KeRanger Mac ransomware is a version of Linux ransomware

  • Liam Tung (CSO Online)
  • 09 March, 2016 09:53

The first fully functioning Mac ransomware is actually derived from the first notable piece of ransomware for Linux servers, but the decryption tools available to Linux victims may not be delivered for Macs.

According to security firm Bitdefender, the trojanised Mac torrent client installer known as KeRanger is “virtually identical” to the fourth version of Linux.Encoder, a trojan that has been doing the rounds on Linux servers since the beginning of the year.

“The encryption functions are identical and have the same names: encrypt_file, recursive_task, currentTimestamp and createDaemon, to only mention a few. The encryption routine is identical to the one employed in Linux.Encoder,” said Catalin Cosoi, chief security strategist at Bitdefender.

Linux.Encoder emerged late last year, taking advantage of poorly configured Linux web servers to encrypt files and shake down admins for a few hundred dollars. The ransomware was quickly iterated on but BitDefender researchers have in some instances been able to provide tools to decrypt files locked by the trojan.

It was expected the enterprising developers would try to improve the Linux ransomware, so it’s not so surprising to see a pivot to Macs.

While BitDefender has developed tools to help victims of Linux.Encoder unlock encrypted files, and KeRanger is basically the same malware, the security firm is reluctant to develop the same kind of tool to unscramble Mac files.

It’s not for a lack of sympathy for victims of KeRanger, but BitDefender chief security researcher Alex Balan told CSO Australia that developing such a tool may ultimately benefit the makers of KeRanger.

“If we were to invest in decryption tools for KeRanger, we would be giving the developers an upper hand and that wouldn’t necessarily be good for other [Mac] users,” he said.

Besides that, BitDefender hadn’t received a single request from KeRanger victims for assistance decrypting files, said Balan, whereas it did receive multiple requests from admins whose servers were infected with Linux.Encoder.

Balan said BitDefender had released decryption tools for the first two versions of Linux.Encoder, but was still working on tools for versions three and four.

“We want to see how this plays out,” Balan said, referring to the actual number of KeRanger victims and whether there is any demand for a similar tool to unlock files.

The KeRanger Mac ransomware, discovered last Friday by Palo Alto Networks, was bundled with an installer file for the Mac BitTorrent client Transmission that was signed using a legitimate Apple-approved developer certificate, though not Transmission's developer certificate.

Apple revoked the certificate on Friday to stop further installs. Transmission told Forbes yesterday that about 6,500 Macs had installed the infected file in the few hours between it becoming available and Apple's and Transmission's efforts to neuter it.

While that is a low number compared to some variants of Windows ransomware, KeRanger may have infected more machines than Linux.Encoder did over three months.

It also appears the makers of KeRanger are working on a way to encrypt Time Machine backup files, which would prevent users from recovering backed-up data. Still, attacking networked storage isn’t anything new for Windows ransomware attackers.

Microsoft recently stressed that the best way to protect recovery files and databases from ransomware is by taking the “pre-defence” measure of backing up to disconnected or remote storage. That means backing up to, say, a flash drive once a week and then unplugging it from the PC.
