
Your computer has been locked and all your files has been encrypted with 2048-bit RSA encryption.

My computer has been affected by a ransomware (which was reported by Palo Alto Networks on Mar. 4th, http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-…)


What should I do to save my files?

And how can I remove the viruses permanently?

MacBook Pro with Retina display, OS X Yosemite (10.10.5)

Posted on Mar 8, 2016 9:11 AM


Mar 8, 2016 9:34 AM in response to Alberto Ravasio

Thanks for the reply. I do have a backup for most of my files and they are stored on a mobile hard disk.

However, some of my recent files are stored in the cloud (like Dropbox). I want to retrieve those files after I reinstall the system, but I am afraid that the virus has automatically synced to the cloud.

Is there any way to be sure that the virus is not stored in the cloud?

Mar 8, 2016 10:19 AM in response to Alberto Ravasio

My last backup was before I installed the app Transmission 2.90 (which is the source of the ransomware), so I think the offline drive should be fine?


I also searched and deleted all the encrypted files on the cloud and recovered their older, unencrypted versions.

My worry is that, once I download these recovered files to my new computer system, how can I be sure that they are free from this virus and would not compromise or infect my new system?


Thanks again for your help!

Mar 8, 2016 10:49 AM in response to chenhm23

chenhm23 wrote:


My last backup was before I installed the app Transmission 2.90 (which is the source of the ransomware), so I think the offline drive should be fine?


If you did not attach the backup drive after the virus hit, that drive should be safe.


I also searched and deleted all the encrypted files on the cloud and recovered their older, unencrypted versions.

My worry is that, once I download these recovered files to my new computer system, how can I be sure that they are free from this virus and would not compromise or infect my new system?


The only way the virus can revive is to install the same infected Transmission app. Encrypted files are just unrecoverable data.

Mar 8, 2016 6:01 PM in response to TildeBee

It is very unfortunate that this involved a BitTorrent client. There is an implicit assumption that Torrent users "deserved" this. The malware authors may have targeted Transmission for that very reason. People will hear about this and think "Oh, Torrent users. That figures." and go about their day. Aside from that speculation, this has nothing whatsoever to do with BitTorrent. This could happen to any other software at any time, and most certainly will. It was just a clumsy first attempt. Malware developers are like any other developer, they learn by trying and failing. They will do better next time.

Mar 8, 2016 6:09 PM in response to chenhm23

chenhm23 wrote:


I have deleted the app; that means the malware is gone for good, right?

NO! The active component was moved to /Users/<YourUserName>/Library/kernel_service. If you run Transmission v2.92 it will automatically remove all components that were installed.


To manually remove them, hold the <Option/Alt>-key down and select "Library" from the Finder's Go menu.


You will need to be able to see invisible files, so either use a Utility you have to make that happen or do the following:

  1. Open Terminal found in Finder > Applications > Utilities.
  2. In Terminal, paste the following: defaults write com.apple.finder AppleShowAllFiles YES
  3. Press return.
  4. Hold the <Option/Alt> key, then right click on the Finder icon in the dock and click Relaunch.


Now find and remove the following files:

  • .kernel_pid
  • .kernel_time
  • .kernel_complete
  • kernel_service
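The manual check above can be scripted. The following is an added example, not code from the thread or from Apple: it looks for the four artifact names listed above inside a Library directory (defaulting to $HOME/Library, with an optional directory argument for a mounted volume or a test directory) and, as a separate step, removes only those four names. Because it tests the dot-files by name, Finder does not need to show invisible files first.

```shell
# KeRanger artifact check (added example, not from the thread or Apple).
# The four names come from the removal steps above; nothing else in
# Library is ever touched.
KERANGER_ARTIFACTS=".kernel_pid .kernel_time .kernel_complete kernel_service"

# Print the full path of each artifact that exists in the given Library
# directory ($HOME/Library by default). Returns 1 if any was found, 0 if clean.
keranger_check() {
    libdir="${1:-$HOME/Library}"
    found=0
    for name in $KERANGER_ARTIFACTS; do
        if [ -e "$libdir/$name" ]; then
            printf '%s\n' "$libdir/$name"
            found=1
        fi
    done
    return "$found"
}

# Delete the artifacts (and only those) from the given Library directory.
keranger_remove() {
    libdir="${1:-$HOME/Library}"
    for name in $KERANGER_ARTIFACTS; do
        if [ -e "$libdir/$name" ]; then
            rm -f "$libdir/$name"
        fi
    done
    return 0
}
```

Removing the files does not stop a kernel_service process that is already running; as the thread says, restart the computer after deleting the infected Transmission app, then run the check again.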

Mar 9, 2016 2:50 AM in response to chenhm23

KeRanger is not a virus, and it cannot spread on its own. It was entirely contained within the Transmission app. If you have deleted that app and restarted the computer afterwards, then you're fine. If you have allowed Transmission to update itself to version 2.92, then you're also fine. There is no need to worry about this having infected other files.


Assuming that you have removed the malware, you should be safe to restore files from backup, and there will be no need to erase the hard drive and restore your whole system.

Mar 8, 2016 6:31 PM in response to MadMacs0

MadMacs0 wrote:

NO! The active component was moved to /Users/<YourUserName>/Library/kernel_service.


Actually, in my testing with this malware, which I also verified with Claud Xiao (who discovered the malware), although it does copy the executable file to that location, it is then deleted after the process is running. Don't ask me why. There is also no method of persistence, meaning that the only way to get the malware running again after a restart is to open the infected Transmission app. Again, don't ask me why. Seems like a rather odd design to me.


So, if the infected Transmission app is deleted and the computer is restarted, that will eliminate the malware.

Mar 8, 2016 7:04 PM in response to thomas_r.

thomas_r. wrote:


KeRanger is not a virus, and it cannot spread on its own.

That will be something to look forward to in an upgraded version. The Transmission hack is just one variant of KeRanger. It is under active development and there will be a new version.


Actually, in my testing with this malware, which I also verified with Claud Xiao (who discovered the malware), although it does copy the executable file to that location, it is then deleted after the process is running. Don't ask me why. There is also no method of persistence, meaning that the only way to get the malware running again after a restart is to open the infected Transmission app. Again, don't ask me why. Seems like a rather odd design to me.

It sounds pretty clever to me. The best way to hide a malicious executable is to delete it. It only needs to reside on disk to be launched. After that, it can be deleted. On a UNIX OS, any file can be unlinked while open. That is how temporary files work. The file handle will remain active and valid, even though the actual file pointer has been removed from the filesystem.


People may complain about Apple's GateKeeper, Developer ID, and even its so-called "review" system for Mac App Store apps. While I agree that those systems are all pretty easy to bypass, they must be bypassed first. They are future-facing technologies. Any future malware must first figure out a way around them. The malware author in this case did that, but now that must be re-done. Any research that people have done on this particular version of KeRanger will also have to be re-done after the next exploit. Welcome to your future, Mac users.
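The UNIX behaviour described in this reply (a file stays readable through an open descriptor after it is unlinked) can be reproduced in a few lines of POSIX shell. This is an added example, not code from the thread; the function name and the sample file contents are made up for the demonstration.

```shell
# Added example: open a file, delete it, and show the data still flows
# through the open descriptor even though the name is gone from the
# filesystem. This is why a deleted executable can keep running.
unlinked_file_demo() {
    tmp=$(mktemp)                      # constructed sample file
    printf 'still readable\n' > "$tmp"
    exec 3< "$tmp"                     # hold an open read descriptor (fd 3)
    rm "$tmp"                          # directory entry removed; inode lives on
    [ ! -e "$tmp" ] || return 1        # no path resolves to the file any more
    content=$(cat <&3)                 # ...yet the contents are still readable
    exec 3<&-                          # close fd 3; only now is the inode freed
    printf '%s\n' "$content"
}
```

For a defender the practical consequence is that a directory listing cannot show such a file; only the process table and open-file tools (for example lsof) still reveal it.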

