KeRanger is reportedly the first ransomware seen in the wild for the Macintosh and OS X. Before going into the details, we should mention an increasingly popular application that lets Apple users join BitTorrent networks: Transmission. It is not available in the Apple App Store; however, you can obtain it from other sources if you search for it, including file-sharing sites like Google Drive.
So, if you use any kind of torrent software, you are already exposing yourself to risk. Not every uploader in the torrent world posts fake or modified files, but not all of them are clean either: check the uploader's ratings and read the comments before you download a torrent. And if you are obtaining an application that Apple is not responsible for, you have no way of knowing whether the uploader modified the code and turned the software into a backdoor that lets them log in to your system without your consent.
That being said, this BitTorrent client had not been updated for a considerable time. As a result, problems began to appear and users became aggravated, which prompted them to post negative reviews all over the web. So, like any good programmer, the developer posted an update.
It is unknown whether KeRanger was coded into the update itself or whether the update was tampered with after release. Either way, once it activates, the ransomware encrypts your whole hard drive(s) while displaying the message ALL YOUR BITS ARE MINE. You are then directed to a website that will sell you a key to unlock your data for a fee of 1 Bitcoin ($413.40 as of 14 March 2016). If you decide not to pay, consider all your data gone. However, if you have a Time Machine backup ready, you can roll back and avoid the loss. This is just one example of why backups matter.
Anyhow, if you downloaded the software directly from the official website at some point this month, KeRanger may encrypt the files on your system(s). If the Transmission installer was obtained or installed from any other web page, we also recommend that you carry out the instructions below:
Step A
Use either the Terminal or the Finder to check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If that file is present, the copy of Transmission is infected, and we recommend deleting that version before the ransomware activates.
Step B
Open Activity Monitor, which ships with every Apple computer running OS X, and check whether a process named kernel_service is running. To do this, double-click the process, select the Open Files & Ports tab and look for a file named kernel_service; you can also find it by opening the Users folder, then the active user's folder, and looking in Library. You should then clearly see the kernel_service file. If it is there, that process is the ransomware's main process. We recommend ending it by choosing Quit and then Force Quit, which terminates the process entirely.
Step C
After doing so, also check for files named .kernel_pid, .kernel_time, .kernel_complete or kernel_service in the ~/Library directory. If any are present, delete them all.
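The three steps above, collected into one shell script as an added example (not from the article or the cited vendors). It checks for the General.rtf marker, the dropped ~/Library files and the kernel_service process (via `ps` rather than Activity Monitor); the paths are parameters so the checks can be exercised against a constructed directory tree, and with no arguments the real locations from the article are used.

```sh
#!/bin/sh
# Added example, not from the original article: automates Steps A-C.

# Steps A and C: look for the General.rtf marker inside the Transmission
# bundle(s) and for the dropped state files in ~/Library.
# Prints one line per indicator found; returns 0 if none, 1 otherwise.
keranger_indicators() {
    app_dir="${1:-/Applications/Transmission.app}"
    vol_dir="${2:-/Volumes/Transmission/Transmission.app}"
    lib_dir="${3:-$HOME/Library}"
    found=0
    for rtf in "$app_dir/Contents/Resources/General.rtf" \
               "$vol_dir/Contents/Resources/General.rtf"; do
        [ -f "$rtf" ] && { echo "STEP A: infected bundle marker: $rtf"; found=1; }
    done
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        [ -e "$lib_dir/$name" ] && { echo "STEP C: dropped file: $lib_dir/$name"; found=1; }
    done
    return $found
}

# Step B: does one process name, as printed by `ps -o comm=` (on macOS that
# is the executable's full path), match the ransomware's kernel_service?
# The legitimate kernel_task must not match.
keranger_proc_match() {
    printf '%s\n' "$1" | grep -Eq '(^|/)kernel_service$'
}

# Step B against the live process table; returns 0 if kernel_service runs.
keranger_process_running() {
    ps -A -o comm= 2>/dev/null | grep -Eq '(^|/)kernel_service$'
}

# Run every check against the real system; returns 1 if anything was found.
keranger_scan() {
    if keranger_indicators; then rc=0; else rc=1; fi
    if keranger_process_running; then
        echo "STEP B: kernel_service process is running (Force Quit it)"
        rc=1
    fi
    return $rc
}
```

Source the file and call `keranger_scan`; a nonzero exit status means at least one indicator was found and the files or process named in the output should be removed as described above.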
USERS WITH THE OLD VERSION DO NOT SEEM TO BE AFFECTED BY THE RANSOMWARE. We hope you find this article useful, and we are sorry for those who are infected. If you know anyone who uses the Transmission application, we recommend that you show them this article.
Source: Symantec, Palo Alto Networks
This Article (This Ransomware Is Infecting Thousands Of Apple Users – Are You One Of Them?) is free and open source. You have permission to republish this article under a Creative Commons license with attribution to the author and AnonHQ.com.
Not to be confused with kernel_task, a legitimate OS X process. 🙂