Bitcoin Ransomware Attack Hits Apple; 6,500 Users Likely Affected

In what is being considered the first ransomware attack focused on Apple, nearly 6,500 Mac users are expected to have been affected by KeRanger, the first fully functional ransomware seen on the OS X platform.

Enterprise security company Palo Alto Networks said that the KeRanger application was signed with a valid Mac app development certificate, meaning that it was able to bypass Apple’s Gatekeeper protection.

The report explains that when a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then starts encrypting certain types of document and data files on the system. Once the encryption process is over, KeRanger demands that victims pay one bitcoin ($415.50 at the time of publishing) to a specific address to retrieve their files.

According to the report, the hackers used the Transmission BitTorrent client installer for OS X for the attack. Attackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4.

The security firm reported the ransomware issue to Apple on March 4. The iPhone maker has since revoked the abused certificate and updated the XProtect antivirus signature, and the Transmission Project has removed the malicious installers from its website.

Forbes reported that Transmission’s main server was compromised, according to John Clay of the Transmission Project.

“Security has since been increased. We don’t have any comment at this time as to the method of attack,” said Clay. “Our best guess at this point is that approximately 6,500 infected disk images were downloaded. Of those, our presumption is that many were unable to run the infected file due to Apple quickly revoking the certificate used to sign the binary [the file], as well as updating the XProtect [Apple's anti-malware technology] definitions. We’re waiting on confirmation from Apple on that.”

Transmission issued a warning on its website that users who downloaded the 2.90 version of the client “should immediately upgrade to 2.92”, PCWorld reported. It added that users of 2.91 should also upgrade to and run 2.92, explaining that though 2.91 was never infected, it did not automatically remove the malware-infected file.

Palo Alto Threat Intelligence Director Ryan Olson told Reuters that users whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission's site.
