First Mac Ransomware Found in Transmission BitTorrent Client

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Mar 6, 2016.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1

    This weekend, a notice appeared on Transmissionbt.com warning users that version 2.90 of the popular Mac BitTorrent client downloaded from their site may have been infected with malware. The warning reads:
    Reuters reports that the infected download contained the first "Ransomware" found on the Mac platform. Ransomware is a type of malware that encrypts a user's hard drive and demands payment in order to unencrypt it. This type of attack has been increasingly popular on the PC, but this is the first time it has been seen on the Mac.

    According to Reuters, Apple is aware of the issue and has already revoked "a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs."

    The malware in question is said to delay encrypting the user's hard drive for 3 days, so we may see the first reports of those affected as early as Monday. Transmissionbt.com offers instructions on how to see if you are affected (above). If you don't use the Transmission software, there is nothing you need to do at this time.

    Update: Technical details about the malware.

    Update 2: Transmissionbt.com says version 2.92 of Transmission will actively remove the malware.

    Article Link: First Mac Ransomware Found in Transmission BitTorrent Client
     
  2. mnsportsgeek macrumors 65832

    Joined:
    Feb 24, 2009
    #2
    Apparently it only affects users who downloaded it off of the website and not those who used the in app update.
     
  3. cwwilson macrumors 65816

    cwwilson

    Joined:
    Jan 27, 2009
    Location:
    Oklahoma City, OK
    #3
    I have version 2.84 installed. Am I okay?
     
  4. Dagless macrumors Core

    Dagless

    Joined:
    Jan 18, 2005
    Location:
    Fighting to stay in the EU
    #4
    That's worrying. You're encouraged to constantly keep your applications and OS updated, but recently that's becoming troublesome. First with Apple's silent security update disabling wired networks and now this! Worrying year for security this.
     
  5. TheHorrorNerd macrumors regular

    Joined:
    Feb 25, 2015
    #5
    Couldn't you just restore from an earlier Time Machine backup to work around the encryption lock?
     
  6. mgmusicman94 macrumors 6502a

    Joined:
    Nov 16, 2008
    #6
    Users who updated within the app are fine. Only direct downloads from the site were affected.
     
  7. penajmz macrumors 68040

    penajmz

    Joined:
    Sep 11, 2008
    Location:
    New York City
    #7
    That's good news for me as I always update through the app.

    Still went to check and no such process was running.
     
  8. aaronvan Suspended

    aaronvan

    Joined:
    Dec 21, 2011
    Location:
    República Cascadia
    #8
    No kernel_service is running on my Mac.

    Epic malware fail.
     
  9. mgmusicman94 macrumors 6502a

    Joined:
    Nov 16, 2008
    #9
    ... if you use Time Machine
     
  10. Max(IT) Suspended

    Max(IT)

    Joined:
    Dec 8, 2009
    Location:
    Italy
    #10
    Just started the app, I saw the warning and updated it.
    Shame on the developer here (since the infected app was downloaded from their website).
     
  11. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #11
    The Transmission forum posts and some Reddit posts all seem to point that direction. I updated to 2.90 in the app with Sparkle and was not infected.
     
  12. wrldwzrd89 macrumors G5

    wrldwzrd89

    Joined:
    Jun 6, 2003
    Location:
    Solon, OH
    #12
    Oh this is BAD. Thank goodness I'm not infected as I used the in-app update.
     
  13. Mada macrumors member

    Joined:
    Jan 7, 2007
    Location:
    Scotland
    #13
    Yup. It appears that if you updated within the app (i.e. with Sparkle) you're fine. It's only the direct downloads that were infected. Nevertheless, Transmission and its Library folders have made a quick trip to my Trash.
     
  14. mnsportsgeek macrumors 65832

    Joined:
    Feb 24, 2009
    #14
    Ya. I definitely did the check as well. That's one thing I don't want to deal with.
     
  15. bladerunner2000 macrumors 68020

    bladerunner2000

    Joined:
    Jun 12, 2015
    #15
    Not everyone uses Time Machine.
     
  16. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #16
    You are fine. The malware was only in the new 2.90 version.
     
  17. TheHorrorNerd macrumors regular

    Joined:
    Feb 25, 2015
    #17
    Can't really blame Apple for data loss if you
    (a) Don't make regular backups
    (b) Install BitTorrent clients (from a website no less) which have little or no legitimate use other than piracy
     
  18. Max(IT) Suspended

    Max(IT)

    Joined:
    Dec 8, 2009
    Location:
    Italy
    #18
    Yes you are. The infected version is 2.90
     
  19. stridemat Moderator

    stridemat

    Staff Member

    Joined:
    Apr 2, 2008
    Location:
    UK
    #19
    Yes you will be fine.
     
  20. thisisnotmyname, Mar 6, 2016
    Last edited: Mar 6, 2016

    thisisnotmyname macrumors 68000

    thisisnotmyname

    Joined:
    Oct 22, 2014
    Location:
    known but velocity indeterminate
    #20
    Backups people, backups! Too often no one cares about backups until they are struck with something like this. There was an article, I think on NPR, a while back that chronicled the hoops people have to jump through in order to get rid of ransomware when they haven't practiced good backup strategy. There's a clock running and for someone who has never dealt with bitcoin before it can be challenging even if you want to pay the ransom.

    Edit to add: here was the article I was thinking of, it was on RadioLab: http://www.radiolab.org/story/darkode/
     
  21. Alenore macrumors 6502

    Joined:
    Apr 7, 2013
    #21
    And who said anything about blaming Apple? :/
     
  22. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #22
    Looks like Apple has updated XProtect for this KeRanger malware already. This is from my xprotect.plist file.

    Screen Shot 2016-03-06 at 11.42.26 AM.png
     
  23. iMacUnsure macrumors member

    iMacUnsure

    Joined:
    Aug 24, 2013
    Location:
    Southern US
    #24
    What if I do not have this installed at all? I do not use BitTorrent and have never been on the site.
     
  24. Morrile macrumors member

    Morrile

    Joined:
    Jun 18, 2009
    Location:
    In an Apartment
    #25
    To be expected when people use BitTorrent, I have zero sympathy for people who pirate stuff!
     
