRanger is active and running on your system. Users should select “Quit -> Force Quit” to stop the process.
- Step 3: Users should also check the ~/Library directory for the following files (and delete them): .kernel_pid, .kernel_time, .kernel_complete or kernel_service.
The process in the works if catch KeRanger before it works. Once it did himself, the ransomware encrypt all your files with a strong encryption algorithm. This algorithm is not cracked. The only way to erase your hardrive and restore backup from iCloud. If you have backups, then now is your only option is to pay ransomware fee. An Apple representative said the company steps over the weekend to prevent further infections by cutting a digital certificate certificate used to bypass gatekeepers, and by adding signature ransomware XProtect, Mac built-in anti-malware Toolkit. representative declined to provide other details.
Transmission also took the malicious version of its software from its website. On Sunday it released a version of the website said automatically removes the ransomware from infected Macs. website advised Transmission allows users to immediately install the new update, version 2,92, if they suspect they may be infected.
Palo Alto said in his blog that KeRanger programmed to remain silent for three days after infecting a computer, then connect to the server and start encrypting files so they can not be obtained. After the encryption is finished, KeRanger demanding a ransom of 1 bitcoin, or about $ 400, the blog said. Olson, the Palo Alto threat intelligence director, said that the victims whose compromised machines but not cleaned could begin losing access to data on Monday, which is three days after the virus load of Transmission site.