KeRanger: BitTorrent Client Spreading Rare Ransomware
If you recently installed version 2.90 of the BitTorrent client Transmission on your Mac, you might be infected with a new form of ransomware. Dubbed KeRanger by researchers at Palo Alto Networks, this malware remains dormant for three days before making itself known to the user by encrypting their files and demanding a ransom payment. KeRanger is the first fully functional ransomware program observed on the OS X operating system.
After the user downloads the KeRanger malware alongside a legitimate program like Transmission, the malware waits three days and then makes contact with command and control servers over the anonymous Tor network. It then encrypts documents and data files on the infected system. When it has finished the encryption process, the malware demands that the user pay one Bitcoin, approximately $400 USD, to regain access to their files.
The KeRanger application possessed a valid Mac development certificate, making it capable of bypassing the Apple Gatekeeper protection. Today Apple confirmed that the certificate in question has been revoked. Going forward, the program will be unable to install itself on users’ systems. Additionally, the malicious file has been added to Apple’s malware definitions, so users whose built-in XProtect malware protection is up to date will be protected from the new threat. A new version of the Transmission BitTorrent client has also been released; it updates the client and deletes the infected KeRanger file.
This might not be the last time we hear about KeRanger. No one has confirmed how the open source Transmission project’s installer and website were compromised to spread the ransomware. Additionally, researchers note that the ransomware appears to be under active development: they observed it attempting to encrypt users’ Time Machine backup files, which would prevent victims from recovering their files without paying the ransom.