KeRanger, the new MAC OS X ransomware that hit Apple users on the weekend

Over the weekend Apple customers who were looking for the latest version of Transmission were infected by KeRanger MAC OS X ransomware.

Bad news for Apple customers, their systems were targeted for the first time over the weekend by a ransomware campaign. The experts at Palo Alto Networks Unit 42 who discovered the malicious campaign reported that Apple customers who were looking for the latest version of Transmission, a popular BitTorrent client, were infected with a new family of Ransomware that was specifically designed to target OS X installations.

“On March 4, we detected that the Transmission BitTorrent ailient installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware “KeRanger.” states the report published by Palo Alto Networks.

The researchers named this new Ransomware family KeRanger, they also released a technical analysis of the malware.

Ransomware attacks on MAC OS X systems is a novelty, in the past the unique malware with similar characteristics was FileCoder, a malicious code detected by Kaspersky Lab in 2014.

“The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.” continues the post.

According to the report, users who have directly downloaded Transmission installer from the official website in a specific time interval may be been infected by KeRanger MAC OS X ransomware.

“Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger.”

The Transmission project promptly removed the malicious installers on Saturday (March 5) and it is urging its users to update to the latest version (2.92).

The experts discovered that the malware was embedded within the Transmission DMG file itself, but this was not enough to install the malware. The author of KeRanger also signed the installer with a valid code-signing certificate, issued to Polisan Boya Sanayi ve Ticaret A.Ş., a holding company in Istanbul, to bypass security measured implemented by the Apple’s Gatekeeper.

The experts noticed that authors have used hidden services to masquerade the command and control infrastructure, once infected a machine the KeRanger MAC OS ransomware will wait three days before contacting a Command & Control server. Below the list of services in the Tor network used in the by the ransomware.

lclebb6kvohlkcml.onion[.]link
lclebb6kvohlkcml.onion[.]nu
bmacyzmea723xyaz.onion[.]link
bmacyzmea723xyaz.onion[.]nu
nejdtkok7oz5kjoc.onion[.]link
nejdtkok7oz5kjoc.onion[.]nu

Once the ransomware has contacted the server it starts encrypting documents having more than 300 different extensions:

Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex
Images: .jpg, .jpeg,
Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac
Archives: .zip, .rar., .tar, .gzip
Source code: .cpp, .asp, .csh, .class, .java, .lua
Database: .db, .sql
Email: .eml
Certificate: .pem

It is interesting to note that the ransomware is not able to start the encrypting process without making the initial contact to C&C servers.

When the files are encrypted, the KeRanger MAC OS ransomware demands $400.00 USD to the victims

The researchers suspect that the KeRanger MAC OS ransomware is still under development, in fact, they noticed the malware doesn’t encrypt Time Machine backup files, but the analysis of the code revealed that the is code to perform this action is already present in the malware, but it is still not active.

“Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.”

To mitigate the infections, the digital certificate used to sign the code has been already revoked. Apple added the installers to the Gatekeeper blacklist and also updated XProtect signatures to include the new KeRanger Ransomware family.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – KeRanger MAC OS ransomware, Apple)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.