In case you haven’t heard, the first ransomware to successfully attack Macs has surfaced on the Web, spreading via a trojanized build of the Transmission BitTorrent client for Mac. The ransomware, dubbed KeRanger (Ransomware.OSX.KeRanger), is the first fully functional ransomware targeting Mac users.
According to researchers at Palo Alto Networks, the first infections took place on March 4. A cyber criminal compromised the official Transmission website and replaced the legitimate Mac client, version 2.90, with a modified installer that carried KeRanger.
Ransomware.OSX.KeRanger – the Pioneer Ransomware for Mac Users
One might expect the first functional Mac ransomware to have flaws, or at least rough edges. However, researchers warn that KeRanger is as dangerous as the average ransomware written for Windows. More precisely, KeRanger closely replicates the Windows and Linux file encryptors that have been infecting users worldwide.
KeRanger – Technical Review
KeRanger encrypts files with AES. It targets more than 300 file extensions, among them:
- Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex
- Images: .jpg, .jpeg
- Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac
- Archives: .zip, .rar, .tar, .gzip
- Source code: .cpp, .asp, .csh, .class, .java, .lua
- Database: .db, .sql
- Email: .eml
- Certificate: .pem
Interestingly, encryption does not start until three days after the initial infection. What does this mean? Users who downloaded the compromised Transmission client around March 4 could still remove the ransomware before any of their data was encrypted.
The ransom demanded is 1 Bitcoin, roughly $400 at the time. Payment is made through a Tor hidden service (a .onion site).
How to Remove KeRanger Ransomware from Infected Macs
An important remark for Mac users who downloaded the Transmission installer directly from its official website after 11:00 AM PST on March 4 and before 7:00 PM PST on March 5: you are very likely infected with KeRanger. Even if the installer was downloaded from a third-party website or earlier than that window, you should still check your system for the ransomware. The only good news is that older versions of Transmission appear to be unaffected.
Researchers at Palo Alto Networks strongly advise following these steps to remove KeRanger:
- 1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either file exists, that copy of Transmission is infected and should be deleted.
- 2. Using the “Activity Monitor” preinstalled in OS X, check whether a process named “kernel_service” is running. If so, inspect the process, choose “Open Files and Ports”, and check whether it has a file open with a name like “/Users/<username>/Library/kernel_service”. If so, the process is KeRanger’s main process; terminate it with “Quit -> Force Quit”.
- 3. After these steps, also check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, delete them.
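The three steps above, scripted as an added example for this article (this is not Palo Alto Networks’ or the Transmission project’s code). It checks for the indicator files and the kernel_service process described above, removes the per-user files, and, on a Mac, asks Gatekeeper to assess the installed Transmission bundle. The file names and paths are exactly those quoted in the steps; the home-directory and root-prefix arguments are assumptions added only so the check can be exercised against a constructed directory tree, and the `spctl` invocation is the standard macOS Gatekeeper assessment, which is skipped where the tool is absent.

```shell
#!/bin/sh
# Added example, not the article's or Palo Alto Networks' own tooling.
# Triage and cleanup for the KeRanger indicators listed in steps 1-3.
# $1/$2 (home dir, root prefix) are assumptions that exist only for testing on a
# constructed tree; on a real Mac call the functions with no arguments.

# Print every KeRanger indicator file that exists (steps 1 and 3).
# Returns 0 if at least one was found, 1 if none.
keranger_find_files() {
    home_dir="${1:-$HOME}"
    root="${2:-}"
    hits=0
    for f in \
        "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
        "$home_dir/Library/.kernel_pid" \
        "$home_dir/Library/.kernel_time" \
        "$home_dir/Library/.kernel_complete" \
        "$home_dir/Library/kernel_service"; do
        if [ -e "$f" ]; then
            printf 'INDICATOR: %s\n' "$f"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Read process names on stdin (one per line, e.g. from `ps -axo comm=`, which on
# macOS prints the full executable path) and return 0 if kernel_service is among them.
keranger_find_process() {
    grep -Eq '(^|/)kernel_service$'
}

# Delete the per-user dropper files from ~/Library (step 3). The infected
# Transmission.app itself is left for the user to remove as a whole (step 1).
keranger_remove_user_files() {
    home_dir="${1:-$HOME}"
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        [ -e "$home_dir/Library/$name" ] && rm -f "$home_dir/Library/$name"
    done
    return 0
}

# Force-quit the running dropper (step 2). pgrep -x matches the exact process name.
keranger_kill_process() {
    pids=$(pgrep -x kernel_service 2>/dev/null) || return 1
    kill -9 $pids
}

# Gatekeeper assessment (macOS only): a reinstalled Transmission 2.92 should be
# reported as "accepted"; a bundle signed with the revoked certificate is rejected.
keranger_assess_transmission() {
    app="${1:-/Applications/Transmission.app}"
    command -v spctl >/dev/null 2>&1 || { echo "spctl not available (not macOS)"; return 2; }
    spctl --assess --type execute -v "$app"
}

# Full triage for the current user: files, process, then signature.
keranger_triage() {
    echo "== indicator files =="
    keranger_find_files "$HOME" "" || echo "none found"
    echo "== kernel_service process =="
    if ps -axo comm= | keranger_find_process; then
        echo "kernel_service is running (force-quit it: keranger_kill_process)"
    else
        echo "not running"
    fi
    echo "== Gatekeeper =="
    keranger_assess_transmission
}
```

Run `keranger_triage` first and act on what it reports; run `keranger_remove_user_files` only after the process has been force-quit, otherwise the running dropper can recreate its marker files.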
Has KeRanger Been Neutralized?
Luckily, yes. Apple has already neutralized the ransomware, so for now things look good. However, researchers note that KeRanger contains features that are not yet complete, which means it could return in new versions that finish them. One such component, if completed, would target Time Machine backup files, so recovery from older system backups would no longer be possible.
Another notable but still unfinished characteristic would enable remote control, making KeRanger behave exactly like a backdoor on a Windows system.
So, one crucial and logical question to be asked here is…
How Did KeRanger Bypass Apple’s GateKeeper?
Quite simply, by being signed with a valid Apple developer certificate that did not belong to the Transmission project, so Gatekeeper treated the installer as trusted. Apple has since revoked that certificate and updated the XProtect antivirus signatures to protect users from KeRanger going forward. The open-source Transmission project has removed the compromised binaries from its website and issued a new Mac client, version 2.92.
The conclusion? No operating system is safe from ransomware.