Cryptovirus alarm for the first time on OS X: Here is how to defend against KeRanger

Version 2.90 of Transmission, a BitTorrent client for OS X, has become a vehicle for spreading the ransomware "KeRanger", a cryptovirus that makes the hard disk inaccessible and demands payment of a ransom to regain possession of the data. It is the first known case of a cryptovirus for Mac OS X.

The cryptovirus phenomenon has reached the Apple OS X platform for the first time, and it did so through the recently published version 2.90 of Transmission, a BitTorrent client that was used to carry the "KeRanger" ransomware. The first reports spread over the weekend and drew considerable media attention: this is the first widely known cryptovirus for the OS X operating system.

KeRanger works essentially like any cryptovirus: the malicious software, installed by way of the infected application, encrypts the user's hard drive three days after installation and asks the user to pay about $400 in bitcoin to regain possession of the data.

Fortunately, the spread of the first OS X cryptovirus was promptly addressed by the Transmission developers, by the security experts of Palo Alto Networks and, most recently, by Apple. The Transmission developers have released version 2.91, which actively removes the "KeRanger" malware files from infected Macs, while Palo Alto Networks has explained the protection procedure, which is reported here for completeness. Specifically, according to the Palo Alto Networks report, anyone who downloaded Transmission from the official website after 11:00 am PST on 4 March (8:00 pm in Italy) and before 7:00 pm PST on 5 March may be infected with KeRanger. In that case it is advisable to follow the procedure below:

  • Start Finder or Terminal and check whether either of these files exists: /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf.
  • If either of the two files exists, the Transmission version is infected and you should uninstall it.
  • Start "Activity Monitor", preinstalled in OS X, and see whether the "kernel_service" process is running. If it is, inspect the process (cmd s), select "Open Files and Ports" and see whether there is a file named "/Users//Library/kernel_service". If present, it is the main process of KeRanger, and it is advisable to terminate it with Force Quit.
  • Then check whether the ~/Library directory contains the files ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service". If any are present, they should be removed.
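
The file and process checks from the steps above, collected into a shell script as an added example (it is not code from Palo Alto Networks, Apple or the Transmission project). The function names and the optional root and home-directory arguments are assumptions of this example; they let the same check run against a mounted volume or a copied home directory.

```shell
#!/bin/sh
# Added example: looks for the KeRanger files and process named in the steps above.
# It only reports; removal is left to the user, as in the procedure.

# keranger_scan_files [ROOT] [HOME_DIR]
# ROOT is prefixed to the absolute paths (empty = live system); both arguments
# are assumptions of this example so a mounted volume or copied home can be checked.
# Prints one "FOUND <path>" line per indicator; returns 0 if clean, 1 otherwise.
keranger_scan_files() {
    root="${1:-}"
    home_dir="${2:-$HOME}"
    found=0
    for f in \
        "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
        "$home_dir/Library/.kernel_pid" \
        "$home_dir/Library/.kernel_time" \
        "$home_dir/Library/.kernel_complete" \
        "$home_dir/Library/kernel_service"
    do
        # -L also reports a dangling symlink left at one of the paths
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf 'FOUND %s\n' "$f"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Returns 0 when a process named exactly kernel_service is running.
keranger_process_running() {
    pgrep -x kernel_service >/dev/null 2>&1
}

# Check the live system only when called as: sh keranger_check.sh --live
if [ "${1:-}" = "--live" ]; then
    if keranger_scan_files "" "$HOME"; then
        echo "No KeRanger indicator files found"
    else
        echo "Indicator files present: uninstall Transmission and remove them"
    fi
    if keranger_process_running; then
        echo "kernel_service is running: force-quit it in Activity Monitor"
    fi
fi
```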

Apple also intervened quickly to stem the spread of "KeRanger", first by revoking the installation certificate of the infected version of Transmission and second by updating XProtect, the native security system of OS X. If you try to install the infected version of the application, a dialog box warns of the risks of the installation.

The immediate cryptovirus emergency has been contained, but the signal remains worrying, particularly in light of the analysis by Palo Alto Networks, which highlights further possible forms of attack through KeRanger that are still in development. The security experts refer, for example, to the cryptovirus acting on Time Machine backup files, which would make it impossible for the user to recover data without paying a "ransom". Note that there are no specific alerts for this form of attack at the moment. Hard times for OS X too, then, which is now also exposed to the latest and most harmful forms of cyber attack.
