Mac OS X Ransomware – KeRanger
First example of a complete functional Mac OS X ransomware is KeRanger and first Mac OS X ransomware malware distributed with a signed software update from a genuine developer, though not written first on Mac OS X. As per Bitdefender Labs, it seemed to be a ported version of the Linus.Encoder ransomware which makes it the first cross platform ransomware. Linux Encoder is said to be in its fourth version and has successfully infected Linux servers to some extent though it is still susceptible to key recovery as per a blog by Bitedefender Labs in January.
By `Key recovery’ it means that Bitdefender tends to find the decryption key without the victim paying the ransom. According to Bitdefender Labs blog entry, KeRanger is said to be trojaned Transmission BitTorrent client update and looks virtually similar to the present Linux.Encoder version. The blog quotes Catalin Cosoi, Chief Security Strategist at Bitdefender stating that `theencryption functions seems identical and have the same names: encrypt file, recursive task, currentTimestamp and createDaemon to mention a few. The routine of encryption is similar to the one engaged in Linus.Encoder.
Signing Malware with Genuine Code
One of the foremost variations the KeRanger authors made to the Mac version was the signing of the ransomware malware with a genuine code signing key allotted by Apple for the Mac App Store wherein these keys were whitelisted by the Mac Gatekeeper service. The key that are utilised for KeRanger has been listed as belonging to a Turkish company and does not seem to be the same which was earlier used by the Transmission program.
Bitdefender has cautioned that this could be an indication of things to look forward to for malware, for non-Windows systems. Till date, attempts at Mac ransomware malware have not continued possibly due to the perpetrators not considering the money they made, was worth the efforts. KeRanger when detected did not do a lot of damage, as reported by Stan Schroeder for Masable. `Discovered March 4’, in a version of the BitTorrent client Transmission, the KeRanger malware infects the host machine, encrypts some of the contents and ask for bitcoins in exchange of decrypting the owner’s data.
KeRanger Similar to Linux.Encoder 4
Schroeder reported that around 6,500 users downloaded the infected version of Transmission and since Apply had quickly cancelled the digital certificate essential to install the file, several of the users who had downloaded the infected version of Transmission had perhaps been unable to install it. The other known type of OS X ransomware is the FileCoder which was discovered in 2014 though it was incomplete when it was discovered.
Senior E-Threat analyst Bogdan Botezatu of Bitdefender has suggested two scenarios on how it could have occurred. Either the Linux.Encoder developer have decided to expand the code to support Mac on his own or he could have licensed the code to another cybercrime group which could have specialized in Mac OS X systems. The company has also stated that KeRanger seems to be a close copy of Linux.Encoder.4, though ported for Mac architectures. Linux.Encode 4 appeared at the start of the year after Linux.Encoder 3 had failed and continues to create havoc among website owners. So far, there is no Bitdefender decryption tool for Linux.Encoder 4. However Bitdefender have been contacted and updates if any will be made available with a link.