Fanboys Anonymous

Ransomware is one of the fastest-growing forms of cyber threats, encrypting data on infected machines and forcing users to pay a ransom for a electronic key to retrieve their data. The malware demands that victims pay one bitcoin ($400) to a specific address to retrieve their files.

Claud Xiao and Jin Chen of Palo Alto Networks reported that the ransomware, called "KeRanger," is the only fully functional ransomware seen on the OS X platform. The only previous attempt at ransomware for OS X is FileCoder, discovered by Kaspersky Lab in 2014, though it was incomplete at the time of discovery.

Hackers infected Transmission BitTorrent client version 2.90, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, on the morning of March 4. Those that downloaded Transmission from the official website between 11 a.m. on March 4 and 7 p.m. on March 5 may have been infected, Palo Alto Networks stated.

KeRanger was signed with a valid Mac app development certificate, allowing it to bypass Apple's Gatekeeper protection. The application is designed to idle for three days before connecting with servers over the Tor anonymizer network and then begins to encrypt certain types of document and data files. Additionally, the malware encrypts Time Machine backup files, preventing victims from recovering their back-up data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from cyber criminals who typically target Windows users, Reuters reported. This is the first known major attack on Mac users.

The ransomware was reported to Apple and the Transmission Project, prompting Apple to revoke the abused certificate that enabled the malware to install. On Sunday, the Transmission Project removed the malicious installers from its website and advised users to immediately install the new update, version 2.92, if they suspect their Mac has been infected. According to the website, the updated version will automatically remove the ransomware.