
KeRanger Mac Ransomware (Transmission 2.90)

KeRanger (also called OSX.KeRanger.A) is a ransomware trojan for macOS. It was released after the website of the Transmission BitTorrent client was hacked; the attackers uploaded a new version of Transmission containing the trojan. The file was briefly digitally signed with a valid developer certificate, allowing it to bypass security warnings from Apple Gatekeeper.

The signature was later revoked by Apple, and the system now states before running the file that it contains malware. Later versions of Transmission also carried an update notice saying that an upgrade is highly recommended and that the new update will automatically remove the malware if the system has not already been encrypted.

Payload

The payload of the ransomware is contained in a .rtf (Rich Text Format) document, dropped into the application's Resources folder, which actually holds a Mach-O executable packed with UPX. After the client is run, the trojan runs in the background of the system. After three days, it begins to encrypt multiple file types on the system, including documents, text files, and audio. After encrypting a directory, it drops a "README_FOR_DECRYPT.txt" file into it containing a link to a .onion site, a bitcoin address, and a note stating that a payment of 1 BTC is required to decrypt the files.
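Two of the indicators above are easy to hunt for on disk: a file carrying an .rtf extension inside a bundle's Resources folder whose leading bytes are a Mach-O magic number rather than the `{\rtf` header, and a `README_FOR_DECRYPT.txt` note in an encrypted directory. The script below is an added example written for this page, not KeRanger's code or anything from the Transmission project. It builds a constructed sample tree (a fake `Demo.app` bundle with one genuine RTF and one Mach-O-headed `Notes.rtf`, plus a `Documents` folder holding a placeholder note), then scans it; the file names and the "UPX!" marker check are assumptions used for the demonstration, and the fake Mach-O bytes are padding, not a real binary.

```python
"""Hunt for the KeRanger indicators described above: a Mach-O executable
hiding under an .rtf extension inside an app bundle's Resources folder,
and README_FOR_DECRYPT.txt ransom notes dropped into encrypted directories."""
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "README_FOR_DECRYPT.txt"
UPX_MARKER = b"UPX!"  # literal the UPX packer leaves in its header (triage heuristic)

# Mach-O magic numbers in both byte orders (thin 32/64-bit and fat/universal).
MACHO_MAGICS = {
    bytes.fromhex("feedface"), bytes.fromhex("cefaedfe"),  # MH_MAGIC / MH_CIGAM
    bytes.fromhex("feedfacf"), bytes.fromhex("cffaedfe"),  # MH_MAGIC_64 / MH_CIGAM_64
    bytes.fromhex("cafebabe"), bytes.fromhex("bebafeca"),  # FAT_MAGIC / FAT_CIGAM
}


def classify(path: Path) -> str:
    """Return 'macho', 'rtf' or 'other' from the file's leading bytes,
    ignoring whatever extension the file carries."""
    with open(path, "rb") as fh:
        head = fh.read(5)
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if head.startswith(b"{\\rtf"):
        return "rtf"
    return "other"


def looks_upx_packed(path: Path, window: int = 4096) -> bool:
    """Heuristic: UPX writes the literal 'UPX!' in its pack header near the
    start of the stub. Good enough for triage; not a substitute for unpacking."""
    with open(path, "rb") as fh:
        return UPX_MARKER in fh.read(window)


def find_disguised_executables(root: Path) -> list:
    """Walk every Resources folder under root and report .rtf files that are
    really Mach-O binaries (the delivery trick the Payload section describes)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if Path(dirpath).name != "Resources":
            continue
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() == ".rtf" and classify(p) == "macho":
                hits.append({"path": str(p), "upx": looks_upx_packed(p)})
    return hits


def find_ransom_notes(root: Path) -> list:
    """Directories under root that contain the KeRanger ransom note."""
    return sorted(dirpath for dirpath, _d, files in os.walk(root) if RANSOM_NOTE in files)


def build_demo_tree(root: Path) -> None:
    """Constructed sample data (not real malware): a fake app bundle with one
    genuine RTF and one Mach-O-headed file named .rtf, plus an 'encrypted'
    folder holding a placeholder ransom note."""
    res = root / "Demo.app" / "Contents" / "Resources"  # assumed bundle layout
    res.mkdir(parents=True)
    (res / "Credits.rtf").write_bytes(b"{\\rtf1\\ansi Demo credits}")
    fake = bytes.fromhex("cffaedfe") + b"\x00" * 60 + UPX_MARKER + b"\x00" * 100
    (res / "Notes.rtf").write_bytes(fake)  # constructed bytes, not KeRanger's payload
    docs = root / "Users" / "demo" / "Documents"
    docs.mkdir(parents=True)
    (docs / RANSOM_NOTE).write_text("placeholder ransom note for the demo\n")


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    root = Path(tempfile.mkdtemp(prefix="keranger_hunt_"))
    build_demo_tree(root)
    return {
        "disguised": find_disguised_executables(root),
        "notes": find_ransom_notes(root),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

On a real host you would point `find_disguised_executables` at `/Applications` and `find_ransom_notes` at `/Users`; the magic-number check matters because the extension alone tells you nothing, and the `UPX!` flag is only a hint that the file deserves a closer look in a sandbox.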

Linux.Encoder

It is believed that KeRanger is a partially rewritten version of the Linux.Encoder.1 ransomware. This was first noticed by Bitdefender, which decompiled the ransomware and found that most of its algorithms were similar.

Detection

The ransomware was first discovered by Palo Alto Networks, which added it to its malware database and wrote about it on its blog two days later.

Most AV vendors catering to OSX have now added KeRanger to their databases.