KeRanger: Mac’s First Ransomware Hit

Apr 13, 2016 | By Rini | 4 min read

Ransomware has kept ahead of the security industry for years, and it has now reached the Mac. In March 2016 Mac OS X was hit by fully functional ransomware for the first time: KeRanger, the first such malware signed with a valid Mac Developer ID and distributed through a legitimate application's own download channel.

What Hit the Mac?

KeRanger is file-encrypting ransomware for Mac OS X. It waits three days after infection, then encrypts the user's files and demands a ransom of 1 bitcoin (about US$425 at the time). It reached victims inside a trojanized build of Transmission, an open-source BitTorrent client.

The attackers appear to have obtained a valid Mac app development certificate, which let the trojanized build pass Gatekeeper, Apple's check that a downloaded application carries a signature from an identified developer. They then replaced the legitimate installer on the download site with a version rebuilt to carry the malware.

The infected Transmission build was served from the official Transmission website and was signed with a different Developer ID certificate from the one the project normally uses: the attackers modified the app and re-signed it. The altered copy of Transmission includes a file named General.rtf in its Resources folder, which is a Mach-O executable rather than the rich-text document its name suggests. When the app is launched, that file is copied to the user's Library folder as kernel_service and executed. The process keeps running in the background and creates two more files in the same folder, kernel_pid and kernel_time; kernel_time records when the malware first ran, and the process compares it against the current time to decide when three days have passed before it starts encrypting.

KeRanger appears to be derived from Linux.Encoder, a ransomware family that earlier hit thousands of Linux-based servers. Apart from compiler-related differences and a new routine, apparently still in development, intended to locate and encrypt Apple Time Machine backups, the code is functionally the same.

Apple has revoked the certificate used to sign KeRanger and added signatures for the malicious Transmission build to XProtect, its built-in anti-malware check, so that version can no longer be installed. Transmission also released a new version (2.92) that detects the KeRanger files and removes them.

Who Does KeRanger Affect?

Not everyone who uses Transmission is affected by KeRanger. It affects users who downloaded version 2.90 of the app from the Transmission website while the trojanized build was being served (March 4 and 5, 2016) and installed it on their Macs. That build is believed to have been bundled with KeRanger by as yet unidentified attackers.

Transmission stated that the trojanized installer was placed on its servers through a breach of its website and that roughly 6,500 people downloaded the infected build.

Is Your Mac Infected?

Users who downloaded Transmission 2.90 in that window should check for the following indicators, delete the app if they are present, and restart the system so the resident process cannot re-activate.

  • Look for a file at “/Applications/Transmission.app/Contents/Resources/General.rtf” or “/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf”. If it exists, delete your copy of Transmission.
  • In Activity Monitor, check for a process named “kernel_service”. If it is running, choose Open Files and Ports and look for a path like “/Users/<username>/Library/kernel_service”. If you see it, force quit the process, then delete kernel_service along with kernel_pid and kernel_time from the same Library folder.
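
As an added example (not code from the SecPod post, from Apple or from the Transmission project), the script below turns the indicators described in the two sections above into a repeatable sweep: it looks for the General.rtf payload inside Transmission.app, for the kernel_service, kernel_pid and kernel_time files in each user's Library folder, and for a running kernel_service process, and it checks whether a file called General.rtf is really a Mach-O executable by reading its magic bytes. The ROOT parameter, the function names and the fixture-friendly layout are this example's own conventions; on a real Mac you run it against /. The codesign/spctl step only runs where those tools exist.

```shell
#!/bin/sh
# Added example, not from the SecPod post or the Transmission project:
# sweep a Mac for the KeRanger indicators described in the article.
# ROOT (first argument) defaults to / so the same functions can be run
# against a constructed directory tree when testing.

# Where the trojanized Transmission 2.90 carried its payload (a Mach-O
# binary misnamed General.rtf) and which files the dropped copy left in
# each user's ~/Library. Paths are relative to ROOT.
KERANGER_APP_PATHS="Applications/Transmission.app/Contents/Resources/General.rtf
Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"
KERANGER_LIB_FILES="kernel_service kernel_pid kernel_time"

# Print each indicator file present under ROOT, one per line.
# Returns 0 if anything was found, 1 if the tree looks clean.
keranger_file_indicators() {
    root="${1:-/}"
    root="${root%/}"
    found=1
    for rel in $KERANGER_APP_PATHS; do
        if [ -f "$root/$rel" ]; then
            printf '%s\n' "$root/$rel"
            found=0
        fi
    done
    for home in "$root"/Users/*; do
        [ -d "$home/Library" ] || continue
        for f in $KERANGER_LIB_FILES; do
            if [ -e "$home/Library/$f" ]; then
                printf '%s\n' "$home/Library/$f"
                found=0
            fi
        done
    done
    return "$found"
}

# Return 0 if FILE starts with Mach-O magic bytes (thin 32/64-bit in either
# byte order, or a fat binary): a "document" with these bytes is an
# executable in disguise, which is exactly what KeRanger's General.rtf was.
is_macho_masquerade() {
    [ -f "$1" ] || return 1
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the resident kernel_service process is running.
keranger_process_running() {
    pgrep -x kernel_service >/dev/null 2>&1
}

# On macOS, print the signing authority of the installed Transmission and
# ask Gatekeeper whether it still accepts the app (Apple revoked the
# certificate used for KeRanger). Returns 2 where codesign is unavailable.
transmission_signature_status() {
    app="${1:-/Applications/Transmission.app}"
    command -v codesign >/dev/null 2>&1 || return 2
    [ -d "$app" ] || return 1
    codesign -dv --verbose=2 "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
    spctl --assess --type execute "$app"
}

main() {
    if hits=$(keranger_file_indicators /); then
        echo "KeRanger indicators found:"
        echo "$hits"
        for rel in $KERANGER_APP_PATHS; do
            is_macho_masquerade "/$rel" && echo "  /$rel is a Mach-O binary, not an RTF document"
        done
        echo "Delete Transmission.app, remove the files above, and restart."
    else
        echo "No KeRanger file indicators found."
    fi
    keranger_process_running && echo "WARNING: kernel_service is running; force quit it."
    transmission_signature_status
}

# Run the sweep when executed directly; sourcing the file only defines the functions.
case "$0" in
    *keranger_check.sh) main ;;
esac
```

Save it as keranger_check.sh and run it with sh on the Mac being checked. The magic-byte test is the part worth keeping beyond this incident: any file whose name says document but whose first four bytes say Mach-O deserves a closer look, whatever it is called.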

Files restored from a backup made before the infection will be intact; since the sample carries code aimed at Time Machine backups, verify the backup itself before restoring from it. SecPod Saner helps detect such malware proactively and remediate it.

How Can You Protect Yourself from Ransomware?

  • Back up your files regularly, and keep at least one copy offline or otherwise detached from the machine so that malware running on it cannot reach the backup. If ransomware does strike, you can remove it and restore from that copy.
  • Keep your security software up to date so that it recognises new malware variants.
  • Keep your operating system and applications updated. Software updates frequently include patches for newly discovered vulnerabilities that attackers would otherwise exploit.
  • Delete suspicious e-mails without opening them, especially those carrying links or attachments.

Growing Jeopardy

Although KeRanger was distributed only briefly, through a single compromised application, Mac users should not be complacent. The attackers may find another channel to distribute the malware, and the success of this attack may encourage other groups to build their own Mac OS X ransomware.

  • Rini Thomas
