Macs are often considered "safe" from a malware and ransomware perspective. While it is true that the amount of malware and ransomware targeting Windows is significantly higher than that targeting Mac and Linux systems, Mac and Linux systems are far from safe. This is why iSheriff Cloud for Endpoint includes versions for Mac and Linux for iSheriff customers. As if to shine a bright light on this fact, ransomware has crossed over from being a threat predominantly to Windows systems to encrypting files and extorting money from those who own Macs as well.
This new Mac ransomware variant is dubbed "KeRanger". iSheriff Labs started to see hints of its existence late last week and received full confirmation over the weekend. We don't yet know who is behind KeRanger, but we do know a bit about its origins. Thus far, all known infections can be traced to a compromised installer for the BitTorrent client Transmission. The installer distributed from Transmission's own site, as well as from other mirrors, was signed with an Apple certificate, but not the certificate of Transmission's own developers.
Once installed, KeRanger remains dormant for a short period before it begins encrypting files. Even online backups performed through Apple's Time Machine were included in the encryption, preventing users from restoring to a last known good backup. Once encryption is complete, one Bitcoin (about $412.20) is demanded as payment for the return of the files.
All products in the iSheriff Complete Platform protect against KeRanger. We provide protection on the web, email and endpoint attack surfaces, which effectively eliminates any place for KeRanger to take hold. However, if you are concerned that your system may be infected, there are a few things you can check:
- First, check whether the following files are present in /Library: .kernel_pid, .kernel_time, .kernel_service, or kernel_complete. If they exist, delete them.
- Next, check for the presence of /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf or /Applications/Transmission.app/Contents/Resources/General.rtf. If either is present, delete the entire Transmission application.
- Lastly, check whether kernel_service is running via Activity Monitor. Verify via Open Files and Ports whether it has a file named /Users/Library/kernel_service open. If so, Force Quit the process and delete the file.
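The three checks above, collected into one POSIX shell script as an added example (this is not iSheriff's product code or the KeRanger samples). It assumes the paths listed in this post, interprets the /Users/Library path as each user's own Library folder under /Users, and takes an optional root prefix so the same check can be pointed at a mounted volume or a test directory instead of the live system.

```shell
#!/bin/sh
# Added example: look for the KeRanger indicators named in the post and report them.
# Detection only; nothing is deleted or killed, so findings can be reviewed first.

# Print every indicator path that exists under the given root prefix ("" = live system).
keranger_indicators() {
    root="${1:-}"
    # Paths exactly as the post lists them.
    for p in \
        "/Library/.kernel_pid" "/Library/.kernel_time" \
        "/Library/.kernel_service" "/Library/kernel_complete" \
        "/Users/Library/kernel_service" \
        "/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
        "/Applications/Transmission.app/Contents/Resources/General.rtf"
    do
        if [ -e "$root$p" ]; then printf '%s\n' "$root$p"; fi
    done
    # Assumption: also look in each user's own Library folder for the same file names.
    for home in "$root"/Users/*; do
        for f in .kernel_pid .kernel_time .kernel_service kernel_complete kernel_service; do
            if [ -e "$home/Library/$f" ]; then printf '%s\n' "$home/Library/$f"; fi
        done
    done
    return 0
}

# Number of indicators found (the value a monitoring job would alert on).
keranger_indicator_count() {
    keranger_indicators "${1:-}" | wc -l | tr -d ' '
}

# Shell equivalent of the Activity Monitor check: is a process named kernel_service alive?
# Returns 0 if running, 1 if not (or if pgrep is unavailable).
keranger_process_running() {
    if command -v pgrep >/dev/null 2>&1 && pgrep -x kernel_service >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Human-readable report for the live system.
keranger_report() {
    echo "Indicator files found: $(keranger_indicator_count "")"
    keranger_indicators ""
    if keranger_process_running; then
        echo "WARNING: kernel_service process is running"
    else
        echo "kernel_service process not running"
    fi
}

# Set KERANGER_LIVE=1 to scan the machine this script runs on.
[ "${KERANGER_LIVE:-0}" = "1" ] && keranger_report
```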