RobertAPetersen 29 points 17 hours ago
How to Protect Yourself
Users who have directly downloaded the Transmission installer from the official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger. If the Transmission installer was downloaded earlier or downloaded from any third party websites, we also suggest users perform the following security checks. Users of older versions of Transmission do not appear to be affected as of now.
We suggest users take the following steps to identify and remove KeRanger before it holds their files for ransom:
Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users/<username>/Library/kernel_service” (Figure 12). If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit”.
After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, you should delete them.
Ensure you update to Transmission 2.92.
Malwarebytes for Mac is updated to scan for this ransomware as well: https://www.malwarebytes.org/antimalware/mac/
In general even us Mac users should be running anti-virus/anti-malware as well.
I recommend either Avira: Free Antivirus for Mac - Download the best Mac antivirus
or Sophos: http://www.sophos.com/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx
Extra recommended step for me personally, install BlockBlock:
Malware installs itself persistently, to ensure it's automatically re-executed at reboot. BlockBlock continually monitors common persistence locations and displays an alert whenever a persistent component is added to the OS. https://objective-see.com/products/blockblock.html
This issue with Transmission only appears to have been for those who manually downloaded Transmission recently. If you've been using auto update within the application you should be OK, but even then run scans anyway to err on the side of caution.
Write-up with further information: New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer - Palo Alto Networks Blog
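
The file and process checks listed in the comment above can be run from Terminal in one pass. This is an added example, not code from the comment or from the Palo Alto Networks write-up; the function names and the root-prefix argument (for scanning a copied or mounted tree) are assumptions made here.

```shell
#!/bin/sh
# Added example: looks only for the indicators named in the steps above.

# Print each indicator file found. $1 is a root prefix (empty = live system,
# an assumption added so a copied tree can be scanned); $2 is the home
# directory to inspect. Returns 1 if anything was found, 0 if clean.
keranger_scan_files() {
    root=$1
    home_dir=$2
    found=0
    for f in \
        "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
        "$root$home_dir/Library/.kernel_pid" \
        "$root$home_dir/Library/.kernel_time" \
        "$root$home_dir/Library/.kernel_complete" \
        "$root$home_dir/Library/kernel_service"
    do
        if [ -e "$f" ]; then
            echo "FOUND: $f"
            found=1
        fi
    done
    return "$found"
}

# Report a running process named exactly kernel_service (live system only).
keranger_scan_process() {
    command -v pgrep >/dev/null 2>&1 || { echo "pgrep not available, use Activity Monitor"; return 0; }
    if pids=$(pgrep -x kernel_service); then
        echo "RUNNING: kernel_service (pid $pids)"
        return 1
    fi
    return 0
}

status=0
keranger_scan_files "" "${HOME:-/nonexistent}" || status=1
keranger_scan_process || status=1
if [ "$status" -eq 0 ]; then
    echo "No KeRanger indicators from the list above were found."
else
    echo "Indicators found: follow the removal steps above."
fi
```

A clean result only covers the indicators named in the steps above; it does not replace the scanner and update recommendations.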