With millions of active users, Transmission is one of the most used BitTorrent clients around, particularly for Mac users.
The application has been around for more than a decade and has a great reputation. However, this weekend several users started to report malware problems in the Transmission forums.
The malware in question was identified as “OSX.KeRanger.A” and several users reported that it’s linked to Transmission 2.90.
Today, their suspicions were confirmed by researchers from Palo Alto Networks who published a warning and an overview of the technical details on their website.
“Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When we identified the issue, the infected DMG files were still available for downloading from the Transmission site,” they write.
KeRanger is so-called ransomware, which encrypts files on the victim’s computer. The attackers then promise to decrypt them if a ransom is paid, amounting to one Bitcoin in this case.
“The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files,” the researchers explain.
“Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.”
Apple was also informed about the issue and has since revoked the abused certificate and updated its XProtect antivirus signature.
As Ars Technica points out, the “KeRanger” ransomware is notable as it’s the first Mac-targeted ransomware that’s been reported in the wild.
The Transmission team, meanwhile, has added a warning message to their site, alerting users to upgrade their clients right away.
“Everyone running 2.90 on OS X should immediately upgrade to 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the ‘OSX.KeRanger.A’ ransomware is correctly removed from your computer,” the warning reads.