
KeRanger Ransomware

Posted: January 15, 2019

The KeRanger Ransomware is a file-locking Trojan that targets OS X machines and encrypts media such as pictures, audio, video and documents. It uses both RSA and AES encryption to keep the locked data from being recovered without the attackers' key, although current releases don't target the operating system's default backups. Have your preferred anti-malware solution remove the KeRanger Ransomware before restoring your files from an appropriate backup.

File-Sharing the Wrong Kinds of Files

A rare example of an OS X-targeting Trojan has become available for observation following the recent compromise of a torrenting client. The installer for Transmission, an open-source BitTorrent client, was infected by unknown means, dropping a hibernating copy of the KeRanger Ransomware onto victims' computers. Apart from its unusually lengthy hibernation, the KeRanger Ransomware is what malware experts would consider a standard threat of its kind, featuring randomized encryption and cryptocurrency-oriented extortion.

The KeRanger Ransomware includes a (now revoked) digital certificate and a fake RTF file in its installation disguise, although its real format is a packed executable. Depending on the version, it may or may not contact its Command & Control server at five-minute intervals while it hibernates for three days. Only after this period elapses does the KeRanger Ransomware conduct its encryption attack, which uses an RSA key and an additional layer of randomization with an AES algorithm.

The KeRanger Ransomware attacks many of the formats that malware experts have already noted as being at risk from file-locker Trojans: DOCs, JPGs, MP3s, MP4s, AVIs, spreadsheets and slideshows, archives such as ZIP or RAR, and databases. The KeRanger Ransomware also locks certificate (PEM) and e-mail (EML) files. Files under the 'Users' directory are targets regardless of their extensions, and the locked results carry an 'encrypted' extension in their names.

Getting Out of the Range of New Mac Problems

The cyber-security community is developing appropriate definitions for counteracting the KeRanger Ransomware. OS X should warn the user about compromised versions of Transmission, and the site's admins have removed the Trojan-delivering variants of their installers. Users are also fortunate in that the KeRanger Ransomware fails to take a usual precaution for its type of payload: wiping the OS's backups. Unless the Trojan is updated, your Time Machine backups should remain available for restoring any encrypted media without risk.

Users who doubt the safety of their copy of the torrenting application should search for the 'General.rtf' file, which is the mislabeled executable of the KeRanger Ransomware. Other symptoms include a running 'kernel_service' process and a TXT ransom note demanding one Bitcoin for the decryptor. Most conventional, OS X-compatible anti-malware solutions should delete both the KeRanger Ransomware and the infected torrenting application automatically.
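The three symptoms above can be checked together in one host triage pass. The script below is an added example, not code from the original article or from any vendor: the indicator names (General.rtf, kernel_service, the 'encrypted' extension, the 'Users' tree) come from the article, while the Transmission bundle path, the `ps -axo comm=` process listing and the sample tree built by `demo()` are assumptions made for the example.

```python
"""Host triage for the KeRanger indicators described in the article (added example)."""
import os
import subprocess
import tempfile
from pathlib import Path

INDICATOR_FILE = "General.rtf"     # mislabeled executable inside the Transmission bundle
INDICATOR_PROC = "kernel_service"  # process name the article associates with KeRanger
ENCRYPTED_SUFFIX = ".encrypted"    # suffix assumed for the 'encrypted' extension


def find_dropper(app_root):
    """Return every General.rtf found under app_root (e.g. /Applications/Transmission.app)."""
    return sorted(str(p) for p in Path(app_root).rglob(INDICATOR_FILE) if p.is_file())


def running_indicator_processes(ps_output):
    """Given `ps -axo comm=` output, return the command lines whose basename is kernel_service."""
    return [line.strip() for line in ps_output.splitlines()
            if os.path.basename(line.strip()) == INDICATOR_PROC]


def count_encrypted_files(users_root):
    """Count files under users_root (normally /Users) that carry the .encrypted suffix."""
    return sum(1 for p in Path(users_root).rglob("*" + ENCRYPTED_SUFFIX) if p.is_file())


def triage(app_root, users_root, ps_output):
    """Combine the three checks; 'suspicious' is True when any indicator is present."""
    findings = {"dropper": find_dropper(app_root),
                "process": running_indicator_processes(ps_output),
                "encrypted_files": count_encrypted_files(users_root)}
    findings["suspicious"] = bool(findings["dropper"] or findings["process"]
                                  or findings["encrypted_files"])
    return findings


def demo():
    """Run triage over a constructed sample tree (assumed layout, not data from a real infection)."""
    root = Path(tempfile.mkdtemp())
    app = root / "Transmission.app" / "Contents" / "Resources"
    app.mkdir(parents=True)
    (app / INDICATOR_FILE).write_bytes(b"not really an RTF")
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "thesis.doc.encrypted").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_bytes(b"untouched")
    ps = "launchd\n/Users/alice/Library/kernel_service\nTransmission\n"  # constructed ps output
    return triage(root / "Transmission.app", root / "Users", ps)


if __name__ == "__main__":
    real_ps = subprocess.run(["ps", "-axo", "comm="], capture_output=True, text=True).stdout
    print(triage("/Applications/Transmission.app", "/Users", real_ps))
```

Running the script directly checks the live machine; `demo()` exercises the same logic against the constructed tree.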

Some of the KeRanger Ransomware's internal, unfinished functionality suggests to malware analysts that a backdoor feature may later be patched into the Trojan. Threatening as it already is, the future of the KeRanger Ransomware campaign could include handing remote attackers the keys to your computer along with your files.