Apple shuts down KeRanger ransomware

KeRanger was found in the installers downloaded from Transmission's website

Yesterday, we told you about the first fully functional ransomware targeting Macs. The ransomware, known as KeRanger, was placed into two installers for Transmission, an open source BitTorrent client. Once a Mac was infected, the malware would encrypt the user's files and demand a ransom of one bitcoin (currently worth about $400) to release them. Fortunately, Apple has shut down KeRanger.

Since the installers were signed with a valid Mac app development certificate, they passed Apple's Gatekeeper protection mechanism without a warning. Apple first heard about the situation on March 4, and this weekend (according to Palo Alto Networks) revoked the certificate and updated its antivirus signatures.

Every Mac has built-in anti-malware software called XProtect that's part of File Quarantine. It's been part of OS X since 10.6 Snow Leopard, and it works with "file quarantine-aware" apps like Safari, Chrome, Mail and Messages, which mark what they download so that you're normally warned before launching an application downloaded from the Internet.

If File Quarantine sees that the app you're trying to launch is included in the XProtect malware definitions, you get a much more severe warning telling you exactly what malware is about to ruin your day.
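The quarantine marking that File Quarantine relies on is an extended attribute (com.apple.quarantine) on the downloaded file, and reading it tells you which quarantine-aware app fetched a file and when, which is useful when working out whether a Transmission installer was downloaded during the window the infected builds were live. The parser below is an added example, not code from the article, Apple or Palo Alto Networks; it assumes the attribute format macOS writes (flags;timestamp;agent;uuid, with flags and timestamp in hex), and the sample value is constructed.

```python
"""Parse the com.apple.quarantine extended attribute that quarantine-aware
apps such as Safari or Chrome attach to downloaded files on macOS.

Assumed format (not stated in the article): four semicolon-separated
fields, `flags;timestamp;agent;uuid`, flags and timestamp in hex.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class QuarantineInfo:
    flags: int                 # quarantine flag bits as written by the downloading app
    downloaded_at: datetime    # download time, UTC
    agent: str                 # quarantine-aware app that saved the file
    uuid: Optional[str]        # key into the LaunchServices quarantine database


def parse_quarantine(value: str) -> QuarantineInfo:
    """Split a com.apple.quarantine value into its fields.

    Raises ValueError on a malformed value so a corrupt or stripped
    attribute is never mistaken for a clean, quarantined file.
    """
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine attribute: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, downloaded_at, agent, uuid)


def downloaded_in_window(value: str, start_epoch: int, end_epoch: int) -> bool:
    """True if the file's quarantine timestamp falls inside [start, end] (Unix seconds)."""
    ts = int(parse_quarantine(value).downloaded_at.timestamp())
    return start_epoch <= ts <= end_epoch


# Constructed sample: a disk image saved by Safari on 2016-03-04 16:33:04 UTC.
SAMPLE = "0083;56d9b8c0;Safari;6F8A1C2E-0000-4000-8000-000000000000"

if __name__ == "__main__":
    info = parse_quarantine(SAMPLE)
    print(f"agent={info.agent} downloaded={info.downloaded_at:%Y-%m-%d %H:%M:%S} UTC")
```

On a Mac the attribute value is read with `xattr -p com.apple.quarantine <file>`; the parser itself runs anywhere.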

The good news? The malware definition updates show up regularly by default so you're probably protected already. The bad news? There's some concern on the part of Palo Alto Networks that the attackers are trying to figure out a way that KeRanger can be used to encrypt users' Time Machine backups as well so that they can't recover their files using Apple's default backup app.

Stay safe out there!