KeRanger Mac Ransomware (Transmission 205:47

KeRanger Mac Ransomware (Transmission 2.90)

KeRanger (also called OSX.KeRanger.A) is ransomware trojan for MacOS. It was released after the site of the Transmission Bittorrent Client was hacked, with the hackers uploading a new version of Transmission containing the trojan. The file was briefly digitally signed, allowing it to bypass security warnings from Apple Gatekeeper.

The signature was later revoked by Apple, and it is stated before running that it contains malware. There was also an update notice in later versions of Transmission saying that an upgrade is highly recommended and that the new update will automatically remove the malware if the system not already encrypted.

Payload Edit

The payload of the ransomware is contained in a .rtf (Rich Text Format) document containing a Mach-O execuatable, packed with UPX. dropped to the Resources folder. After running the client, the trojan would run in the background of the system. After three days, it will begin to encrypt multiple file types on the system, including documents, text files, and audio. After encrypting a directory, it drops a "README_FOR_DECRYPT.txt" file to it containing a link to a .onion site, a bitcoin address, and a note stating a payment of 1BTC is required to decrypt them.

Linux.Encoder Edit

It is believed that KeRanger is a partially re-written version of the Linux.Encoder.1 ransomware. This was first discovered by BitDefender decompiling the ransomware and seeing similarities in most of the algorithms.

Detection Edit

The Ransomware was first discovered by Palo Alto Networks, it was then added to their malware database, and was written about on their blog two days later.

Most AV vendors catering to OSX have now added KeRanger to their databases.

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.