Slashdot Mirror


Transmission BitTorrent App Contained Malware (cnbc.com)

An anonymous reader writes: Apple users were targeted in the first known Mac ransomware campaign. Hackers targeted Transmission, which is one of the most popular Mac applications used to download software, videos, music, and other data from the BitTorrent peer-to-peer information sharing network. As per this forum post (English screenshot of warning), OS X detected malware called OSX.KeRanger.A. This is the first one in the wild that is functional as it encrypts your files and seeks a ransom. An Apple representative said the company had taken steps over the weekend to prevent attacks by revoking a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs.


  1. Digital certs don't make your software secure by NotInHere · Score: 3, Interesting

    In fact, in this case probably it was the contrary. I guess the developer was not part of the developer team for Transmission, but external. If it were easy to package software for Macs without having to pay lots of fees, the dev team could have done it themselves. Apple really should give free dev licenses to free software developers, to help fight abuse. GitHub does something like that too.

    1. Re:Digital certs don't make your software secure by Anonymous Coward · Score: 4, Insightful

      $99 a year isn't an exorbitant fee for a code signing cert.

      That's the only part of Apple's developer programs that requires cost (besides buying a Mac, and frankly it's not a crazy concept to own the platform you are developing for).

    2. Re:Digital certs don't make your software secure by Jamu · Score: 3, Insightful

      You can probably make that back from the ransom payments...

      --
      Who ordered that?

    3. Re:Digital certs don't make your software secure by Anonymous Coward · Score: 2, Informative

      Right. Because Macs run iOS. Of course.

      They don't, but the iDevice simulators in Xcode do.

    4. Re:Digital certs don't make your software secure by butzwonker · Score: 3, Interesting

      It can be exorbitant for small developers in combination with the other requirements. You also need to buy Macs every 3-5 years in order to be able to stay afloat as a developer. Let's say you only update your machine every 5 years (a bit optimistic). Then a realistic estimate for the real development costs is USD 99 x 5 + USD 1300 MacBook Pro 13 + USD 249 Apple Care for MacBook Pro 13 for a total of USD 2044 / 5 years or USD 409 per year, not including any software, online storage and backup, web services, backup software and storage, etc. For serious business these costs are no problem. For small shareware and occasional developers these costs can be prohibitive. They certainly are the reason why I don't develop for Apple. And don't forget that Apple additionally takes 30% of all your revenue as opposed to 10 - 16 percent that ordinary payment services take, so the real costs for individual developers are much higher.

  2. Re:If I remember right transmission is also includ by Anonymous Coward · Score: 3, Insightful

    Given that Transmission originates as a project purely for Mac OS (which has subsequently become cross platform), I'd be amazed if the main devs didn't own Macs.

  3. Re:Decipher by SeaFox · Score: 2

    Now the ransomware's certificate is revoked, I guess there is no hope to pay the crooks and recover the data?

    MacRumors reports there was a three-day delay before the lockout would take effect. So most people haven't been caught by it yet.

  4. I never get this. by rrohbeck · Score: 3, Insightful

    How is an encrypted drive different from a failed drive, other than that if it's only encrypted you don't even have to buy a new one - just wipe it and restore your backup, maybe reinstall your OS first.

    1. Re: I never get this. by krray · Score: 2

      No, he's just saying that to the end user the symptoms are the same, i.e., "it doesn't work right anymore".

      Replace the drive (not needed in this case), format, and reload from a good backup.

      You have a good backup, right? :)

    2. Re:I never get this. by antdude · Score: 2

      Unless it infects the backup drives too. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

    3. Re:I never get this. by sociocapitalist · Score: 3, Insightful

      How is an encrypted drive different from a failed drive, other than that if it's only encrypted you don't even have to buy a new one - just wipe it and restore your backup, maybe reinstall your OS first.

      Because cryptolocker type attacks also encrypt any backup drives that are connected (either directly or over the network). You may even be backing up malware encrypted files, overwriting unencrypted files, for some time before the malware notice flashes up on your screen.

      Keep in mind that the malware process runs encryption in the background for some time (i.e. until some target percentage of what the malware considers to be 'interesting files' has been encrypted) so you don't generally know that you're under attack until most of your files have been made useless to you.

      The only reasonably certain defense is having a lot of one-off backups that you make and then store offline. As USB keys are cheap, I've been making weekly backups of the data that's really important and just throwing the keys in a drawer.

      --
      blindly antisocialist = antisocial

  5. Re:If I remember right transmission is also includ by Noah+Haders · Score: 2

    Transmission is a longtime award-winning Mac app.

  6. Time Machine by khchung · Score: 3, Informative

    So, if you find your important file encrypted by ransomware, how difficult is it to just restore it from a Time Machine backup?

    After all, once it was encrypted, you can't use it anymore, so it is simple to just get the version before the last update time.

    --
    Oliver.

    1. Re:Time Machine by Anonymous Coward · Score: 2, Insightful

      I'm guessing the Time Machine files will all be encrypted themselves so that data cannot be recovered. Assuming here that the Time Machine drive files are similar in form to the application 'bundles', just instead of programs and shared libraries on the 'bundle', there will be a source file and the various binary diffs of the versions of the files.

    2. Re:Time Machine by SilentChasm · Score: 2

      From the TorrentFreak article:

      Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.