Call 818-252-9165

For Apple Sales, Service, Training and Consulting

Protect yourself from the first known Ransomware for Mac.

As reported by Computerworld… “A new malware briefly flared in the Macworld this weekend but there’s only an extremely slim chance your Mac has been affected. Don’t panic at the inevitable hype: here’s how to protect yourself.

Start here: Do you use Transmission?

If you don’t, you’ll be fine.

Synopsis

The Transmission 2.9 BitTorrent client release was undermined by malware writers who inserted ‘KeRanger’ code that encrypts all your Mac’s files and then demands around $400 to unlock your data. It takes three days until the malware strikes, so if you are impacted, there’s probably still time.

Apple’s reaction

Apple reacted swiftly. Within hours of the release an important Apple-provided security certificate was withdrawn by Cupertino and a new version of Transmission was made available that did not include the criminal code. Apple will doubtless be strenuously investigating how this code gained certification.

Meanwhile if you try to open a version of the application that is known to be infected you will be given a warning message saying either, “Transmission.app will damage your computer. You should move it to the Trash,” or, “Transmission can’t be opened. You should eject the disk image.”

What you can do

Infected files were downloaded after 7pm on Friday, and before 2am Sunday morning. If you think you may have been impacted by the bug, don’t panic. Here is what you can do to protect yourself, courtesy of Palo Alto Networks.

Step One

Using either Terminal or Spotlight, check to see if either of these files exists:

/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf

Step two

If those files do exist, you are using an infected version of Transmission and should delete the application once you have followed the next steps.

Step three

Launch Activity Monitor and search to see if a process called ‘kernel_service’ is running.

Step four

If kernel_service is running, double-click it in order to see more information about the process and then select the ‘Open Files and Ports’ pane to the right.

Step five

In Open Files and Ports check for a file name that should look like: ‘/Users/<username>/Library/kernel_service’. If this exists then you’ve found KeRanger’s main process.

Step six

Terminate the process using Quit > Force Quit.

Step seven

You should now use Spotlight to find out if any of the following files exist in the ~/Library directory:

.kernel_pid
.kernel_time
.kernel_complete
kernel_service

If you find them, delete them.

You should also delete this version of the app. Do so following these instructions (complex) or using an application like AppCleaner, which will also find and delete all associated files.”

If you’re not sure about removal, or if you have Ransomware, contact your MacMyDay tech support.
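
The file and process checks from steps one to seven can also be run in Terminal. The script below is an added example, not part of the Computerworld or Palo Alto Networks text; the function names and the optional ROOT argument are assumptions of this example. It only reports what it finds and deletes nothing.

```sh
#!/bin/sh
# Added example: read-only check for the KeRanger indicators named in the
# steps above. Nothing is deleted or terminated.

# keranger_files HOME_DIR [ROOT]
# Prints one "FOUND <path>" line per indicator file and returns 1 if any exist.
# ROOT is a parameter invented for this example so that a mounted backup or a
# test tree can be scanned instead of the live system (default: empty).
keranger_files() {
    kr_home=$1
    kr_root=${2:-}
    kr_found=0
    # Step one: the file General.rtf inside the infected app bundle.
    # Step seven: the malware's working files in ~/Library.
    for kr_f in \
        "$kr_root/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$kr_root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
        "$kr_home/Library/.kernel_pid" \
        "$kr_home/Library/.kernel_time" \
        "$kr_home/Library/.kernel_complete" \
        "$kr_home/Library/kernel_service"
    do
        if [ -e "$kr_f" ]; then
            echo "FOUND $kr_f"
            kr_found=1
        fi
    done
    return "$kr_found"
}

# keranger_process: steps three to five, the running main process.
# Prints matching PIDs and returns 0 if a process named exactly
# kernel_service is running.
keranger_process() {
    pgrep -x kernel_service 2>/dev/null
}

# Scan the live system when the script is run.
if keranger_files "${HOME:-/nonexistent}"; then
    echo "No KeRanger files found."
fi
if kr_pids=$(keranger_process); then
    echo "FOUND running kernel_service process, PID(s): $kr_pids"
fi
```

Any FOUND line means the removal steps above apply; dot-files such as .kernel_pid are hidden in Finder by default, which is why a Terminal check is useful here.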
