KeRanger (also called OSX.KeRanger.A) is a ransomware trojan for macOS. It was released after the website of the Transmission BitTorrent client was compromised and the attackers uploaded a new version of Transmission containing the trojan. The file was briefly digitally signed, which allowed it to bypass the security warnings of Apple Gatekeeper. The ransomware was first discovered by Palo Alto Networks, who added it to their malware database and wrote about it on their blog two days later.

Apple later revoked the signature, so the system now warns before running the file that it contains malware. Later versions of Transmission also carried an update notice stating that an upgrade is highly recommended and that the new update will automatically remove the malware if the system has not already been encrypted.

Payload

The payload of the ransomware is a Mach-O executable, packed with UPX, embedded in a .rtf (Rich Text Format) document that is dropped into the application's Resources folder. After the client is run, the trojan runs in the background of the system. After three days it begins to encrypt multiple file types on the system, including documents, text files and audio. After encrypting a directory, it drops a "README_FOR_DECRYPT.txt" file into it containing a link to a .onion site, a Bitcoin address, and a note stating that a payment of 1 BTC is required to decrypt the files.
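Two of the artifacts described above are easy to check for from a defender's side: a file in an application's Resources folder that carries an .rtf extension but starts with a Mach-O header (with the UPX marker as a further hint), and the README_FOR_DECRYPT.txt note left in encrypted directories. The following scanner is an added example written for this page; it is not code from the page, from Transmission or from any vendor. It builds a constructed, inert sample tree (the "payload.rtf" file name and the Demo.app bundle are hypothetical, and the fake executable is only a header followed by zeros) and reports which files match those indicators.

```python
import os
import tempfile
from pathlib import Path

# Raw 4-byte Mach-O headers (32/64-bit, both byte orders, plus the fat/universal
# header). 0xCAFEBABE is shared with Java class files, so treat it as a hint only.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
UPX_MARKER = b"UPX!"                    # string UPX leaves in a packed header
RANSOM_NOTE = "README_FOR_DECRYPT.txt"  # note the page says KeRanger drops per directory
HEADER_BYTES = 4096


def classify_file(path):
    """Inspect the first bytes of a file and report what it really looks like."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_BYTES)
    return {
        "rtf": head.startswith(b"{\\rtf"),  # a genuine RTF document starts with {\rtf
        "macho": head[:4] in MACHO_MAGICS,
        "upx": UPX_MARKER in head,          # heuristic only, not a full UPX parse
    }


def scan_tree(root):
    """Walk a directory (e.g. an .app bundle or a home folder) and return findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                findings.append({"path": str(path), "reason": "ransom note present"})
                continue
            info = classify_file(path)
            if name.lower().endswith(".rtf") and info["macho"] and not info["rtf"]:
                reason = "Mach-O executable disguised as RTF"
                if info["upx"]:
                    reason += " (UPX marker found)"
                findings.append({"path": str(path), "reason": reason})
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree(base):
    """Create a constructed, inert sample tree: a fake bundle with a disguised
    'Mach-O' in Resources, one legitimate RTF, and a ransom note in a user folder.
    Nothing here is executable; the fake Mach-O is a header followed by zeros."""
    res = Path(base) / "Demo.app" / "Contents" / "Resources"   # hypothetical bundle
    res.mkdir(parents=True)
    fake_macho = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"UPX!" + b"\x00" * 64
    (res / "payload.rtf").write_bytes(fake_macho)             # hypothetical file name
    (res / "Credits.rtf").write_bytes(b"{\\rtf1\\ansi Hello}")  # genuine RTF, must not fire
    docs = Path(base) / "Documents"
    docs.mkdir()
    (docs / RANSOM_NOTE).write_text("constructed placeholder note\n")
    return Path(base)


def run_demo():
    """Build the sample tree in a temporary directory, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_demo_tree(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(f"{finding['reason']}: {finding['path']}")
```

Run it as a script to see the two findings from the sample tree; to inspect a real bundle, call scan_tree() on the path to its Contents directory. The extension-versus-magic mismatch is the key check: a Rich Text file is plain text beginning with {\rtf, so any .rtf that instead opens with a Mach-O header has no legitimate reason to exist in a Resources folder.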

KeRanger is believed to be a partially rewritten version of the Linux.Encoder.1 ransomware. Bitdefender first noticed this when decompiling the ransomware and finding similarities in most of the algorithms.