KeRanger Mac Ransomware Flaw May Allow Recovery of Files

A few days ago, KeRanger, the first Mac ransomware found in the wild was discovered. Now, according to researchers from antivirus firm Bitdefender, KeRanger turned out to be based on a previous piece of ransomware known as Linux.Encoder, which emerged late last year, targeting Linux-based web servers.

The advantage to this is that Linux.Encoder possessed flaws in its cryptographic implementation for at least the first three versions, which allowed Bitdefender’s researchers to develop tools that could decrypt the files affected by the malware. According to Bogdan Botezatu, senior e-threat analyst at Bitdefender, even the latest version of Linux.Encoder (4), has the same flaws that affected the previous versions.

“The infected Mac OS X torrent client update analyzed by Bitdefender Labs looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers since the beginning of 2016,” Bitdefender researchers stated in a blog post published on Tuesday. The result of this is that KeRanger also contains the same broken cryptographic implementation.

Bitdefender is yet to publish a tool able to decrypt KeRanger affected files, however, development of such a tool is under consideration, should the demand be sufficient.

The purpose behind KeRanger still remains to be seen, considering the great lengths that those responsible for it have gone to, including stealing a legitimate Apple developer’s certificate and hacking into a popular and trusted open source project’s website, if the ransomware they were distributing had such a crucial known weakness. Whether a newer, more dangerous version of KeRanger will appear in the future could be quite likely, however, those affected by its current iteration should be thankful that this incident was not more serious.

First Mac-Targetting Ransomware Appears in the Wild

Despite the rising amount of ransomware attacks recently, Apple’s Mac OSX has so far remained unaffected by it. Unfortunately, for Mac-users, security firm Palo Alto Networks announced on Sunday that it had discovered the world’s first ransomware that is aimed at OSX computers. Now named “KeRanger”, the malware was discovered through a rogue version of the popular Transmission BitTorrent client.

KeRanger was first noticed on Saturday on the Transmission forums, where some users posted unusual reports that copies of Transmission downloaded from the main site were infected with malware. This means that the Transmission site itself was compromised, as the KeRanger infected versions of the client were served over an HTTP connection instead of the usual HTTPS used for the remainder of the website. Transmission later published a message stating that: “Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file.”

When a computer is infected with the KeRanger ransomware, through installing a compromised version of Transmission, the installer runs an embedded executable file on the system. It then waits 3 days before connecting to its command and control (C2) servers over the Tor anonymizer network. From there, it begins the process of encrypting certain types of files and documents on the system before issuing a demand of one bitcoin (around $400) to a specific address in order to restore access to their files. The current version of KeRanger was also reported to still be under development, with future iterations of the malware potentially able to encrypt Time Machine backups too, in order to prevent restoration.

It was only a matter of time before ransomware came to the Mac, however, it is worrying how vulnerable usually trustworthy open source projects are to unwillingly carrying malware. While the infected version of Transmission has since been pulled from their site, if you believe you have been infected, Palo Alto Networks’ report includes steps on how to identify and remove KeRanger.