On 3/4/16, a Mac crypto ransomware threat, dubbed KeRanger by Palo Alto Networks, briefly flared in the wild. It could encrypt all of a Mac’s files, and it then demanded around $400 in bitcoin to unlock them.

The only Macs infected by KeRanger belonged to users of a BitTorrent app named Transmission who updated to Transmission 2.9 when it was released on 3/4/16. The malware was inserted into the app by someone on the Transmission development team, and was able to get past Apple’s built-in XProtect defenses because it was signed with a valid developer security certificate.

Within 2 hours of KeRanger’s discovery, Apple had revoked the security certificate needed to install Transmission 2.9. The next day, the developer released Transmission 2.9.2, which was malware-free, signed with a new security certificate, and included a utility to clean up KeRanger if it had previously been installed. It is estimated that 6500 Mac users downloaded Transmission 2.9, but it is unknown how many were able to install it before Apple revoked its security certificate.

The big takeaway is that Apple updated OS X’s built-in XProtect malware definitions almost immediately after KeRanger’s discovery, more quickly, in fact, than third-party Mac AV/AM software.