KeRanger Ransomware

Mac users, you are not left untouched by ransomware attacks either. The world's first fully operational Mac ransomware has hit the advanced Mac OS X operating system. Ransomware is one of the fastest-growing cyber threats: it encrypts all essential documents and files on an infected computer and then demands a ransom from the victim, payable in Bitcoins, before access to the files is restored. Ransomware has been attacking Windows systems and smartphones for some time, but cyber crooks have now grown leaps and bounds and turned to Mac OS X. Security experts from Palo Alto Networks have discovered the very first known OS X ransomware, named KeRanger, which is assaulting Apple's Mac systems. KeRanger comes bundled with the popular Mac app Transmission, a free and open source BitTorrent client for Macintosh with millions of active users.

Here’s How KeRanger Ransomware Operates

Once a user installs the infected version of the app, KeRanger embeds itself in the victim's system and, only after three days of infiltration, encrypts the contents of the hard drive, including essential documents, pictures and video files, as well as email archives and entire databases. KeRanger then demands 1 Bitcoin (about $410) from the user as the ransom to decrypt the files and restore access to them. The malware gives the victim a 72-hour window in which the payment must be made.

Source: http://thehackernews.com/2016/03/mac-os-x-ransomware.html

The malicious KeRanger build of Transmission contains an added file named General.rtf in the Transmission.app/Contents/Resources directory. The file uses an icon that looks like a normal RTF document, but it is actually a Mach-O executable packed with UPX 3.91. As soon as the user launches the infected app, its bundled executable Transmission.app/Content/MacOS/Transmission copies this General.rtf file to ~/Library/kernel_service and executes kernel_service before any user interface appears.

[Image: the kernel_service executable. Image Credits: Palo Alto Networks]

KeRanger Ransomware targets more than 300 file extensions, including:

  • Documents: .txt, .csv, .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pps, .ppsm, .ppsx, .pot, .potx, .potm, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .rtf, .tex
  • Images: .jpg, .jpeg
  • Audio and video: .wav, .flac, .mp4, .mp3, .avi, .mpg
  • Archives: .zip, .gzip, .rar, .tar
  • Source code: .cpp, .asp, .java, .lua, .csh, .class
  • Database: .db, .sql

[Image: the KeRanger ransom note]

Do not act out of credulity, haste or distraction, because you will regret it later. If you pay up, you expose your private and confidential data, such as bank credentials, passwords and email IDs, to foreign access. Do you think it will end well for you? Barely. Therefore, do not pay! There is, however, a glimmer of hope: deleted, corrupted or encrypted Mac files can sometimes be recovered with a prominent third-party tool. Fortunately, there is still a way to recover encrypted or corrupted Mac files after a KeRanger Ransomware attack in simple and easy steps.

Examples of KeRanger Ransomware infected files (SHA-256):

  • 6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153 General.rtf
  • d1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1 Transmission-2.90.dmg
  • e3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574 Transmission
  • 31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9 General.rtf

[Image: the malicious General.rtf executable disguised as an RTF document. Image Credits: Palo Alto Networks]

How To Protect Yourself Against KeRanger Ransomware 

  1. Cyber experts recommend that users check their Mac systems for the presence of the following files:
    /Applications/Transmission.app/Contents/Resources/General.rtf
    /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf
    If either of these files exists, the Transmission app is likely infected with KeRanger Ransomware.
  2. The malware also runs under the process name .kernel_complete, kernel_pid, kernel_service or .kernel_time, which can be killed, and saves its executable in the ~/Library directory. Remove these files if found.
  3. Upgrade to version 2.91 of Transmission: uninstall the 2.91 Transmission app version and upgrade to a clean 2.92 version of the software.
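The file and process checks in steps 1 and 2, automated as a bash script. This is an added example, not code from the post or from Palo Alto Networks; the function names and the ROOT/HOME parameters are my own, so the scan can be pointed at a mounted volume or a test directory as well as the live system.

```bash
#!/bin/bash
# Added example (not from the post or the Palo Alto report): automates the
# KeRanger indicator checks. ROOT and HOME are parameters so the scan can be
# pointed at a mounted volume or, for testing, at a constructed directory.

# Indicator locations named in the post, relative to ROOT.
KERANGER_FILES="
/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf
"
# Names the dropped executable uses under ~/Library (and as process names).
KERANGER_NAMES=".kernel_complete kernel_pid kernel_service .kernel_time"

# keranger_scan ROOT HOME: report each indicator file found on stderr and
# print the number found on stdout.
keranger_scan() {
  root="$1"; home="$2"; found=0
  for f in $KERANGER_FILES; do
    if [ -e "$root$f" ]; then
      # General.rtf is an RTF in name only; the post says it is a Mach-O binary,
      # so the file type is shown alongside the path.
      echo "indicator: $root$f ($(file -b "$root$f" 2>/dev/null | cut -c1-40))" >&2
      found=$((found + 1))
    fi
  done
  for n in $KERANGER_NAMES; do
    if [ -e "$home/Library/$n" ]; then
      echo "indicator: $home/Library/$n" >&2
      found=$((found + 1))
    fi
  done
  echo "$found"
}

# keranger_procs: list running processes whose name matches a KeRanger name.
keranger_procs() {
  ps -axo pid=,comm= | grep -E '(^|/)(\.kernel_complete|kernel_pid|kernel_service|\.kernel_time)$' || true
}

# Scan the live system: ROOT is "/" (empty prefix) and HOME is the current user.
n=$(keranger_scan "" "$HOME")
echo "KeRanger indicator files found: $n"
procs=$(keranger_procs)
[ -n "$procs" ] && echo "suspicious processes (kill, then remove their files):" && echo "$procs"
```

Run it as the user whose ~/Library is to be checked; a non-zero count or any listed process means the Transmission install should be treated as infected and the files removed as the steps above describe.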

Reference: http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

 
