KeRanger, the new MAC OS X ransomware that hit Apple users on the weekend

Over the weekend Apple customers who were looking for the latest version of Transmission were infected by KeRanger MAC OS X ransomware.

Bad news for Apple customers, their systems were targeted for the first time over the weekend by a ransomware campaign. The experts at Palo Alto Networks Unit 42 who discovered the malicious campaign reported that Apple customers who were looking for the latest version of Transmission, a popular BitTorrent client, were infected with a new family of Ransomware that was specifically designed to target OS X installations.

“On March 4, we detected that the Transmission BitTorrent ailient installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware “KeRanger.” states the report published by Palo Alto Networks.

The researchers named this new Ransomware family KeRanger, they also released a technical analysis of the malware.

Ransomware attacks on MAC OS X systems is a novelty, in the past the unique malware with similar characteristics was FileCoder, a malicious code detected by Kaspersky Lab in 2014.

“The only previous ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder was incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on the OS X platform.” continues the post.

According to the report, users who have directly downloaded Transmission installer from the official website in a specific time interval may be been infected by KeRanger MAC OS X ransomware.

“Users who have directly downloaded Transmission installer from official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, may be been infected by KeRanger.”

The Transmission project promptly removed the malicious installers on Saturday (March 5) and it is urging its users to update to the latest version (2.92).

The experts discovered that the malware was embedded within the Transmission DMG file itself, but this was not enough to install the malware. The author of KeRanger also signed the installer with a valid code-signing certificate, issued to Polisan Boya Sanayi ve Ticaret A.Ş., a holding company in Istanbul, to bypass security measured implemented by the Apple’s Gatekeeper.

The experts noticed that authors have used hidden services to masquerade the command and control infrastructure, once infected a machine the KeRanger MAC OS ransomware will wait three days before contacting a Command & Control server. Below the list of services in the Tor network used in the by the ransomware.

• lclebb6kvohlkcml.onion[.]link
• lclebb6kvohlkcml.onion[.]nu
• bmacyzmea723xyaz.onion[.]link
• bmacyzmea723xyaz.onion[.]nu
• nejdtkok7oz5kjoc.onion[.]link
• nejdtkok7oz5kjoc.onion[.]nu

Once the ransomware has contacted the server it starts encrypting documents having more than 300 different extensions:

• Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex
• Images: .jpg, .jpeg,
• Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac
• Archives: .zip, .rar., .tar, .gzip
• Source code: .cpp, .asp, .csh, .class, .java, .lua
• Database: .db, .sql
• Email: .eml
• Certificate: .pem

It is interesting to note that the ransomware is not able to start the encrypting process without making the initial contact to C&C servers.

When the files are encrypted, the KeRanger MAC OS ransomware demands $400.00 USD to the victims

The researchers suspect that the KeRanger MAC OS ransomware is still under development, in fact, they noticed the malware doesn’t encrypt Time Machine backup files, but the analysis of the code revealed that the is code to perform this action is already present in the malware, but it is still not active.

“Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.”

To mitigate the infections, the digital certificate used to sign the code has been already revoked. Apple added the installers to the Gatekeeper blacklist and also updated XProtect signatures to include the new KeRanger Ransomware family.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – KeRanger MAC OS ransomware, Apple)