
Warning: Transmission BitTorrent client infected with ransomware, here's what you need to know!

Apple MacBook Pro (Image credit: Joseph Keller/iMore)

The installer shipped with the Transmission BitTorrent client's latest update was infected with ransomware dubbed "KeRanger". Ransomware encrypts files on the victim's computer and then demands payment to decrypt them, in this case one (1) bitcoin.

The project that makes the open source BitTorrent client doesn't yet know how its installers were compromised. Palo Alto Networks, however, has put together information for users who may be infected.

Users who directly downloaded the Transmission installer from the official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger. If the Transmission installer was downloaded earlier or from any third-party website, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.

We suggest users take the following steps to identify and remove KeRanger before it holds their files for ransom:

  1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either of these exists, the Transmission application is infected and we suggest deleting this version of Transmission.
  2. Using "Activity Monitor", preinstalled in OS X, check whether any process named "kernel_service" is running. If so, double-check the process: choose "Open Files and Ports" and check whether there is a file named like "/Users/<username>/Library/kernel_service" (Figure 12). If so, the process is KeRanger's main process. We suggest terminating it with "Quit -> Force Quit".
  3. After these steps, we also recommend users check whether the files ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service" exist in the ~/Library directory. If so, you should delete them.
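
The three manual checks above can be scripted. The following is an added example written for this page, not code from iMore, Palo Alto Networks or the Transmission project; it looks for the same indicators (General.rtf inside the app bundle or the mounted disk image, a running `kernel_service` process, and the dropped files in ~/Library). The optional first argument is a root prefix and the second a home directory, both assumed here so the checks can be run against a copied or mounted filesystem instead of the live one; the `pgrep`/`ps` calls assume the OS X command-line tools, which is where this would be run.

```shell
#!/bin/sh
# keranger_check.sh -- added example; reproduces the advisory's three checks.
# Usage: sh keranger_check.sh            (scan the live system)
#        sh keranger_check.sh /mnt/disk /mnt/disk/Users/alice   (scan an offline copy)

# Indicators named in the advisory steps.
KERANGER_RESOURCE="Contents/Resources/General.rtf"
KERANGER_LIBRARY_FILES=".kernel_pid .kernel_time .kernel_complete kernel_service"

# Step 1: General.rtf inside the installed app or the mounted DMG.
# Prints each hit; returns 0 if anything was found, 1 otherwise.
keranger_check_app() {
    root="${1:-}"
    found=1
    for app in "$root/Applications/Transmission.app" \
               "$root/Volumes/Transmission/Transmission.app"; do
        if [ -e "$app/$KERANGER_RESOURCE" ]; then
            echo "INFECTED installer: $app/$KERANGER_RESOURCE"
            found=0
        fi
    done
    return $found
}

# Step 2: a running process whose name is exactly kernel_service.
# On OS X, ps -o comm= prints the executable path, which is the same
# "/Users/<username>/Library/kernel_service" check Activity Monitor gives.
keranger_check_process() {
    found=1
    for pid in $(pgrep -x kernel_service 2>/dev/null); do
        echo "RUNNING: pid $pid $(ps -p "$pid" -o comm= 2>/dev/null)"
        found=0
    done
    return $found
}

# Step 3: dropped state files in ~/Library.
keranger_check_library() {
    home="${1:-$HOME}"
    found=1
    for f in $KERANGER_LIBRARY_FILES; do
        if [ -e "$home/Library/$f" ]; then
            echo "DROPPED: $home/Library/$f"
            found=0
        fi
    done
    return $found
}

# Run all three checks. Returns 0 (and prints what to do) if any indicator
# was found, 1 if the machine looks clean.
keranger_scan() {
    root="${1:-}"
    home="${2:-$HOME}"
    hits=0
    keranger_check_app "$root" && hits=$((hits + 1))
    keranger_check_process && hits=$((hits + 1))
    keranger_check_library "$home" && hits=$((hits + 1))
    if [ "$hits" -eq 0 ]; then
        echo "No KeRanger indicators found."
        return 1
    fi
    echo "$hits indicator group(s) found: force-quit kernel_service, delete the files listed, and trash this Transmission build."
    return 0
}

# Scan the live machine when run directly; a clean result is not an error.
keranger_scan "${1:-}" "${2:-$HOME}" || true
```

The script is read-only by design: it reports and tells you what to delete rather than deleting, so a false positive on a shared home directory does not cost anyone data.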

Apple has revoked the developer certificate used to sign the ransomware-infected versions of Transmission and has updated the XProtect anti-malware definitions. That means XProtect should block the infected installer, and Gatekeeper should refuse to run it now that its signing certificate is revoked. If you get an error warning that the Transmission installer should be trashed, by all means, trash it.

More, obviously, as this develops.

I have been writing professionally about technology and gaming news for 14 years.

12 Comments
  • Is there any way to tell if it has been installed on your machine?
  • MacRumors has a good writeup on this for anyone interested:
    http://forums.macrumors.com/threads/first-mac-ransomware-found-in-transm...
  • The source link in the imore article has loads of technical detail including how to identify if you're infected. The key point from reading various sources is users who updated an existing install to 2.90 via the auto update feature should be ok.
  • I'm curious about those of us using FileVault and who have their hard drive already encrypted. Can this malware re-encrypt it and still hold it hostage?
  • I think this is a file level encryption rather than drive level. So it can still encrypt your files even if you've FileVault enabled.
  • thanks for the clarification!
  • I would assume so. Once your system is running there is full access to all files.
  • Apparently it's only if you download version 2.90 from the website, not if you updated through the app's updater. Thankfully I was on version 2.84, and I also checked for the malware process and it doesn't exist
  • I'm curious as to how it got on Transmission's website. Also, if it was signed with a valid signature, aren't those traceable to a particular person or company?
  • Hi
    Please I want the mac's wallpaper that in pictures
  • I was about to ask for the wallpaper link as well lol Sent from the iMore App
  • It was a close call for me. I had this infected version installed, or rather updated to this from their site. Lucky for me, I was running Little Snitch, which asked for permission to allow or deny a network connection from "kernel_service" to a network that looked like it was protected by Tor. I denied all traffic to this service and killed the app. Later I went to the official site again and got a newer updated version (2.92). It's only after that that the news about the ransomware came out. Lesson learnt: never update apps as soon as they come out, and I should probably also pay for my copy of Little Snitch :P