Ransomware arrives on the Mac: OSX/KeRanger-A

It’s happened: there’s now ransomware for the Mac, and it’s been named OSX/KeRanger-A.

Here’s what the crooks and their malware do:

  • Trick you into updating an application you are inclined to trust.
  • When you do so, the update installs and runs the ransomware program.
  • It proceeds to scramble files in your home directory and on currently mounted volumes, adding the extension “.encrypted” each time.
  • It then puts a file called “README_FOR_DECRYPT.txt” in every directory where a file was encrypted.

What happens if you get infected?

The malware will scramble everything it can find in your home directory (that means in and below /Users/YourNameHere), and a long list of file types on all mounted volumes such as USB keys, removable disks and network shares (on OS X, that’s everything under /Volumes). Your files are encrypted with random keys using the AES algorithm. If you try to open any of the “.encrypted” files, you’ll be confronted with random-looking binary garbage. The crooks end up with the master key to all your files.

If you don’t have a backup from which you can restore your scrambled files, the only known way to get them back is to follow the instructions in the “README_FOR_DECRYPT.txt” file, which we do not recommend: there is no certainty that paying the ransom will actually get you access to your files.

How did my computer get infected?

Unlike most Windows ransomware of recent months, which arrives by email as an attachment, this one has been distributed differently – so far. The crooks hacked into the download server of a popular BitTorrent client called Transmission, modified the version numbered 2.90, and published it as an official download on the same site. Approximately 6500 users downloaded the modified application before the server was shut down. Soon afterwards the company produced a CLEAN replacement, version 2.91, and put it into distribution on different, secure servers. As of March 10, 2016, the current version of the Transmission application is 2.92.

The Transmission app itself was very slightly modified to include an additional snippet of code that runs the malware, which was added to the Transmission package under the innocent-looking name “General.rtf”. The “General.rtf” file is in fact a regular OS X executable, and the hacked Transmission app launches it as “kernel_service”. After 72 hours, the ransomware triggers and the damage listed above is carried out.

 Note that the ransomware program doesn’t try to acquire administrative powers, because it doesn’t need them to access your files: if you can write to them, so can any malware that you launch by mistake. That means you won’t see any dialogs popping up asking for your administrative password. Some Mac users still wrongly think that a password dialog is an inevitable side-effect of a malware infection, and is thus a handy way to spot that something malicious is about to happen – but that’s not correct.
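As an added defender-side example (not part of the original article), the following Python script sweeps a directory tree for the three indicators described above: files carrying the “.encrypted” suffix, the “README_FOR_DECRYPT.txt” note, and a file named “General.rtf” whose bytes are a Mach-O executable rather than rich text. The sample tree it builds, including the Transmission.app/Contents/Resources location, is constructed for the demonstration and contains no malware.

```python
import os
import tempfile

# Indicators named in the article: the ".encrypted" suffix, the ransom note,
# and "General.rtf", the file in the tampered app that is really an executable.
ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE = "README_FOR_DECRYPT.txt"
DROPPER_NAME = "General.rtf"
# Mach-O magic numbers: 32/64-bit in both byte orders, plus fat binaries.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def is_macho(path):
    """True if the file starts with a Mach-O header, i.e. it is native code."""
    try:
        with open(path, "rb") as f:
            return f.read(4) in MACHO_MAGICS
    except OSError:
        return False

def scan(root):
    """Walk root (a home directory, or /Volumes) and collect the indicators."""
    found = {"encrypted": [], "notes": [], "droppers": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                found["notes"].append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                found["encrypted"].append(path)
            elif name == DROPPER_NAME and is_macho(path):
                found["droppers"].append(path)   # an .rtf that is really code
    return found

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def build_sample_tree():
    """Constructed sample (no real malware): an 'infected' Documents folder and
    an app bundle carrying a Mach-O file under the name General.rtf."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "Documents")
    res = os.path.join(root, "Transmission.app", "Contents", "Resources")
    _write(os.path.join(docs, "thesis.docx" + ENCRYPTED_SUFFIX), os.urandom(64))
    _write(os.path.join(docs, RANSOM_NOTE), b"constructed ransom note\n")
    _write(os.path.join(res, DROPPER_NAME), b"\xcf\xfa\xed\xfe" + b"\0" * 28)
    _write(os.path.join(res, "Credits.rtf"), b"{\\rtf1 genuine rich text}")  # benign
    return root

if __name__ == "__main__":
    print(scan(build_sample_tree()))
```

Run against a real home directory or /Volumes, a non-empty result for any of the three keys is a reason to disconnect the machine from shared storage and restore from an offline backup.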

What should I do?

  • Install and run a Mac anti-virus application that can automatically scan the files you download before you run them for the first time, and that can check out the websites you try to access before your browser gets to them. Sophos Home should be installed on PERSONALLY owned Macs, and MS SCEP on University-owned equipment.
  • Make regular backups and keep a recent backup copy offline. OS X’s Time Machine backup software can create encrypted backups, so even if the disk they’re stored on is stolen, your backup is safe from prying eyes.
  • Another highly advisable setting is in the "Security & Privacy" System Preferences panel: under "Allow apps downloaded from:", choose "Mac App Store" or "Mac App Store and identified developers". With this setting, Gatekeeper requires all installers to be code-signed by Apple, also checks the signature against a blacklist of known malware signatures, and will prevent them from executing under any circumstances if they match the blacklist.

    This article details Gatekeeper: https://support.apple.com/en-us/HT202491

    This article details the integrated malware detection: https://support.apple.com/en-us/HT201940

Edited by UNH ISS from the article by Paul Ducklin at Towerwall.com, March 2016. Additional information supplied by Joe Kazura and Tim Clark, UNH IT, March 10, 2016.

Custom Fields
  • Department: Information Security Services