New ransomware infecting Apple OS X surfaced on
March 4th 2016, with the emergence of KeRanger.
The first inkling of trouble came at the weekend.
Users of Transmission – a BitTorrent client widely used on OS X – might have
noticed the following warning:
According to the warning, which was displayed
within the Transmission application and on its website, version 2.90 of the
application was infected. All users were recommended to upgrade immediately to
2.91, as they might have fallen victim to new file-encrypting ransomware to
target OS X – dubbed KeRanger.
Analysis of this threat was first published by Palo Alto Networks. ESET researcher Anton Cherepanov also
spotted it and has completed his own analysis. Here is what you need to know,
followed by his technical analysis.
1.
Is KeRanger
just a proof-of-concept or fully functional in-the-wild malware?
Unfortunately, the latter.
2.
How does
KeRanger spread?
It’s spread via an infected version of an otherwise
legitimate open source BitTorrent application – Transmission. Its malicious
version (2.90) was available for download between March 4 and March 5, 2016 and
was signed with a legitimate developer certificate.
3.
Is it still
spreading?
As of March 5, the malicious version was removed
from Transmission’s website. Also, Apple has revoked the misused certificate to
prevent users from opening the infected installer even if it is downloaded from
a third-party location.
4.
I haven’t
seen any demand for ransom. Does that mean my Mac has dodged KeRanger?
Not necessarily. The version of KeRanger we have
analyzed stays idle for three days after initial infection. To determine if
KeRanger is present on your Mac, do the following:
·
If any of
these files exist, delete them and uninstall the Transmission app:
o /Applications/Transmission.app/Contents/Resources/
General.rtf
o /Volumes/Transmission/Transmission.app/Contents/Resources/
General.rtf
o %HOME_DIR%/Library/kernel_service/kernel_service
o %HOME_DIR%/Library/kernel_service/.kernel_pid
o %HOME_DIR%/Library/kernel_service/.kernel_time
5.
Is there any
way to decrypt the files?
Unfortunately, there is not. The malware uses
cryptographic algorithms (RSA-2048 and AES-256) that are effectively
unbreakable.
6.
How can I
protect my data?
Use reliable security solution. ESET’s users are
protected – our software detects KeRanger under OSX/Filecoder.KeRanger.A. We
strongly recommend that users back up all of their valuable data on a regular
basis.