Palo Alto Networks recently discovered ransomware hidden inside of the torrenting app ‘Transmission’. While this may come as a shock to those that still believe the Mac is a fortress that can’t be broken, the rest of us are not shocked at all. In fact, a few months back I wrote a blog warning Mac users not to dismiss Mac malware. It is time to take Mac security seriously. Apple does a great job for the most part, but in order to secure your information and your devices, you need a good Antivirus product.
Back to the threat at hand. This ransomware is bundled in with the Transmission Bittorrent client as a file called “General.rtf”. For most, this file looks like a simple real text file. However, it is actually a Mach-O 64-bit executable file that will execute three days after you run Transmission. This helps keep the ransomware hidden so that users wouldn’t suspect the app they are using for torrenting, but rather the torrents that they are pulling down as the source of infection.
After the three days, the app executes and drops a file called “kernel_service” into the user’s library directory. This process is named in such a way so as to confuse anyone that looks in Activity Monitor into believing that it is a system process. It then drops three more files in the user’s library: “.kernel_pid”, “.kernel_time” and “.kernel_complete”. It will collect the infected Mac’s model name and UUID then upload the information to one of its Command and Control servers.
These servers will respond with a file named “README_FOR_DECRYPT.txt”, in which it explains how to get the key for decryption and the price for the key in bitcoins. The ransomware is able encrypt around 300 different types of file extensions that it finds in the “/Users/” directory and changes the file extension to end in “.encrypted”. This means that the family pictures that you keep on your Mac will now be labeled “GrandCanyon2010.jpg.encrypted” and cannot be opened.
One of the most important things to note is that the program is still a work in progress. There are many functions that have been found in the code that are not currently being used, like the ability to encrypt your Time Machine backup as well. This of course is the second wall of defense for many people, who believe that because they have a Time Machine backup, they can always just roll back their Mac if something happens.
To add some more context into the expansion of ransomware into the Mac OS, our David Kennerley recently commented in Global Security Mag:
“Given the potential gains for attackers, it’s no surprise that they are now diversifying and targeting OS X – a popular system with a large target base. Add to this the fact that many people believe they are safe from such malware when running OS X, this ransomware has the potential to impact a huge number of people.”
You can locate the full article here.
I’ve said it before and I will say it again: Mac malware is real. Don’t be an Apple user that finds this out the hard way.