8 March 2016

Malware attack targets Mac computers

The malware blocks access to files on your computer.

There is a new malware threat targeting Mac computers. Called KeRanger, it was attached to Transmission, a legitimate BitTorrent client.

How it works

KeRanger is a type of malware called “ransomware”. Ransomware blocks access to files on your computer until you pay money to the hackers who set it up. In the case of KeRanger, the hackers have been demanding about US$400 to unlock the files.

KeRanger is particularly nasty in that it doesn’t just lock your files, it also encrypts them, meaning it could be difficult to ever retrieve them. KeRanger waits for three days after it has been installed before it starts locking your files, so it’s not always obvious where it came from. In this instance, Apple said it came from the installation of Transmission version 2.90.

How would my computer be infected?

KeRanger disguised itself as part of the legitimate installation package of the Transmission software, meaning the built-in OS X anti-malware protection wouldn’t have detected it as a threat at the time of installation. If you update XProtect, the OS X anti-malware protection, to the latest version, it should be able to detect KeRanger.

How do I remove it?

KeRanger only affects version 2.90 of Transmission; all older and newer versions of the software are fine. If you have version 2.90, update to version 2.92 immediately, as the update removes KeRanger from your system. Transmission should remind you to update to 2.92 the next time you open it. You should also update XProtect.

As soon as the malware was discovered, Apple revoked the Transmission version 2.90 security certificate, which means you can’t install this version anymore.

