Author Topic: First instance of OS X ransomware found in Transmission


chronovore

  • relapsed dev
  • Senior Member

Vertigo

  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #1 on: March 07, 2016, 08:58:29 PM »
I had a fake ransomware pop up a few months ago on my mac. I never want to have a taste of the real thing.   :o


chronovore

  • relapsed dev
  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #2 on: March 07, 2016, 10:31:37 PM »
Quote from: Vertigo
I had a fake ransomware pop up a few months ago on my mac. I never want to have a taste of the real thing.   :o

At my last job in a US office, someone got bit by this and it locked up the entire machine. It's great to think you're technically capable as a developer and then get completely owned by some Slovakian extortion scheme.

VomKriege

  • Do the moron
  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #3 on: March 08, 2016, 01:55:46 AM »
Ransomware is one of those things that I would expect to be put much more on the forefront of news. I suspect it doesn't because it reflects poorly on our own certainties of security, big business and the people supposedly enforcing order...
ὕβρις

T-Short

  • hooker strangler
  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #4 on: March 08, 2016, 03:22:46 AM »
One of my colleagues had a client recently who had a Mac with a Windows VM on it, she opened a ransomware attachment in the VM and had home folder sharing on, so her Mac files got encrypted as well. Ouch.
地平線

Rufus

  • 🙈🙉🙊
  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #5 on: March 08, 2016, 04:47:52 AM »
http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

Yikes.

They still don't know how Apple's certification process was bypassed.
Quote
The two KeRanger-infected Transmission installers were signed with a legitimate certificate issued by Apple. The developer listed on this certificate is a Turkish company with the ID Z7276PX673, which was different from the developer ID used to sign previous versions of the Transmission installer. In the code signing information, we found that these installers were generated and signed on the morning of March 4.
I don't know shit about how this works, but this reads as if the certificate was issued to the wrong company somehow. :doge

T-Short

  • hooker strangler
  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #6 on: March 08, 2016, 05:36:08 AM »
Quote from: Rufus
http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

Yikes.

They still don't know how Apple's certification process was bypassed.
Quote
The two KeRanger-infected Transmission installers were signed with a legitimate certificate issued by Apple. The developer listed on this certificate is a Turkish company with the ID Z7276PX673, which was different from the developer ID used to sign previous versions of the Transmission installer. In the code signing information, we found that these installers were generated and signed on the morning of March 4.
I don't know shit about how this works, but this reads as if the certificate was issued to the wrong company somehow. :doge

Naw, the affected installer was signed by a legit Apple Dev cert issued to a Turkish company. The question is if that cert was stolen/appropriated by hackers, and how the nasty installer ended up on the official Transmission download site.
地平線
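
The posts above turn on one detail from the Palo Alto quote: the rogue installers carried a valid Apple-issued Developer ID, just not the Team ID (Z7276PX673 instead of the one earlier Transmission builds used). Gatekeeper only asks "did Apple issue this certificate?", so the practical check is to compare the Team ID in the signature against the one you have seen on known-good copies. The script below is an added example for this thread, not code from Transmission, Apple or Palo Alto Networks. It parses the `TeamIdentifier=` line that `codesign -dvv` prints; the two sample outputs are constructed inline so it runs without a Mac, and the "legitimate" Team ID `LEGIT12345`, the bundle path and the developer names are placeholders, not Transmission's real values.

```shell
#!/bin/sh
# Added example; not code from Transmission, Apple or Palo Alto Networks.
# Flags an app whose Developer ID signature is valid but belongs to a
# different Team ID than the one you have seen on known-good builds.
#
# On a Mac the real input is:
#   codesign -dvv /Applications/Transmission.app 2>&1
# (codesign writes the signing details to stderr, hence 2>&1).
# The two samples below are constructed so the check runs anywhere;
# "LEGIT12345" is a placeholder, not Transmission's real Team ID.

# Print the TeamIdentifier= value from codesign -dvv output read on stdin.
extract_team_id() {
  sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Exit 0 only when the Team ID in the codesign text ($1) equals the
# expected Team ID ($2). A missing TeamIdentifier line also fails.
check_team_id() {
  actual=$(printf '%s\n' "$1" | extract_team_id)
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

EXPECTED_TEAM_ID="LEGIT12345"   # placeholder: record it from a known-good copy

# Constructed sample: a build signed by the developer you expect.
GOOD_SAMPLE='Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Developer (LEGIT12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=LEGIT12345'

# Constructed sample: same bundle, valid Apple chain, but signed with the
# Turkish company's Team ID quoted in the Palo Alto write-up. Until Apple
# revokes that certificate, `spctl --assess --type execute` accepts it too.
ROGUE_SAMPLE='Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Some Other Company (Z7276PX673)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=Z7276PX673'

# Report one sample: $1 is a label, $2 the codesign text.
report() {
  if check_team_id "$2" "$EXPECTED_TEAM_ID"; then
    echo "$1: Team ID matches $EXPECTED_TEAM_ID"
  else
    echo "$1: Team ID '$(printf '%s\n' "$2" | extract_team_id)' does not match $EXPECTED_TEAM_ID"
  fi
}

report GOOD_SAMPLE "$GOOD_SAMPLE"
report ROGUE_SAMPLE "$ROGUE_SAMPLE"
```

Run it as `sh check_team_id.sh` to see both verdicts; on a real machine replace the constructed samples with `codesign -dvv` output for the downloaded bundle. The point is that `codesign --verify` and Gatekeeper answer "is this signature valid?", while the KeRanger case needed "is this the signer I trusted last time?", which only a pinned Team ID answers.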

Rufus

  • 🙈🙉🙊
  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #7 on: March 08, 2016, 06:04:57 AM »
I think I get it now. Made a couple of wrong assumptions.

A Turkish company's cert was misappropriated and used to sign a compromised Transmission installer, which then made its way onto the Transmission homepage. Crafty.

T-Short

  • hooker strangler
  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #8 on: March 08, 2016, 06:13:51 AM »
Quote from: Rufus
I think I get it now. Made a couple of wrong assumptions.

A Turkish company's cert was misappropriated and used to sign a compromised Transmission installer, which then made its way onto the Transmission homepage. Crafty.

Yeah, it's the last part which is kinda creepy. Usually when this happens (XcodeGhost, various "Flash Player" installers), the actual installer is sourced from some place which is not the official supplier. But in this case it was on the official site.
地平線

seagrams hotsauce

  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #9 on: March 08, 2016, 06:16:30 AM »
Does the ransomware render Time Machine useless?

T-Short

  • hooker strangler
  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #10 on: March 08, 2016, 07:20:51 AM »
Quote from: seagrams hotsauce
Does the ransomware render Time Machine useless?

AFAIK it tries, if the disk is mounted. Dunno if it makes any effort to run backupd or read com.apple.TimeMachine.plist to try and mount destinations, but if you've got an external drive hooked up and mounted, it will try to encrypt those files as well. Probably just steps through /Volumes/, but I'm not familiar with it (nor do I want to be)
地平線

seagrams hotsauce

  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #11 on: March 08, 2016, 07:30:04 AM »
That makes sense. I usually just plug in my TM drive to backup a couple of times a week instead of leaving it in.

Either way, in the past my sheer stupidity has led to me deleting 'important' files enough times that anything I consider remotely valuable exists on three or four different HDs. Still pretty disconcerting that something I use so frequently is so vulnerable though.

T-Short

  • hooker strangler
  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #12 on: March 08, 2016, 07:44:42 AM »
Quote from: seagrams hotsauce
That makes sense. I usually just plug in my TM drive to backup a couple of times a week instead of leaving it in.

Either way, in the past my sheer stupidity has led to me deleting 'important' files enough times that anything I consider remotely valuable exists on three or four different HDs. Still pretty disconcerting that something I use so frequently is so vulnerable though.

Well. Cloud backup is fairly mature these days and quite good, especially for mobile devices. CrashPlan and Backblaze are both good.

EDIT: Nothing beats TM for system backups though.
地平線

thisismyusername

  • GunOn™! Apply directly to forehead!
  • Senior Member
Re: First instance of OS X ransomware found in Transmission
« Reply #13 on: March 08, 2016, 11:26:30 AM »
Quote from: seagrams hotsauce
Does the ransomware render Time Machine useless?

If you're Time Machine-ing to the same drive: Yes. If you're backing up to another drive and placing that drive somewhere that the ransomware can't see (AKA: off the computer that is infected) then no, it won't affect it. It's the same as BitLocker in a way.