KeRanger OS X Ransomware Support and Help Topic - README_FOR_DECRYPT.txt

This topic is to support those who have been infected with the OS X ransomware called KeRanger. KeRanger is a ransomware that was distributed using a maliciously altered copy of the Transmission bittorrent client. For those who downloaded Transmission between March 4th and end of the day March 6th, then you may be infected by KeRanger.

When first installed, KeRanger will run in the background and then kick in 3 days later. Once started it will scan your computer for targeted file extensions and encrypt them using AES Encryption.

At this time there is no known way to decrypt the files for free.

Detailed analysis can be found here: Information about the KeRanger OS X Ransomware and How to Remove It.
 

Do we know if filenames are altered, or is this another one that's hard to determine the magnitude of affected files? I'm interested in seeing a few samples of encrypted files if someone has some (for archiving and analysis).

Do we know if filenames are altered, or is this another one that's hard to determine the magnitude of affected files? I'm interested in seeing a few samples of encrypted files if someone has some (for archiving and analysis).

 

I agree. I would like to know the filename pattern and extensions it uses, to protect our file servers, write custom mcafee vse rules, etc....

Edited by nintendo1889, 07 March 2016 - 10:08 AM.

Writing up a detailed analysis now, but encrypted files are changed to .encrypted.

Writing up a detailed analysis now, but encrypted files are changed to .encrypted.

Good, I already have a *.encrypted rule.

Posted some analysis here:

Information about the KeRanger OS X Ransomware and How to Remove It.

Very interesting, thanks for the analysis.

 

Does it actually encrypt the whole file, or only part of it? Also, is there a header added onto the file? I'd be interested in seeing a before/after just for signature archiving.

Found the analysis by Palo Alto Networks may have some more technical details on what I was asking.

 

http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

 

This part sounds scary if they pull it off.

 

 

 

Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

Hi,

i uploaded files for testing it says that this type can be decrypted 

 

what do i do from here?

More likely you were hit by Crypt0L0cker if your files have .encrypted appended. KeRanger was short lived and only infected Macs.

FWIW, If there's any KeRanger out there, Dr. Web says they can decrypt it. Unless you have one of their security products on the date of infection, it will cost you. (Probably 150 Euros)

More likely you were hit by Crypt0L0cker if your files have .encrypted appended. KeRanger was short lived and only infected Macs.

Yeah sorry about that.. I read about it after I posted. Just that it came up somehow for keRanger when I uploaded files for testing. Not sure why.