The prevalence of ransomware continues to increase this time affecting Apple Mac OS X devices. Earlier this month users of the Trasnmission BitTorrent client (specifically the version for Mac OS X) were at risk of having their data stolen since the downloadable version of the client had extra code added to it by attackers seeking to obtain a ransom to recover your data after stealing it from you.
Why Should This Issue Be Considered Important?
If you had downloaded and installed version 2.90 of the Transmission app after 3 days, it would have encrypted your personal data and demanded 1 bitcoin (approx. USD $400) in order to retrieve it. This would have not only been a huge inconvenience but also could possibly lead to you being unable to carry out routine tasks or your job if you are small business owner using your personal Mac system for business.
The fact that the malicious code included with the hijacked Transmission app would have encrypted your data only after 3 days since you installed it would have made narrowing down the source of the malware infection much more difficult.
An analysis of the malware by Palo Alto showed that malware had partial support for encrypting the data stored within Apple’s Time Machine backup software which if it had been operational would have caused far more data loss.
As discussed below, while this particular malware infection has now been resolved by the combined efforts of Apple, Transmission, Palo Alto and other security companies; the ramifications for future malware to be made available using similar techniques to steal data will be present from now on.
How Can I Protect Myself from This Issue?
As per Transmission’s recommendation, if you use their BitTorrent client on your Mac OS X system, please update it to version 2.92 or later. If you have anti-malware/anti-virus software installed, please run a full system scan and remove any traces of the malware that may be present. Alternatively, easy to follow manual instructions to remove the malware are provided here.
As mentioned in previous ransomware blog posts, please back up your critical data and ensure to have at least one full copy that is not connected to your computer. This will ensure that it is not available to the ransomware for it to be encrypted too. Recommendations for using Apple’s Time Machine backup software are provided here.
Separately Apple revoked the fake app development certificate (when Palo Alto Networks informed them of it’s misuse) that allowed the malware to bypass it’s Apple’s Gatekeeper security feature. They also updated their XProtect malware protection software to detect and remove the malware.
Meanwhile Transmission updated their software to version 2.92 to remove the malware from the app and to remove any existing malware traces that may have been present on a Mac system after installing version 2.90. All of the mentioned companies/teams should be applauded for their thorough and swift response to this threat.
ComputerWorld: First Mac ransomware had sights on encrypting backups, too
The Safe Mac: First Mac ransomware spotted