With the help of security researchers, Apple over the weekend quickly blocked a cyberattack aimed at infecting Mac users with file-encrypting malware known as ransomware.
The incident is believed to be the first Apple-focused attack using ransomware, which typically targets computers running Windows.
Victims of ransomware are asked to pay a fee, usually in bitcoin, to get access to the decryption key to recover their files.
Security company Palo Alto Networks wrote on Sunday that it found the “KeRanger” ransomware bundled into Transmission, a free BitTorrent client for Mac.
Transmission warned on its website that people who downloaded the 2.90 version of the client “should immediately upgrade to 2.92.”

It was unclear how the attackers managed to upload a tampered version of Transmission to the application’s website. But compromising legitimate applications is a commonly used method of distributing malware.
“It’s possible that Transmission’s official website was compromised and the files were replaced by re-compiled malicious versions, but we can’t confirm how this infection occurred,” Palo Alto wrote on its blog.

The tainted Transmission version was signed with a legitimate Apple developer’s certificate. If a Mac user’s security settings are set to allow downloads from identified Apple developers, the person may not see a warning from Apple’s Gatekeeper that the application could be dangerous. Security researcher Patrick Wardle of Synack has previously disclosed flaws in Gatekeeper that can lead to malicious code being installed from seemingly legitimate sources.

Apple revoked the certificate after being notified on Friday, Palo Alto wrote. The company has also updated its XProtect antivirus engine.
After it is installed on a system, KeRanger waits three days before connecting to a remote command-and-control server over the Tor network. It is coded to encrypt more than 300 types of files.
The ransom is 1 bitcoin, or about $404.