The Transmission BitTorrent client's latest update shipped with an installer infected with ransomware dubbed "KeRanger". Ransomware encrypts files on the victim's computer and then demands payment to decrypt them, in this case one (1) bitcoin.
The company that makes the open source BitTorrent client doesn't know how the installers were compromised. Palo Alto Networks, however, has put together information for customers who may be infected.
Users who directly downloaded the Transmission installer from the official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger. If the Transmission installer was downloaded earlier or from any third-party website, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.
We suggest users take the following steps to identify and remove KeRanger before it holds their files for ransom:
- Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either exists, the Transmission application is infected and we suggest deleting this version of Transmission.
- Using "Activity Monitor" preinstalled in OS X, check whether any process named "kernel_service" is running. If so, double-check the process, choose "Open Files and Ports" and check whether there is a file name like "/Users/<username>/Library/kernel_service" (Figure 12). If so, the process is KeRanger's main process. We suggest terminating it with "Quit -> Force Quit".
- After these steps, we also recommend users check whether the files ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service" exist in the ~/Library directory. If so, you should delete them.
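The three checks above, as an added shell example that is not part of the article and is not Palo Alto Networks' tooling. Every path and file name in it comes from the list above; the function names, the `--scan` flag, and the use of `pgrep`, `lsof` and `spctl` in place of Activity Monitor and the Gatekeeper dialog are my own assumptions. The file checks take a filesystem root and a home directory as parameters so they can be run against a mounted disk image or a constructed test tree; `--scan` runs them against the live system.

```shell
#!/bin/sh
# Added example (not from the article, not Palo Alto Networks' tooling): a read-only
# scan for the KeRanger indicators the article lists. Function names and the --scan
# flag are assumptions; the paths and file names are the ones the article gives.

# Indicator file inside the trojanised Transmission bundle (both paths from the article).
BUNDLE_IOCS="/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"

# Marker files KeRanger leaves in ~/Library (names from the article).
LIBRARY_IOCS=".kernel_pid .kernel_time .kernel_complete kernel_service"

# list_keranger_indicators ROOT HOME
# Prints one line per indicator present under ROOT / HOME; prints nothing when clean.
list_keranger_indicators() {
  kr_root=${1%/}    # "/" becomes "", so "$kr_root$f" is an absolute path again
  kr_home=${2%/}
  for f in $BUNDLE_IOCS; do
    if [ -e "$kr_root$f" ]; then
      echo "infected bundle: $kr_root$f"
    fi
  done
  for f in $LIBRARY_IOCS; do
    if [ -e "$kr_home/Library/$f" ]; then
      echo "marker file: $kr_home/Library/$f"
    fi
  done
  return 0
}

# count_keranger_indicators ROOT HOME
# Prints the number of indicators found (0 means none of the listed files exist).
count_keranger_indicators() {
  list_keranger_indicators "$1" "$2" | wc -l | tr -d ' '
}

# keranger_process_running
# The article's Activity Monitor step from the shell: prints the PID of any process
# whose name is exactly kernel_service and succeeds only if one is running.
keranger_process_running() {
  pgrep -x kernel_service
}

# Live scan of this machine: `sh keranger_check.sh --scan` (assumed script name).
if [ "${1:-}" = "--scan" ]; then
  list_keranger_indicators / "$HOME"
  if kr_pids=$(keranger_process_running); then
    echo "running kernel_service process(es): $kr_pids"
    # Equivalent of "Open Files and Ports": show the kernel_service path the process holds open.
    for p in $kr_pids; do
      lsof -p "$p" 2>/dev/null | grep -F 'Library/kernel_service' || true
    done
  fi
  # Ask Gatekeeper whether it would still allow the installed bundle to run.
  if [ -d /Applications/Transmission.app ]; then
    spctl --assess --verbose /Applications/Transmission.app || true
  fi
  echo "indicators found: $(count_keranger_indicators / "$HOME")"
fi
```

The scan only reads; it deliberately does not delete files or kill processes, so the output can be kept as a record before the manual removal steps in the list above are carried out.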
Apple has pulled the developer certificate used to sign the ransomware-infected versions of Transmission and has updated the XProtect anti-malware definitions. That means OS X shouldn't let it in, and Gatekeeper shouldn't let it run going forward. If you get an error warning you that the Transmission installer should be trashed, by all means, trash it.
More, obviously, as this develops.