
KeRanger OS X Ransomware Support and Help Topic - README_FOR_DECRYPT.txt


11 replies to this topic

#1 Grinler (Lawrence Abrams)

  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA

Posted 07 March 2016 - 09:34 AM

This topic is to support those who have been infected with the OS X ransomware called KeRanger. KeRanger is ransomware that was distributed using a maliciously altered copy of the Transmission BitTorrent client. If you downloaded Transmission between March 4th and the end of the day on March 6th, you may be infected by KeRanger.

When first installed, KeRanger will run in the background and then kick in 3 days later. Once started, it will scan your computer for targeted file extensions and encrypt them using AES encryption.

At this time there is no known way to decrypt the files for free.

Detailed analysis can be found here: Information about the KeRanger OS X Ransomware and How to Remove It.
[Image: readme_for_decrypt.txt - screenshot of the README_FOR_DECRYPT.txt ransom note]


#2 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,426 posts
  • Gender:Male
  • Location:USA

Posted 07 March 2016 - 10:01 AM

Do we know if filenames are altered, or is this another one that's hard to determine the magnitude of affected files? I'm interested in seeing a few samples of encrypted files if someone has some (for archiving and analysis).


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 nintendo1889

  • Members
  • 15 posts
  • Gender:Male

Posted 07 March 2016 - 10:07 AM

    Do we know if filenames are altered, or is this another one that's hard to determine the magnitude of affected files? I'm interested in seeing a few samples of encrypted files if someone has some (for archiving and analysis).

I agree. I would like to know the filename pattern and extensions it uses, to protect our file servers, write custom McAfee VSE rules, etc.


Edited by nintendo1889, 07 March 2016 - 10:08 AM.


#4 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA

Posted 07 March 2016 - 11:02 AM

Writing up a detailed analysis now, but encrypted files are changed to .encrypted.

#5 nintendo1889

  • Members
  • 15 posts
  • Gender:Male

Posted 07 March 2016 - 04:48 PM

    Writing up a detailed analysis now, but encrypted files are changed to .encrypted.

Good, I already have a *.encrypted rule.



#6 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,461 posts
  • Gender:Male
  • Location:USA

Posted 07 March 2016 - 05:15 PM

Posted some analysis here:

Information about the KeRanger OS X Ransomware and How to Remove It.

#7 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,426 posts
  • Gender:Male
  • Location:USA

Posted 07 March 2016 - 05:28 PM

Very interesting, thanks for the analysis.

Does it actually encrypt the whole file, or only part of it? Also, is there a header added onto the file? I'd be interested in seeing a before/after just for signature archiving.




#8 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,426 posts
  • Gender:Male
  • Location:USA

Posted 07 March 2016 - 05:34 PM

Found that the analysis by Palo Alto Networks may have some more technical details on what I was asking.

http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

This part sounds scary if they pull it off.

    Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

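The thread above gives a defender two concrete indicators (files renamed with a `.encrypted` suffix, and the `README_FOR_DECRYPT.txt` ransom note named in the topic title) and raises two open questions: whether the payload encryption is recognisable without the rename, and whether backup locations are affected. The following triage script is an added example, not code from the thread or from any of the posters, and not a KeRanger-specific detection. It walks a tree looking for those two indicators and flags any other file whose leading bytes look like ciphertext by Shannon entropy; the entropy threshold, the sample size, and the constructed sample tree are assumptions.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Indicators stated in the thread: encrypted files get a ".encrypted" suffix and the
# ransom note is named README_FOR_DECRYPT.txt. Everything else below is an assumption.
ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE_NAME = "README_FOR_DECRYPT.txt"
# Assumed triage cut-off: ciphertext approaches 8 bits/byte, ordinary documents sit
# well below. Compressed media (JPEG, ZIP) also score high, so this is a lead, not proof.
ENTROPY_THRESHOLD = 7.0
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root) -> dict:
    """Walk a directory tree and collect ransomware indicators into one report."""
    report = {
        "encrypted_files": [],         # renamed with the suffix the thread reports
        "ransom_notes": [],            # dropped ransom notes
        "high_entropy_unrenamed": [],  # possible encryption without a rename
        "dirs_with_notes": set(),
    }
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                report["ransom_notes"].append(str(path))
                report["dirs_with_notes"].add(dirpath)
            elif name.endswith(ENCRYPTED_SUFFIX):
                report["encrypted_files"].append(str(path))
            else:
                try:
                    with open(path, "rb") as fh:
                        sample = fh.read(SAMPLE_BYTES)
                except OSError:
                    continue  # unreadable; skip rather than abort the whole scan
                if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
                    report["high_entropy_unrenamed"].append(str(path))
    return report


def build_sample_tree() -> str:
    """Constructed sample tree (not real victim data) holding one of each indicator."""
    root = tempfile.mkdtemp(prefix="keranger_triage_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    rng = random.Random(42)  # deterministic stand-in for ciphertext bytes
    (docs / "notes.txt").write_text("quarterly planning notes\n" * 40)  # low entropy
    (docs / "report.docx.encrypted").write_bytes(rng.randbytes(SAMPLE_BYTES))
    (docs / RANSOM_NOTE_NAME).write_text("Your files are encrypted.\n")
    (docs / "ledger.bin").write_bytes(rng.randbytes(SAMPLE_BYTES))  # encrypted, not renamed
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for key in ("encrypted_files", "ransom_notes", "high_entropy_unrenamed"):
        print(f"{key}: {len(report[key])}")
        for p in report[key]:
            print("   ", p)
```

Run it against a user's home directory, and, given the Palo Alto note about Time Machine, against any mounted backup volume as well; a backup set that shows ransom notes or a burst of high-entropy files should not be trusted for restore until it has been examined. The entropy pass exists for the case Demonslay335 asks about (payload encrypted but the name unchanged); treat its hits as candidates for a before/after comparison, since legitimately compressed files will also appear there.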


#9 Lewis80

  • Members
  • 5 posts

Posted 21 May 2016 - 10:44 PM

Hi,

I uploaded files for testing; it says that this type can be decrypted.

What do I do from here?



#10 Demonslay335 (Ransomware Hunter)

  • Security Colleague
  • 3,426 posts
  • Gender:Male
  • Location:USA

Posted 22 May 2016 - 09:06 AM

More likely you were hit by Crypt0L0cker if your files have .encrypted appended. KeRanger was short lived and only infected Macs.



#11 cybercynic

  • Members
  • 557 posts
  • Gender:Male
  • Location:Edge Of Tomorrow

Posted 22 May 2016 - 08:04 PM

FWIW, if there's any KeRanger out there, Dr. Web says they can decrypt it. Unless you had one of their security products on the date of infection, it will cost you (probably 150 Euros).

We are drowning in information - and starving for wisdom.


#12 Lewis80

  • Members
  • 5 posts

Posted 23 May 2016 - 12:23 AM

    More likely you were hit by Crypt0L0cker if your files have .encrypted appended. KeRanger was short lived and only infected Macs.

Yeah, sorry about that. I read about it after I posted. Just that it came up somehow for KeRanger when I uploaded files for testing. Not sure why.



