First case of ransomware in OS X


OS X has never been popular enough, compared with Windows, to attract virus and malware developers. For a while now, though, that seems to have changed, and more and more malware is affecting Macs.

One of the reasons many users migrated to OS X was to avoid problems with viruses and malware. In recent years a new kind of virus has become popular: instead of deleting or infecting content, it encrypts the hard drive, leaving every file stored on it inaccessible.

This type of virus is called ransomware and, as the name suggests, it demands a ransom: a payment in exchange for unlocking the content. If the payment is not made within the time set by the attacker, the key that unlocks the encryption is destroyed and the files cannot be recovered.

This new ransomware for OS X is called KeRanger, and it is installed together with the Transmission download application, specifically version 2.90. Several days after the application is installed, KeRanger encrypts all the content on the hard drive located in the /Users and /Volumes folders. Obviously, nobody can guarantee that paying will get the information back.

Just a few days ago Transmission was updated after two years, and many users rushed to update it on their Macs. If you are one of them, read on to find out whether you are infected and how to remove this ransomware before it takes action.

How to know if I am infected

To check whether you are infected, open Activity Monitor, located in Applications > Utilities. If you find kernel_process among the running processes, that is bad news: it means you are infected. In that case, the best thing you can do before KeRanger activates is to restore from a backup made before Transmission version 2.90 was installed.

Another way to find out whether you are infected with KeRanger is to look for "/Applications/Transmission.app/Contents/Resources/General.rtf" or "/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf". The file General.rtf was not included in the final version of Transmission 2.90, since it is the file responsible for infecting the Mac. If either of these two paths exists on your Mac, you are infected, and the best course is to delete the application outright.
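Both checks above (the process list and the two General.rtf paths) can be run from Terminal in one pass. The script below is an added example, not part of the original article or of any Apple or Transmission tooling; the function names and the optional ROOT prefix argument are assumptions made for illustration, and the process name is used exactly as this article gives it.

```shell
#!/bin/sh
# Added example: look for the KeRanger indicators named in this article.
# Function names and the ROOT prefix are illustrative assumptions.

# The two file paths given in the article.
KERANGER_PATHS="/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"

# Process name exactly as the article states it.
KERANGER_PROC="kernel_process"

# keranger_files [ROOT]: print each indicator file that exists under ROOT
# (ROOT is empty for the live system); return 1 if any was found.
keranger_files() {
    root="${1:-}"
    found=0
    for p in $KERANGER_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND file: $root$p"
            found=1
        fi
    done
    return "$found"
}

# keranger_proc_match: read one command name per line on stdin and succeed
# if any basename equals the process name (ps may print full paths).
keranger_proc_match() {
    awk -F/ -v n="$KERANGER_PROC" '$NF == n { hit = 1 } END { exit !hit }'
}

# keranger_scan [ROOT]: run both checks; return 1 if any indicator is present.
keranger_scan() {
    rc=0
    keranger_files "${1:-}" || rc=1
    if ps -A -o comm= | keranger_proc_match; then
        echo "FOUND process: $KERANGER_PROC"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "None of the article's KeRanger indicators were found."
    fi
    return "$rc"
}

keranger_scan "${1:-}" || echo "Indicators present: delete Transmission or restore a backup made before 2.90 was installed."
```

Pass a mount point as the first argument to check a mounted backup or disk image instead of the running system.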


If you are lucky and not infected despite having version 2.90 installed, and you want to avoid any problems, the best thing to do is update the application to version 2.91, which the developer has released. According to the Transmission developers, they do not know how this ransomware ended up in the installers on their servers, but everything seems to indicate that at some point they were hacked and the infected installation files were added.

At this time, they state that all available installation files are free of this ransomware, but nobody can guarantee that the attackers will not get into their servers and modify the files again, given that they already did it once without the developers noticing.

Fortunately, Apple quickly started looking for a solution to this problem and has updated Gatekeeper to include version 2.90 of Transmission, so that if any user tries to install it today, OS X shows a message saying that it cannot be opened and that the installation image must be closed. This does not prevent another application carrying different ransomware from arriving and locking all the documents on our Mac.


  1.   Joan Cut said

    You always have to be very careful when downloading updates to this type of program; it is clear that they never bring only improvements: they either add advertising in the best of cases or, in the worst, what is discussed in this post. Dangerous, very dangerous.

  2.   Antonio López said

    Good afternoon. By removing Transmission with an "Appcleaner" or similar uninstaller, can the virus be removed from the computer?