According to Palo Alto Networks’ analysis of the code, OSX.KeRanger.A ransomware had a payload that should’ve triggered today – three days after the initial infection on 4th March 2016. Well, as we write at 1pm PT/4pm ET/9pm GMT, we’ve not seen a single report of it hitting any Macs. We’ve been monitoring the usual channels closely, such as Apple’s community forums.
All of us have huge thanks to give not only to Apple’s developers, who managed to get out the XProtect anti-malware definition to remove OSX.KeRanger.A before it was even spotted by Transmission users, but also Palo Alto Networks, who spotted it in the first place. This has been a textbook example of how to mitigate what was very nearly a zero-day malware catastrophe that would’ve gone down in the history books.
Version 2.92 of Transmission also includes a routine to remove KeRanger from Macs, and users are encouraged to update if only for this reason – even if they already updated to the safe 2.91 release.
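For anyone managing a fleet of Macs, a small check of the installed Transmission version against the releases named above is the quickest way to see who still needs the update. The script below is an added example written for this post, not code from Transmission or Palo Alto Networks. It assumes Transmission is installed at the usual /Applications/Transmission.app path and that its Info.plist carries the standard CFBundleShortVersionString key (read with macOS’s PlistBuddy); the version comparison is written in plain POSIX sh so it does not depend on a GNU `sort -V`, and it handles multi-component versions generally (2.10 sorts after 2.9, and 2.92 equals 2.92.0).

```shell
#!/bin/sh
# Added example, not part of the original post: report whether an installed
# Transmission is old enough to still need the KeRanger-related updates.
# Assumptions: app bundle at /Applications/Transmission.app (overridable via $1),
# version stored under CFBundleShortVersionString in its Info.plist.

# version_ge A B -> exit 0 if dotted version A >= B, else 1.
# Compares component by component as integers, so 2.10 > 2.9 and 2.92 == 2.92.0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"                 # leading component
        [ "$a" = "$ac" ] && a="" || a="${a#*.}"     # drop it from the remainder
        [ "$b" = "$bc" ] && b="" || b="${b#*.}"
        ac="${ac%%[!0-9]*}"; bc="${bc%%[!0-9]*}"     # ignore suffixes like "b1"
        ac="${ac:-0}"; bc="${bc:-0}"                 # missing component == 0
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
    done
    return 0
}

# installed_transmission_version [PLIST] -> prints the bundle version, or "none"
# when the app (or PlistBuddy) is not present.
installed_transmission_version() {
    plist="${1:-/Applications/Transmission.app/Contents/Info.plist}"
    if [ -f "$plist" ]; then
        /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null || echo none
    else
        echo none
    fi
}

# transmission_status VERSION -> one of:
#   not-installed      no Transmission found
#   ok                 2.92 or later (includes the KeRanger removal routine)
#   update-recommended 2.91 (the clean re-release, but without the removal routine)
#   update-now         anything older than 2.91
transmission_status() {
    v="$1"
    if [ "$v" = none ]; then echo not-installed; return; fi
    if version_ge "$v" 2.92; then echo ok; return; fi
    if version_ge "$v" 2.91; then echo update-recommended; return; fi
    echo update-now
}

main() {
    v="$(installed_transmission_version "$1")"
    echo "Transmission $v: $(transmission_status "$v")"
}

# Run the check only when invoked as "sh check.sh --check [path/to/Info.plist]".
case "${1:-}" in --check) main "${2:-}" ;; esac
```

Run it as `sh check.sh --check` on each Mac (or point it at a copied Info.plist with a second argument); an exit status is not needed, since the one-line report is meant to be collected centrally and compared across machines.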
The day ain’t over yet, as Curly said in City Slickers, so there’s still a chance things could explode. But I think we’re in the clear now.
Kaspersky’s Threatpost blog has an interesting write-up where they speak to people involved at Palo Alto Networks and behind the scenes at Transmission.