Palo Alto Networks, a security research firm, announced Sunday its discovery of what is believed to be the world’s first ransomware that specifically targets OS X machines. The malicious code, dubbed "KeRanger" ransomware, was found wrapped into Transmission, a free Mac BitTorrent client.
At this time it is still unclear exactly how the attackers managed to upload a tampered version of Transmission to the application's website, but compromising legitimate applications is a commonly used method. "It’s possible that Transmission's official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred," Palo Alto Networks wrote on its blog.
The KeRanger malware imposes a 72-hour lockout window unless the victim pays up to unlock their device. As mentioned, the software was loaded onto OS X machines unintentionally by users running version 2.90 of the Transmission software, a version that was signed with a legitimate Apple developer's certificate. This allowed the software to bypass one of OS X's security settings, as users often configure that setting to allow downloads from identified Apple developers. As a result, the person with the infected machine may never have seen a warning from Apple's Gatekeeper software that the application could be dangerous.
According to reports by Reuters, Apple revoked a certificate that allowed the software to be installed on Macs, and Transmission removed the download link from its website, noting that any users who downloaded the infected version over the weekend should immediately upgrade to version 2.91 of the software, which was available on its website, and delete the malicious one.