OS X Ransomware
March 6, 2016 3:32 PM

First OS X ransomware detected in the wild, will maliciously encrypt hard drives on infected Macs.

"OS X users have today been hit with the first known case of Mac ‘ransomware’ malware, found in the Transmission BitTorrent client released last week. Infected versions of the app include ‘KeyRanger’ malware that will maliciously encrypt the user’s hard drive after three days of being installed. The malware then asks for payment to allow the user to decrypt the disk and access their data — the ‘ransom’."

It apparently was included in the v2.90 installation app for "Transmission". Users should immediately upgrade to v2.91, which is claimed to be clean.
posted by Chocolate Pickle (73 comments total) 26 users marked this as a favorite
 
wow I was running 2.90 while reading this. No kernel_service process running tho
posted by Heywood Mogroot III at 3:34 PM on March 6, 2016 [1 favorite]


No "General.rtf" in the app package Resources directory, either.
posted by Heywood Mogroot III at 3:40 PM on March 6, 2016
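An added example, not code from the thread or from the Transmission project: a small defender-side check for the two KeRanger indicators the comments above name, a General.rtf file inside the app bundle's Contents/Resources directory and a running process called kernel_service. The default bundle path is assumed to be /Applications/Transmission.app; anything not named in the thread is out of scope.

```shell
#!/bin/sh
# Defender-side check for the KeRanger indicators mentioned in this thread.
# Added example; not the page's code and not Transmission's own tooling.

# Returns 0 when <app-bundle>/Contents/Resources/General.rtf exists.
keranger_rtf_present() {
    [ -f "$1/Contents/Resources/General.rtf" ]
}

# Reads bare process names on stdin (one per line) and returns 0 when one of
# them is exactly kernel_service. Taking stdin instead of calling ps directly
# keeps the check testable with a constructed process list.
keranger_proc_present() {
    grep -qx 'kernel_service'
}

# Lists running processes' executable names, one per line, with any directory
# prefix stripped (ps prints full paths for some processes on macOS).
running_process_names() {
    ps -A -o comm= 2>/dev/null | sed 's#.*/##'
}

# Runs both checks against one app bundle, prints each finding, and returns 1
# if anything matched, so the exit status can drive a fleet-wide check.
keranger_scan() {
    app="$1"; hits=0
    if keranger_rtf_present "$app"; then
        echo "HIT: $app/Contents/Resources/General.rtf exists (KeRanger indicator)"
        hits=1
    fi
    if running_process_names | keranger_proc_present; then
        echo "HIT: a kernel_service process is running (KeRanger indicator)"
        hits=1
    fi
    [ "$hits" -eq 0 ] && echo "no KeRanger indicators found for $app"
    return "$hits"
}

# When run directly: scan the bundle given as the first argument, or the
# assumed default install location if it exists on this machine.
if [ -n "${1:-}" ] || [ -d /Applications/Transmission.app ]; then
    keranger_scan "${1:-/Applications/Transmission.app}"
    exit $?
fi
```

Run it as `sh keranger_check.sh /Applications/Transmission.app`; a non-zero exit status means at least one indicator was found.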


You should download and install version 2.91 RIGHT NOW!
posted by Chocolate Pickle at 3:40 PM on March 6, 2016 [7 favorites]


Just installing something new isn't going to clean the mess (if any) up. I've got to see what's going on now. Details here:

http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/
posted by Heywood Mogroot III at 3:42 PM on March 6, 2016 [4 favorites]


God, I hate ransomware. We can remove a lot of malware (though official policy is that EVERY infection should be followed by a complete nuke and pave based on the idea that you don't know what else got in) but having to tell people that the ransom is a lie and that their files are irretrievably gone is heartbreaking.
posted by Pope Guilty at 3:43 PM on March 6, 2016 [12 favorites]


So the thing I'm not clear on is how a good backup policy or even time machine affects ransomware - nuke my docs too quick and I'll format and reinstall and roll back to old, not yet encrypted data.
posted by Kyol at 3:47 PM on March 6, 2016 [3 favorites]


We had ransomware turn up on one of the thin clients at work, fortunately it was just a thin client so it had no actual files on it but I was annoyed with the brazenness of it - most viruses are sort of background things, but this popped up messages about "You should have been more careful you have been hacked hahaha here are some places to buy bitcoin to send to us" as well as seeding .txt, .png, and .bmp versions of that message in basically every folder.

It was Cryptowall IIRC, nasty piece of work.
posted by the uncomplicated soups of my childhood at 3:49 PM on March 6, 2016 [3 favorites]


My guess is the app updater (Sparkle) didn't install the malware, just the 2.90 installer was compromised.
posted by Heywood Mogroot III at 3:49 PM on March 6, 2016 [1 favorite]


If you updated to 2.91, you need to go back and update again to 2.92 to delete any of the vicious files.
posted by ffmike at 3:51 PM on March 6, 2016 [1 favorite]


My guess is the updater (Sparkle) didn't install the malware

How sure are you about that?
posted by indubitable at 3:56 PM on March 6, 2016


I don't have any of the fingerprints of the ransomware. Decided to remove transmission from my system completely.
Don't really trust them to not let ransomware on my computer in the future.
posted by signal at 3:57 PM on March 6, 2016 [4 favorites]


As per indubitable's link, I ran:

find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; -exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v CFBundleShortVersionString

and found 2 apps that were vulnerable to MITM attacks (Bartender and VLC Setup).
posted by signal at 3:59 PM on March 6, 2016
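An added example, not code from the post or from the Sparkle project: a more robust form of the audit signal ran above. It finds every bundled copy of Sparkle's Autoupdate.app under a directory, reads CFBundleShortVersionString from the plist itself instead of relying on the line after the key, and flags any copy below a minimum version the caller supplies. That minimum is the caller's assumption; this thread does not state which Sparkle release closed the MITM issue.

```shell
#!/bin/sh
# Inventory bundled Sparkle Autoupdate.app versions and flag old ones.
# Added example; not the page's command and not Sparkle's own tooling.

# Print CFBundleShortVersionString from an XML Info.plist (the value is the
# <string> element that follows the key, which may sit on the next line).
sparkle_version_of() {
    awk '/<key>CFBundleShortVersionString<\/key>/ { want = 1; next }
         want && match($0, /<string>[^<]*<\/string>/) {
             print substr($0, RSTART + 8, RLENGTH - 17); exit }' "$1"
}

# Return 0 when dotted version $1 is >= dotted version $2 (numeric, per field;
# missing fields count as 0, so 1.13 == 1.13.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0 }'
}

# Walk <root> for */Autoupdate.app/Contents/Info.plist, name the host app
# from the first .app component under <root>, print "<app> <version> <status>"
# per line, and return 1 if any bundled Sparkle is older than <minimum>.
# The here-document keeps the loop in the current shell so "bad" survives.
sparkle_audit() {
    root="${1%/}"; minimum="$2"; bad=0
    while read -r plist; do
        [ -n "$plist" ] || continue
        app="${plist#"$root"/}"; app="${app%%.app/*}.app"
        ver="$(sparkle_version_of "$plist")"
        if [ -z "$ver" ]; then status=unknown
        elif version_ge "$ver" "$minimum"; then status=ok
        else status=OUTDATED; bad=1
        fi
        printf '%s\t%s\t%s\n' "$app" "${ver:-?}" "$status"
    done <<EOF
$(find "$root" -path '*Autoupdate.app/Contents/Info.plist')
EOF
    return "$bad"
}

# Usage when run directly: sh sparkle_audit.sh /Applications <minimum-version>
if [ -n "${2:-}" ]; then
    sparkle_audit "$1" "$2"
    exit $?
fi
```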


My guess is the app updater (Sparkle) didn't install the malware, just the 2.90 installer was compromised.

That makes sense. I haven't seen any problems.
posted by ChurchHatesTucker at 4:00 PM on March 6, 2016


but having to tell people that the ransom is a lie and that their files are irretrievably gone is heartbreaking

It's my understanding that the ransom is usually not a lie. If you pay promptly, you get your files back.
posted by ryanrs at 4:02 PM on March 6, 2016


Well, with the price of oil at an all-time low, the Russian economy needs its hard currency. Expect ransomware to increase and become more viciously difficult to avoid/remove as Putin gets the FSB's best and brightest onto revenue-generating duties.
posted by acb at 4:02 PM on March 6, 2016


One of the great things about running a Time Machine backup...

"Oh you encrypted my files? How cute!" *click* *click* "Oh look they're back!"
posted by Talez at 4:03 PM on March 6, 2016


Unless the ransomware also encrypts the Time Machine backup file.
posted by Chocolate Pickle at 4:04 PM on March 6, 2016 [13 favorites]


> about running a Time Machine backup...

if they can get into /Volumes, they can get that too.
posted by Heywood Mogroot III at 4:06 PM on March 6, 2016 [6 favorites]


Most of these questions are answered in the Palo Alto Networks link that Heywood Mogroot III posted.

Among other things: The hijacked 2.90 was signed with a different key than previous Transmission releases. Apple has revoked that key: If you try running the hijacked version, you'll be notified. There are fragments in the malware code that indicate an attempt to also encrypt Time Machine backups. And other stuff. It's important to read, even if you have to gloss over the code pastes and other parts of the article that might be over your head, because it's a good, clear explanation of what went down.

The Transmission 2.91 release (which does not have the malware) was immediately followed by Transmission 2.92. The Transmission Project team recommends 2.92 because it will remove the malware-infected files, and 2.91 will not. More info on Transmission's homepage.
posted by ardgedee at 4:08 PM on March 6, 2016


Regarding in-app updates: I just checked my media box, and it had spat back the 2.9 update I triggered last Friday as improperly signed. So that's a relief.
posted by not the fingers, not the fingers at 4:09 PM on March 6, 2016


if they can get into /Volumes, they can get that too.

They're not mounted as typical volumes. You need to use hdiutil to even mount them which requires sudo.
posted by Talez at 4:10 PM on March 6, 2016 [4 favorites]


Yeah, the people who were infected were the ones who saw that improper signature, so went to the transmission web site and downloaded the bad release manually.
posted by ryanrs at 4:11 PM on March 6, 2016


If you updated to 2.90 through the Sparkle updater, it looks like you're in the clear. There was an infected binary on the Transmission website which is what caused this. How it got there is another mystery...
posted by SansPoint at 4:11 PM on March 6, 2016 [2 favorites]


Talez, if you manually mount your time capsule disk, or use a USB disk, then the time machine files are writable by the user account. The ransomware does not need to mount the images, just encrypt the image files.
posted by ryanrs at 4:13 PM on March 6, 2016 [3 favorites]


Yeah I updated on Friday (of course) but it was through the update prompt in Transmission so I hope I'm good. Can't find any of those files or processes running in Terminal. Damn. Not sure if I want to re-install now.
posted by chococat at 4:13 PM on March 6, 2016


And since time machine is so prevalent on Macs, you should expect ransomware to specifically target it. If not this version, then the next one that shows up.
posted by ryanrs at 4:14 PM on March 6, 2016 [3 favorites]


One of the great things about running a Time Machine backup...

"Oh you encrypted my files? How cute!" *click* *click* "Oh look they're back!"


Time Machine is an online backup method, I wouldn't get too smug.
posted by indubitable at 4:15 PM on March 6, 2016 [1 favorite]


Important lesson. Don't just grab the newest version unless there's a specific reason, and if there is, test it.

Yes, there's the suck place of "root exploit in the wild, patch now," which is why you look for a workaround first.

The leading edge is the bleeding edge.
posted by eriko at 4:16 PM on March 6, 2016 [2 favorites]


Talez, if you manually mount your time capsule disk, or use a USB disk, then the time machine files are writable by the user account. The ransomware does not need to mount the images, just encrypt the image files.

Oh yeah. I use Time Capsule which is totally inaccessible unless I deliberately try to screw things up. And my NAS has snapshots so I can pull all my data partitions back. But then again I haven't used Transmission in a few months.
posted by Talez at 4:17 PM on March 6, 2016


Important lesson. Don't just grab the newest version unless there's a specific reason, and if there is, test it.

Also, make sure to always run the latest version of any program, as it's important to stay abreast of security updates.
posted by indubitable at 4:18 PM on March 6, 2016 [49 favorites]


Ugh. More reasons to use app sand boxing and privilege limits. For all the other App Store problems, at least it helps with things like this.
posted by strange chain at 4:18 PM on March 6, 2016 [1 favorite]


Don't worry about it. I know this Spetznaz guy named Sokolov.
posted by Cool Papa Bell at 4:19 PM on March 6, 2016 [11 favorites]


Jinkies, glad I saw this! I use Transmission, but I'd skipped updates so I was still on 2.84. Just jumped to 2.92 to hopefully avoid this.
posted by dnash at 4:19 PM on March 6, 2016


Yeah, encrypting everything remote under /Volumes would suck, but mostly because my zpool would run out of space and I'd have to figure out how to roll back to an unencrypted snapshot on a 0k free volume.. Hrm.

Do any of the major online backup providers offer versioning? I'd hate to say "use service x" only to have service X end up more than happy to replace all your valid backups with newly encrypted ones.
posted by Kyol at 4:20 PM on March 6, 2016 [1 favorite]


Probably a good idea to run crap like free BitTorrent warez in a VM until Apple et al can get their act together wrt sandboxing.
posted by indubitable at 4:22 PM on March 6, 2016 [1 favorite]


Do any of the major online backup providers offer versioning?

Tarsnap. You can even make it append-only by separating the read and delete keys and storing them offline.
posted by indubitable at 4:24 PM on March 6, 2016


> Do any of the major online backup providers offer versioning?

CrashPlan
posted by ardgedee at 4:27 PM on March 6, 2016 [7 favorites]


One of the great things about running a Time Machine backup...

"Oh you encrypted my files? How cute!" *click* *click* "Oh look they're back!"


Yeah, I've gotten in the habit of having two kinds of files on my machine: "software I can easily reinstall" and "shit that's also in Google Drive". This both makes ransomware moot, and comes in handy if and when something goes wrong with your hard drive.
posted by Itaxpica at 4:30 PM on March 6, 2016 [1 favorite]


Transmission 2.90 was released on February 28. Per Palo Alto Networks, the malware-infected version was released with a different signature on March 4. If you had upgraded to Transmission 2.90 before March 4, you might have an uninfected copy. Upgrade to 2.92 anyway, of course...
posted by ardgedee at 4:31 PM on March 6, 2016 [2 favorites]


So I had 2.84, then updated with the in-app updater to 2.90, then just now updated to 2.92 by downloading from the website and replacing the .app file in the Applications folder. (Macs aren't my strong point.) I should be okay right?
posted by clorox at 4:53 PM on March 6, 2016


Don't really trust [Transmission] to not let ransomware on my computer n the future.

Unlike some other torrent apps that have intentionally included malware, Transmission has been clean, lean, and responsive. Kudos to them on catching it, and kudos to OS X using signed certificates that should have been a clear flag to anyone upgrading.
posted by furtive at 4:56 PM on March 6, 2016 [7 favorites]


I was saved by laziness, still have version 2.84 installed. Sticking with that for now, also installing MBAM for Mac and Avira
posted by fleetmouse at 5:24 PM on March 6, 2016 [1 favorite]


Probably a good idea to run crap like free BitTorrent warez in a VM until Apple et al can get their act together wrt sandboxing.

What's hilarious is how much shit everyone gives Apple for doing sandboxing in the first place. Damned if you do etc.
posted by a lungful of dragon at 5:44 PM on March 6, 2016 [7 favorites]


I'm not updating (or USING) Transmission again until they explain how it came to be that their official website hosted this ransomware-infected binary.
posted by destructive cactus at 5:51 PM on March 6, 2016 [7 favorites]


From paloaltonetworks.com: Transmission is an open source project. It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred.
posted by furtive at 6:07 PM on March 6, 2016


One Bitcoin to decrypt your hard drive seems pretty cheap. Oh no wait, it's actually kind of expensive. Hang on, now it's cheap again. Whoops, my bad, it's expensive. Haha don't know how I messed that up, it's super cheap. wtf am I going crazy it's expensive as fuck. Except now it's not...
posted by um at 6:08 PM on March 6, 2016 [16 favorites]


I'm with destructive cactus. I am extremely interested in how this got into the Transmission website. While free open source projects are not normally what I think of when someone says "extremely robust enterprise level security," I have long taken for granted that so many OSX open-source institutions like VLC, Transmission, Sparkle are trustworthy.

But contrariwise, I am impressed how quickly this was picked up. Trusting the reported story, this was spotted and removed within 24 hours of it being placed on the 2.90 installer on March 4. It's conceivable that this will not result in a single file being encrypted (though I know someone probably installed it on March 4 through the website, opened the new app immediately activating the malware, and left their machine on over the weekend while the countdown timer was running, but then went on to not reopen transmission or look at a news site and hence will not see the warnings).

Also, it's kinda nice to see some malware being taken seriously on Macs in a way. It will encourage some more vigilance when it comes to backup and security, or at least will for me... I've been delaying getting a routine for running new apps in VM and a tertiary backup for some time now... assuming time machine and syncing important documents on an external HD was enough. Hopefully this attack also illuminates some of the holes that we always knew were there, but maybe haven't been appreciated as to how vulnerable they actually are.
posted by midmarch snowman at 6:15 PM on March 6, 2016 [1 favorite]


Been through too many hard drive failures & disk corruption from the pre-journaling days. I have solid bootable clones in 3 offline locations.

If something like this hit, I could boot from a clone, nuke & pave and lose maybe a week's worth of pop mail. If there was a house fire, I'd have to go get a drive out of the safety deposit box & I might lose a month's worth of files, but all my current working files are in Dropbox anyway.

I hate that this is happening, but there are ways to recover without having to pay the bastards even if they encrypt every connected disk.
posted by Devils Rancher at 6:16 PM on March 6, 2016 [3 favorites]


Yeah, encrypting everything remote under /Volumes would suck, but mostly because my zpool would run out of space and I'd have to figure out how to roll back to an unencrypted snapshot on a 0k free volume.. Hrm.

Look, if you play the video in slo-mo you can spot the exact moment Horace Rumpole stopped being able to follow the thread.
posted by Horace Rumpole at 6:48 PM on March 6, 2016 [24 favorites]


At first I thought the post was "OSX is ransomware" and I thought it was a bit harsh....but plausible.
posted by srboisvert at 6:51 PM on March 6, 2016 [8 favorites]


Yeah, encrypting everything remote under /Volumes would suck, but mostly because my zpool would run out of space and I'd have to figure out how to roll back to an unencrypted snapshot on a 0k free volume.. Hrm.

Sounds like an excuse to buy some more drives and grow your pool...
posted by strange chain at 6:57 PM on March 6, 2016 [1 favorite]


It's my understanding that the ransom is usually not a lie. If you pay promptly, you get your files back.

According to a study by Verizon, people get their files back after paying only about 25% of the time. The rest of the time there is a technical issue with the decryption (no tech support when you deal with criminals), they just abscond with your money, or they are not reachable because they've already gone out of "business".
posted by mmoncur at 7:04 PM on March 6, 2016 [5 favorites]


What files do you store locally? I mean, I stream all my music & movies, work only with online documents, submit my code to a git repository, submit my expense reports and taxes online, auto-upload all photos to the cloud. I find I seldom use the local file system at all.
posted by Triplanetary at 8:04 PM on March 6, 2016


That sounds like either an extremely expensive lifestyle or one in which you've accepted rather a lot of compromises.
posted by Pope Guilty at 8:53 PM on March 6, 2016 [14 favorites]


I'm pretty much the same as Triplanetary and it's not exactly expensive. ($10/mo. for music, $10/mo. for movies & TV, $50-70/yr for taxes, everything else is free.) Compromises, maybe, but it's a pretty smooth and convenient workflow for 95% of tasks.
posted by stoneandstar at 9:52 PM on March 6, 2016 [3 favorites]


What files do you store locally?

All of them.
posted by bongo_x at 10:31 PM on March 6, 2016 [7 favorites]


it would be nice to say that Mac users could simply depend on brew, or fink, or ports - or that Apple should somehow provide some kind of meta-repo.

but it's not a stretch if attackers managed to get a foothold situation on a website, that it could be possible for them to gain enough further information to poison the repository as well.

I use transmission-daemon on a bizarre sort of headless lunix media server, and luckily that was not affected, but it easily could have been. additionally, that machine uses the proprietary PLEX, whose forum site was compromised last year - they claim it was only the forums and no binaries were affected, but who knows.

and then there was a semi-recent incident I only read about over the weekend, and there is a lot of controversy and prevarication about the actual truth and timespan - the linux Mint wordpress site was hacked and install-binaries were replaced by the attackers, with the replacements containing a backdoor server. the developers claim it did not affect their repos or the torrent version of the latest download, only the direct download. but, again, foothold situation.

and the head Mint developer posted comments with correct/safe md5sums for the ISO images. if that can be believed. but I only recently installed that version on a new-to-me thinkpad at work, and while the .iso I used matches the supposedly-good md5sum, it still scares the everloving hell out of me. and I plan to do a complete wipe on that laptop today (luckily I closed the lid on Friday and it's been asleep the entire weekend.)

so, yeah, it always gets weirder.
posted by dorian at 2:32 AM on March 7, 2016 [1 favorite]


This might not work for everyone, but I'm having success so far using Syncthing (something closed-source like Bittorrent Sync might work too, but that gives me a little bit of the willies) to keep files organized into work/personal/etc silos and synchronized on multiple computers. It's a little finicky to set up but it lets you configure versioning options per-share, so if something does encrypt your share you'll have backups there too.

And Time Machine supports multiple backup drives, so you can swap in offline backup from time to time, which I do routinely... uh, yeah, routinely [clicks away "No Backups for 110 Days" prompt]
posted by RobotVoodooPower at 6:23 AM on March 7, 2016


The malware itself, KeRanger, was signed by a valid developer key. That means Apple's Gatekeeper technology failed to protect users from the malware. The key has since been revoked, so now the protection works, but it's too late if you were already infected.
posted by Nelson at 7:07 AM on March 7, 2016 [2 favorites]


So, am I understanding from comments here that Time Machine alone might not have saved me from this if I'd gotten it? But possibly something like CrashPlan could have? I've been meaning to get something like CrashPlan after living through a couple external hard drive deaths in the past. If a cloud backup like that would also be protection against ransomware that might be the kick in the pants I need to finally get it.
posted by dnash at 8:00 AM on March 7, 2016


So, am I understanding from comments here that Time Machine alone might not have saved me from this if I'd gotten it? But possibly something like CrashPlan could have?

Yes. Anti-malware software alone isn't going to do it (and Gatekeeper/X-Protect is some of the best in the industry), and up-to-date backups aren't going to do it - versioned offline backups will make you nigh-invulnerable to this particular breed of nasty. For now. Backblaze, for instance, only keeps versioning for the past 30 days, newer malware could wait two months before firing off.
posted by Slap*Happy at 10:15 AM on March 7, 2016


Dropbox will give 30 days of versioning by default but offers a year for people who pay extra. I'm grandfathered into unlimited versioning.

That's what I do with any work or personal files I care about. Everything gets saved locally and gets synced to Dropbox. A malware-induced nuke and pave would make me cry (at all the wasted time reinstalling everything) but it wouldn't be a serious problem in terms of irreplaceable data.
posted by honestcoyote at 10:48 AM on March 7, 2016


So, am I understanding from comments here that Time Machine alone might not have saved me from this if I'd gotten it?

It doesn't even have to be malicious, as Apple proved a few years back with an iTunes installer. All it takes is an errant /* in the cleanup code somewhere and all your shit is gone. My main time machine drive is hooked up, but rarely turned on. I'll turn it on whenever I've added any significant files, and as soon as it's done running, I eject it & turn it off.
posted by Devils Rancher at 11:05 AM on March 7, 2016 [1 favorite]


That means Apple's Gatekeeper technology failed to protect users from the malware.

There is no way to ensure that any software is safe, signed or not. Here is a classic piece by Unix developer and Turing Award-winner Ken Thompson that explains why. That said, Gatekeeper did what it was supposed to do, which is help protect most users once the malware was found, by trying to block unsigned code.
posted by a lungful of dragon at 11:18 AM on March 7, 2016 [2 favorites]


Gatekeeper provides some benefit but it also has a cost. It's significantly harder for legitimate developers to distribute software that runs on MacOS, because it requires a code signature to run without a warning. It makes it particularly difficult if you want to use development tools other than Xcode. I regularly download cross-platform open source tools that are unsigned, not to mention cross-platform games.

The benefit is Gatekeeper should offer some protection from malware. But Gatekeeper failed to provide any protection for several days, for the entirely predictable reason that trusted private developer keys can be compromised and it takes days to react. I'm not sure the outcome we've seen here is significantly better than just distributing a hash fingerprint of known malware a la virus checkers.
posted by Nelson at 11:35 AM on March 7, 2016 [1 favorite]


Users can manually disable Gatekeeper in System Preferences, if it is a genuine concern. Otherwise, legitimate developers (like myself) have used Homebrew, for example, to distribute code that is verified by signatures generated by Github, not Apple. No one really complains about Github being the arbiter of how Homebrew recipes manage source code verification (at least, no one who would be taken seriously).

It still seems reasonable to point out that Gatekeeper worked as advertised: the malware was discovered, the certificate was revoked, the software ultimately blocked. A small number of users having the vulnerability for a small period of time seems a rationally better situation than what came before OS X 10.7, which was no protection, at all.

Code signing and sandboxing are generally good things for most people, and are entirely opt-out for people who are comfortable with the associated risks.
posted by a lungful of dragon at 12:05 PM on March 7, 2016 [2 favorites]


Wonder if this will cause changes in the Time Machine implementation. It seems like they should be able to mark completed backups as read-only at the file system level.
posted by strange chain at 12:11 PM on March 7, 2016 [1 favorite]


It will be interesting to see if that problem can be solved. Time Machine does incremental backups and stores them as "bands" in a sparse bundle, so at some point it seems that container needs to be in a writable (and potentially corruptible) state.
posted by a lungful of dragon at 12:17 PM on March 7, 2016


It will be interesting to see if that problem can be solved. Time Machine does incremental backups and stores them as "bands" in a sparse bundle, so at some point it seems that container needs to be in a writable (and potentially corruptible) state.

Yeah, if they tackle this, I'm curious to see if they can bolt this on to the existing stuff or if this becomes a FileVault thing where v2 is a total (and incompatible) rethinking of things. Given their actions in other areas like SIP, it seems like they take this stuff at least semi-seriously and might be something they want to address.
posted by strange chain at 1:23 PM on March 7, 2016


In case anyone's still tracking this thread: if Transmission makes me nervous now, what are the alternatives?
posted by curious nu at 4:06 PM on March 25, 2016


I'm sticking with Transmission. If I had to switch, I'd probably go qBitTorrent. Deluge is worth a look. It is an excellent client that was a bit of a PITA to install on Macs, but I hear it's gotten better.
posted by ChurchHatesTucker at 4:22 PM on March 25, 2016 [1 favorite]


Since I migrated back to Windows I like to use Tixati -- it's available for Windows and Linux. On Mac OS X I stuck with Transmission IIRC, though like the poster above said, qBittorrent and Deluge are options there.

Personally I avoid uTorrent. I liked Halite (Windows-only) but I was already using Tixati then.

You can go here if you want more suggestions though.
posted by aroweofshale at 4:44 PM on March 25, 2016

