Ransomware arrives on the Mac: OSX/KeRanger-A

It’s happened: there’s now ransomware for the Mac, and it’s been named OSX/KeRanger-A.

 Here’s what the crooks and their malware do:

  • Trick you into updating an application you are inclined to trust.
  • When you do so, the update installs and runs the ransomware program.
  • It proceeds to scramble files in your home directory and on currently-mounted volumes, adding the extension “.encrypted” to each one.
  • It then puts a file called “README_FOR_DECRYPT.txt” in every directory where a file was encrypted.

What happens if you get infected?

 The malware will scramble everything it can find in your home directory (that means in and below /Users/YourNameHere), plus a long list of file types on all mounted volumes such as USB keys, removable disks and network shares (on OS X, that’s everything under /Volumes). Each file is encrypted with its own random key using the AES algorithm, and those keys are in turn locked so that only the crooks can recover them. If you try to open any of the “.encrypted” files, you’ll be confronted with random-looking binary garbage; without the crooks’ master key, the data cannot be unscrambled.

 If you don’t have a backup from which you can restore your scrambled files, the only known way to get them back is to follow the instructions in the “README_FOR_DECRYPT.txt” file and pay the crooks, which we do not recommend: there is no certainty that paying the ransom will get you access to your files.

How did my computer get infected?

 Unlike most Windows ransomware of recent months, which arrives as an email attachment, this one has been distributed differently, so far. The crooks hacked into the download server of a popular BitTorrent client called Transmission, modified the installer for version 2.90, and published it as an official download on the same site. Approximately 6500 users downloaded the modified application before the server was shut down. Soon after, the project produced a CLEAN replacement, version 2.91, and put it into distribution on different, secure servers. As of March 10, 2016, the current version of Transmission is 2.92.

 The Transmission app itself was only slightly modified: a small extra snippet of code was added to start the malware, and the malware itself was added to the Transmission package under the innocent-looking name “General.rtf”. Despite the name, “General.rtf” is a regular OS X executable file, which the hacked Transmission app launches as “kernel_service”. The ransomware then waits 72 hours before it triggers and carries out the damage listed above.

 Note that the ransomware program doesn’t try to acquire administrative powers, because it doesn’t need them to reach your files: if you can write to them, so can any malware you launch by mistake. That means you won’t see any dialog popping up asking for your administrative password. Some Mac users still wrongly believe that a password dialog is an inevitable side-effect of a malware infection, and thus a handy way to spot that something malicious is about to happen; it isn’t.
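 As an added example (this is not code from the original article, from Sophos, Apple or the Transmission project), here is a read-only shell script that checks a Mac for the indicators described above: a “General.rtf” inside Transmission.app that is really a Mach-O executable rather than a document, a dropped “kernel_service” file or running process, and “.encrypted” files or “README_FOR_DECRYPT.txt” notes in the home directory and under /Volumes. It assumes Transmission.app lives in /Applications or ~/Applications and that the dropped copy sits in ~/Library (the article says only that it is launched as “kernel_service”), so adjust those paths if yours differ. It only reports; it deletes nothing.

```shell
#!/bin/sh
# Added example, not from the original article or from the Transmission,
# Sophos or Apple projects: a read-only triage script for the KeRanger
# indicators named in the article. Assumptions (labelled as such): the
# trojanised app is installed as Transmission.app under /Applications or
# ~/Applications, the dropped payload sits in ~/Library as "kernel_service",
# and scrambled files carry the ".encrypted" suffix and README_FOR_DECRYPT.txt
# markers described above. The script only reads; it removes nothing.

# is_macho FILE: return 0 if FILE starts with a Mach-O magic number, i.e. the
# "RTF" is really a native OS X executable, 1 otherwise. The values are the
# 32/64-bit thin Mach-O headers (both byte orders) and the fat/universal header.
is_macho() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

# keranger_check SYSTEM_ROOT USER_HOME: print one line per indicator found and
# return the number of findings (0 means none). SYSTEM_ROOT lets you point the
# checks at a mounted disk image instead of the live system.
keranger_check() {
    root="${1:-/}"; root="${root%/}"
    home="${2:-$HOME}"
    hits=0

    # 1. The payload hidden in the Transmission bundle as General.rtf.
    for app in "$root/Applications/Transmission.app" "$home/Applications/Transmission.app"; do
        rtf="$app/Contents/Resources/General.rtf"
        [ -f "$rtf" ] || continue
        if is_macho "$rtf"; then
            echo "INDICATOR: $rtf is a Mach-O executable, not a document"
            hits=$((hits + 1))
        else
            echo "note: $rtf exists but is not an executable"
        fi
    done

    # 2. The copy the hacked app launches as kernel_service
    #    (assumed location: the user's Library folder).
    if [ -e "$home/Library/kernel_service" ]; then
        echo "INDICATOR: $home/Library/kernel_service present"
        hits=$((hits + 1))
    fi

    # 3. Evidence that the 72-hour timer already fired: scrambled files or
    #    ransom notes in the home directory or on any mounted volume.
    for dir in "$home" "$root/Volumes"; do
        [ -d "$dir" ] || continue
        if find "$dir" \( -name '*.encrypted' -o -name 'README_FOR_DECRYPT.txt' \) \
                -print 2>/dev/null | head -n 1 | grep -q .; then
            echo "INDICATOR: .encrypted files or README_FOR_DECRYPT.txt under $dir"
            hits=$((hits + 1))
        fi
    done

    return "$hits"
}

# keranger_process_check: return 0 if a process named kernel_service is running.
# Kept separate from the file checks so a disk image can be triaged offline.
keranger_process_check() {
    ps -A -o comm= 2>/dev/null | grep -q 'kernel_service$'
}

# The paths above only exist on OS X, so the live scan runs only there.
# Usage: sh keranger_check.sh                  (scan the running Mac as the logged-in user)
#        sh keranger_check.sh /Volumes/Backup  (scan a mounted image or disk instead)
if [ "$(uname -s)" = Darwin ]; then
    keranger_check "${1:-/}" "$HOME" && n=0 || n=$?
    if [ "$n" -eq 0 ]; then
        echo "No KeRanger file indicators found."
    else
        echo "$n KeRanger file indicator(s) found (see above)."
    fi
    keranger_process_check && echo "INDICATOR: a kernel_service process is running."
fi
```

 Run it as the user whose home directory you want checked; a finding from check 1 or 2 means the hacked installer ran, and a finding from check 3 means the damage has already started, in which case the machine should be disconnected from the network and any still-clean backup disks kept unplugged.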

What should I do?

  • Install and run a Mac anti-virus application that can automatically scan the files you download before you run them for the first time, and that can check out the websites you try to access before your browser gets to them. Sophos Home should be installed on PERSONALLY owned Macs and Microsoft System Center Endpoint Protection (SCEP) on University-owned equipment.
  • Make regular backups and keep a recent backup copy offline: because KeRanger scrambles every mounted volume, a backup disk that is left plugged in would be encrypted along with everything else. OS X’s Time Machine backup software can create encrypted backups, so even if the disk they’re stored on is stolen, your backup is safe from prying eyes.
  • Another highly advisable setting is in the “Security & Privacy” System Preferences panel: under “Allow apps downloaded from:”, choose “Mac App Store” or “Mac App Store and identified developers”. With this setting, Gatekeeper refuses to run downloaded apps unless they come from the App Store or are signed with an Apple-issued Developer ID certificate, and it blocks apps whose certificate Apple has revoked. Separately, OS X’s built-in malware detection (File Quarantine / XProtect) compares downloaded files against Apple’s list of known malware and refuses to open those that match. One caveat: the poisoned Transmission 2.90 was signed with a valid Developer ID certificate (not Transmission’s usual one), so Gatekeeper let it through at the time; Apple has since revoked that certificate and added KeRanger to its malware list, so these protections now block that download but cannot be relied on to catch the next one.

    This article details Gatekeeper: https://support.apple.com/en-us/HT202491

    This article details the built-in malware detection: https://support.apple.com/en-us/HT201940

Edited by UNH ISS from the article by Paul Ducklin at Towerwall.com, March 2016. Additional information supplied by Joe Kazura and Tim Clark, UNH IT, March 10, 2016.
