It finally happened. Ransomware has officially made its first appearance on OSX. Anyone who downloaded version 2.90 of the “Transmission” App (which is a legitimate Bittorrent app available in the Apple Store) on or around March 4 should delete it immediately and install the clean 2.92 version.
If you’re not familiar with the term, ransomware is a very specific type of malware. Once it runs, it encrypts some or all of the files on your computer, making your data irretrievable. There are only two good ways around the problem. Either restore from backup, or pay the demanded ransom to the hackers, who will supposedly unlock the files for you once they lighten your wallet.
Given that “Transmission” is a legitimate app with a valid certificate from Apple, no one is quite sure how the ransomware made its way into the code, but the issue is being investigated. For its part, Apple has revoked the certificate that allowed the malware to install, so if you try to start the infected App, you’ll get a warning saying that it should not be opened as it will damage your system. That should prevent the great majority of the potential damage, but of course, all bets are off if you ignore the warning and run the app anyway.
If you’d like to make doubly sure that it is completely gone from your system, use Finder to look for either of the following:
“/Applications/Transmission.app/Contents/Resources/ General.rtf” or “/Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf”
If found, delete these files. Then, under your Activity monitor, check to see if there’s a process called “kernel_service” running. If there is, select “Open Files and Ports” and check for a file name like this: “/Users/
/Library/kernel_service”. If found, terminate this process with Quit – Force Quit, and you should be covered. While this is the first appearance of ransomware on OSX, you can bet it will not be the last. If the hackers have finally managed to find their way past Apple’s vaunted security once, it’s a sure bet they’ll do it again.