Imagine this: You’re editing an important document in Pages that the boss needs by the end of the day. Things are going great, and the music that’s softly playing in the background seems to be streaming along perfectly with each of your brilliant keystrokes. Because you’re a professional multi-tasker, you have your favorite BitTorrent client, Transmission, downloading a few shows for the evening. But before you can think about what happened in the last episode, you notice something strange sitting on your Mac's desktop. It's a file named ‘README_FOR_DECRYPT.TXT’, and it seems to be staring at you as if you took its lunch money. Out of pure curiosity you double-click the text file and it states, "All of your files are encrypted with 2048-bit RSA encryption. Pay 1 Bitcoin to have them decrypted." You begin to giggle as you pull up Finder and navigate to your Documents folder to take a peek. Your heart skips a beat, your mouth drops, and you immediately stop giggling. In fact, the background music screeches to a halt and you lift your fingers from the keyboard as if you personally could become infected.

"It's true...they're right...all of my files are encrypted." 

"How is this possible?" you whisper.

At this point your eyes begin to widen, you take the plunge and double-click a random document (the one that you’re working on for the boss), and it opens to nothing but gibberish.

What do you do now? 

Do you pay the ransom?

First, let me state that if you haven’t downloaded Transmission, or have no idea what BitTorrent is, you’re safe. This ransomware only affects users who have this specific application, and only version 2.90 of it. This means that this ransomware isn’t floating out in the ether waiting to jump on your Mac to have you pay a little over $400 (1 Bitcoin) to get your files back.

Secondly, if you use Transmission, check your version, and if you have 2.90, then follow the steps below. If your files are already encrypted because of this ransomware, you can easily get rid of the virus by following the same steps:

(1) Open Terminal

(2) Open Activity Monitor

(3) In Activity Monitor look for process “Kernel_service” & the Transmission application and “force quit” them.

(4) If neither stops, look at the “PID” number next to each process and write them down or commit them to memory.

(5) In Terminal type “kill 1234” (Without quotations & replace 1234 with the number from Activity Monitor. You’ll have to do this twice because you’re stopping two different processes.)

(6) Open Finder & go to Applications

(7) Drag Transmission to the Trash can and empty it. 

After you’ve completed all the steps you’re technically done, since the virus is gone. However, there are still files lingering on your Mac from this ransomware that deal with time (the timeframe for this virus to take hold is 3 days). If you want these gone as well, then follow the additional steps (remember to leave out the quotation marks when typing):

(1) Open Terminal

(2) Type “cd ~/library"

(3) Type “rm .kernel_pid”

(4) Type “rm .kernel_time"

(5) Type “rm .kernel_service"

(6) Type “rm .kernel_complete”

You may not have all of them, so don’t worry if your Mac can’t find each one.
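If you’d rather not type the two lists above by hand, here is a small shell script I put together that does the same thing (this is my own example, not something shipped with Transmission or written by the ransomware’s analysts). The file names (.kernel_pid, .kernel_time, .kernel_service, .kernel_complete), the process name (kernel_service) and the affected version (2.90) are exactly the ones from the steps above; the function names and the `--run` switch are my own invention, and the version check assumes the usual Info.plist layout where the `CFBundleShortVersionString` key sits on one line and its value on the next.

```shell
#!/bin/sh
# Added example, not from the original post: the same cleanup as the manual
# steps, wrapped in functions so each piece can be checked on its own.
# Nothing touches the real system unless the script is started with --run.

# Leftover timer/state files the post lists under ~/Library.
KERANGER_FILES=".kernel_pid .kernel_time .kernel_service .kernel_complete"

# Read the version out of a Transmission.app Info.plist.
# CFBundleShortVersionString is the standard bundle version key; it is parsed
# with awk (assuming the "<key>...</key>" line is followed by the
# "<string>...</string>" line) so this also works where `defaults` is absent.
transmission_version() {
    plist="$1"
    [ -f "$plist" ] || { echo "not-installed"; return 0; }
    awk '/<key>CFBundleShortVersionString<\/key>/ {
            getline
            gsub(/.*<string>|<\/string>.*/, "")
            print
            exit
         }' "$plist"
}

# Per the post, only Transmission 2.90 carries the ransomware.
is_affected_version() {
    [ "$1" = "2.90" ]
}

# First list, steps (3)-(5): find every process with this exact name and
# kill it, escalating to SIGKILL (the "force quit") if it is still running
# a second later.
stop_process() {
    name="$1"
    for pid in $(pgrep -x "$name"); do
        kill "$pid" 2>/dev/null || true
    done
    sleep 1
    for pid in $(pgrep -x "$name"); do
        kill -9 "$pid" 2>/dev/null || true
    done
}

# Second list, steps (2)-(6): delete whichever leftover files exist in the
# given directory (default ~/Library) and print how many were removed.
remove_leftovers() {
    dir="${1:-$HOME/Library}"
    removed=0
    for name in $KERANGER_FILES; do
        if [ -e "$dir/$name" ]; then
            rm -f "$dir/$name"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Only touch the real Mac when explicitly asked:  sh cleanup.sh --run
if [ "${1:-}" = "--run" ]; then
    ver=$(transmission_version /Applications/Transmission.app/Contents/Info.plist)
    echo "Transmission version: $ver"
    if is_affected_version "$ver"; then
        stop_process kernel_service
        stop_process Transmission
        rm -rf /Applications/Transmission.app   # step (7), skipping the Trash
        echo "removed $(remove_leftovers) leftover file(s) from ~/Library"
    else
        echo "not the affected version; nothing to do"
    fi
fi
```

Run it as `sh cleanup.sh --run` from Terminal. It stops at the version check if you don’t have 2.90, and, just like the manual steps, it quietly skips any of the four leftover files that aren’t there. It does not (and cannot) decrypt anything, which is why the Time Machine step below still applies.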

After you've completed that task, the files will still be encrypted, so you will have to use Time Machine to pull from your latest backup. Fortunately, in this scenario you were working in Pages, meaning that your documents are saved to your iCloud Drive, so you could carry on from there if you needed to. However, it is recommended that you restore your Mac from a Time Machine backup to make everything go back to normal.

Lastly, as Mac malware becomes more prevalent, it’s smart to protect yourself with a strong antivirus and an intelligent software firewall (Intego X8 has both in one application). Intego is what I have always used and I’ve never had an issue (including with Windows viruses that latch onto Word documents, because Intego can scan and quarantine PC malware too).

If you don't have an antivirus for your Mac, then pick one up by clicking the Intego icon in the bottom right hand corner of my blog.

That’s it for now!
