Open Source · 2016-03-04 · 2 days · Financial Exploitation

Transmission installer delivered KeRanger

The official Transmission BitTorrent website was compromised, and attackers replaced the macOS installer for version 2.90 with a malicious disk image.

Story

The March 2016 Transmission compromise shipped KeRanger through the project's own macOS download path. Users who downloaded Transmission 2.90 from the official site during the affected window received a signed disk image carrying ransomware.

The malicious app bundle contained an extra executable named General.rtf under Transmission.app/Contents/Resources. At launch, the modified Transmission binary copied it to ~/Library/kernel_service and ran it before showing the normal interface. The installer was signed with a valid Apple-issued developer certificate, so Gatekeeper initially allowed it.

KeRanger slept for three days, contacted Tor-routed command servers, retrieved an RSA key, and prepared a ransom note. Its encryption routine targeted documents, media, archives, source code, databases, mail, certificates, and other user data under /Users and selected volumes.

Apple revoked the abused certificate and shipped XProtect signatures. Transmission users were told to delete infected 2.90 copies, check for General.rtf, kernel_service, and .kernel_* files, and upgrade to a clean release. The incident became the first widely reported functional ransomware delivery through a signed macOS open-source installer.
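The three on-disk indicators named in the remediation advice above (General.rtf inside the app bundle, ~/Library/kernel_service, and the .kernel_* files) can be checked with a short script. The following is an added example written for this page; it is not code from the incident record, from Apple, or from the Transmission project. It takes the app bundle and home directory as parameters so it can be run against a mounted volume or a test tree, and it assumes the .kernel_* files live under the home directory's Library folder, which the record does not state.

```shell
#!/bin/sh
# Added example (not from the incident record): look for the indicators
# the KeRanger advisory told Transmission 2.90 users to check for.
#
# Usage: keranger_indicators APP_BUNDLE HOME_DIR
# Prints one "FOUND:" line per indicator; returns 0 if none were found,
# 1 if at least one was found.
keranger_indicators() {
    app="$1"
    home="$2"
    found=0

    # 1. Extra executable shipped inside the trojanized Transmission.app
    if [ -f "$app/Contents/Resources/General.rtf" ]; then
        echo "FOUND: $app/Contents/Resources/General.rtf"
        found=1
    fi

    # 2. Copy of that executable dropped at launch under ~/Library
    if [ -e "$home/Library/kernel_service" ]; then
        echo "FOUND: $home/Library/kernel_service"
        found=1
    fi

    # 3. .kernel_* state files; searched under ~/Library (assumed location,
    #    the record only gives the name pattern)
    if [ -d "$home/Library" ]; then
        hits=$(find "$home/Library" -maxdepth 2 -name '.kernel_*' 2>/dev/null)
        if [ -n "$hits" ]; then
            echo "$hits" | sed 's/^/FOUND: /'
            found=1
        fi
    fi

    if [ "$found" -eq 0 ]; then
        echo "no KeRanger indicators under $app / $home"
    fi
    return "$found"
}

# Run directly with two arguments, e.g.:
#   sh check.sh /Applications/Transmission.app "$HOME"
if [ "$#" -eq 2 ]; then
    keranger_indicators "$1" "$2"
fi
```

A non-zero exit status means an indicator was present; the advisory's instruction in that case was to delete the infected 2.90 copy and upgrade to a clean release. Matching the hashes listed under Affected Artifacts against the downloaded disk image is a complementary check that this script does not perform.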

Affected Artifacts

transmission

· transmissionbt.com · repository · Binary Archive
Observed
2016-03-04 to 2016-03-06
Compromised Versions
Fixed
Not listed
Hashes
  • sha256:d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1
  • sha256:e3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574
  • sha256:31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9
  • +2 more

Incident Context

Motive
Financial Gain
Attribution
Group
Cause
Compromised Infrastructure
Transitive
No
Actor
Cybercriminal Gang

External References

Source record: oss/attacks/transmission/2016-03/meta.yaml