Ransomware arrives on the Mac: OSX/KeRanger-A

It’s happened: there’s now ransomware for the Mac, and it’s been named OSX/KeRanger-A.

Here’s what the crooks and their malware do:

  • Trick you into updating an application you are inclined to trust.
  • When you do so, the update installs and runs the ransomware program.
  • It proceeds to scramble files in your home directory and on currently-mounted volumes, adding the extension “.encrypted” each time.
  • It then puts a file called “README_FOR_DECRYPT.txt” in every directory where a file was encrypted.

What happens if you get infected?

The malware will scramble everything it can find in your home directory (that means in and below /Users/YourNameHere), and a long list of file types on all mounted volumes such as USB keys, removable disks and network shares (on OS X, that’s everything under /Volumes). Your files are encrypted with random keys using the AES algorithm. If you try to open any of the “.encrypted” files, you’ll be confronted with random-looking binary garbage. The crooks end up with the master key to all your files.

If you don’t have a backup from which you can restore your scrambled files, the only known way to get them back is to follow the instructions in the “README_FOR_DECRYPT.txt” file, which we do not recommend: there is no certainty that paying a ransom to the crooks will get you access to your files.

How did my computer get infected?

Unlike most Windows ransomware of recent months, which arrives as an email attachment, this one has been distributed differently, so far. The crooks hacked into the download server of a popular BitTorrent client called Transmission, modified the version numbered 2.90, and published it as an official download on the same site. Approximately 6500 users downloaded the modified application before the server was shut down. Soon after, the company produced a CLEAN replacement, version 2.91, and put it into distribution on different, secure servers. As of March 10, 2016, the current version of the Transmission application is version 2.92.

The Transmission app itself was only slightly modified: a small snippet of code was added to launch the malware, which was placed in the Transmission package under the innocent-looking name “General.rtf”. Despite its name, “General.rtf” is a regular OS X executable file, and the hacked Transmission app launches it as “kernel_service”. After 72 hours, the ransomware triggers and the damage listed above is carried out.

Note that the ransomware program doesn’t try to acquire administrative powers, because it doesn’t need them to access your files: if you can write to them, so can any malware that you launch by mistake. That means you won’t see any dialogs popping up asking for your administrative password. Some Mac users still wrongly think that a password dialog is an inevitable side-effect of a malware infection, and is thus a handy way to spot that something malicious is about to happen – but that’s not correct.
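As an added example (not from the original article), the following shell script checks a Mac, read-only, for the artifacts described above: a Transmission bundle carrying a “General.rtf” that is not actually RTF text, the “.encrypted” files and “README_FOR_DECRYPT.txt” notes, and a running “kernel_service” process. The “{\rtf” header test and the sample paths in the comments are assumptions of the example, not details given in the article.

```shell
#!/bin/sh
# Added example (not part of the original article): a read-only check for the
# OSX/KeRanger-A artifacts the article describes. Each function prints what it
# finds, one item per line, and returns 0 only when at least one indicator
# was found. Arguments default to the live Mac; pass a constructed tree or
# process list instead to run the checks offline.

# 1. A Transmission bundle carrying "General.rtf" that is not really RTF text.
#    Assumption: a genuine RTF document starts with the bytes "{\rtf"; the
#    planted file is a Mach-O executable, so it does not.
check_transmission_bundle() {
  app="${1:-/Applications/Transmission.app}"
  [ -d "$app" ] || return 1
  hits=$(find "$app" -type f -name General.rtf 2>/dev/null | while IFS= read -r f; do
    head -c 5 "$f" | grep -q '^{\\rtf' || printf '%s\n' "$f"
  done)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# 2. The ransom note and the ".encrypted" files the payload leaves behind
#    under the home directory (or any mounted volume passed as $1).
find_encrypted_artifacts() {
  root="${1:-$HOME}"
  [ -d "$root" ] || return 1
  hits=$(find "$root" -type f \( -name README_FOR_DECRYPT.txt -o -name '*.encrypted' \) 2>/dev/null)
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# 3. The launcher process name the article gives. Reads command names from
#    a file when $1 is given (for offline testing), otherwise from ps.
check_kernel_service_process() {
  if [ -n "$1" ]; then cat "$1"; else ps -A -o comm= 2>/dev/null; fi |
    grep -E '(^|/)kernel_service$'
}

# Run all three against the live system; exit 0 if anything suspicious turned up.
keranger_scan() {
  found=1
  check_transmission_bundle && found=0
  find_encrypted_artifacts && found=0
  check_kernel_service_process && found=0
  return $found
}
```

Source the file and call `keranger_scan`, or run a single check against a specific location, e.g. `find_encrypted_artifacts /Volumes/Backup`.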

What should I do?

  • Install and run a Mac anti-virus application that can automatically scan the files you download before you run them for the first time, and that can check the websites you try to access before your browser reaches them. Sophos Home should be installed on PERSONALLY owned Macs and MS SCEP should be installed on University owned equipment.
  • Make regular backups and keep a recent backup copy offline. OS X’s Time Machine backup software can create encrypted backups, so even if the disk they’re stored on is stolen, your backup is safe from prying eyes.
  • Another highly advisable setting is in the “Security & Privacy” System Preferences panel: under “Allow apps downloaded from:”, select “Mac App Store” or “Mac App Store and identified developers”. This setting requires that all installers be code-signed with a certificate issued by Apple, and Gatekeeper also checks the signature against a blacklist of known malware signatures and will prevent matching apps from executing under any circumstances.

    This article details Gatekeeper: https://support.apple.com/en-us/HT202491

    This article details the integrated malware detection: https://support.apple.com/en-us/HT201940

Edited by UNH ISS from the article by Paul Ducklin at Towerwall.com, March 2016. Additional information supplied by Joe Kazura and Tim Clark, UNH IT, March 10, 2016.
