For the first time, a ransomware called KeRanger has been developed for the Mac OS X operating system and has been actively infecting users. This ransomware was first discovered by Palo Alto Networks on March 4th when they received reports that the legitimate Transmission Bittorrent client was replaced with a malicious version.  

When users downloaded the malicious version of Transmission, the bundled KeRanger ransomware was also installed where it sleeps for 3 days before awakening and encrypting the victim's Mac.  As today is the third day since this malware was released, many victim's will begin to realize that their files have been encrypted.

Once a user's files are encrypted, the ransomware will also create ransom notes that explain what has happened to the files. These notes also provide instructions that the victim must pay 1 bitcoin to purchase a decryptor and how they can make this payment. 

Apple has already revoked this certificate and added definitions for the malicious version of Transmission in their XProtect antimalware software, so user's are no longer able to install this particular version of the application. Furthermore, a new version of Transmission was released that detects and removes this ransomware.

Transmission Homepage Message
Transmission Homepage Message

It is currently unknown how the files on Transmission's website were altered, but starting on March 4th, 2016 the legitimate download was replaced with a malicious version that installed KeRanger. Furthermore, this malicious version was digitally signed using a valid certificate for a Turkish company. This certificate ended with the (ID Z7276PX673).

Developer ID used to sign Transmission affected by KeRanger
Developer ID used to sign Transmission affected by KeRanger

For those who are not interested in the technical details regarding this ransomware, you can skip to the section on how to remove KeRanger. For those who wish to discuss the KeRanger ransomware or have questions regarding it, we also have a discussion and help topic here: KeRanger Support and Help Topic.

The KeRanger Encryption Process

When a user installed and executed the malicious version of the Transmission application, an included file called General.rtf was copied to ~/Library/kernel_service and executed. General.rtf is the main executable for the KeRanger ransomware and was masquerading as a RTF document. Once this file is copied to kernel_service and executed it will create two files called ~/Library/.kernel_pid and ~/Library/.kernel_time. The kernel_pid file contains the process ID for the running kernel_service process and the .kernel_time file will contain a timestamp of when the ransomware was first executed.

General.rtf
Malicious General.rtf File

KeRanger will then sleep for three days and by comparing the current time with the timestamp stored in the .kernel_time file, will awaken after three days have passed.  Once awakened, KeRanger will contact one of three TOR Command & Control servers and send information about the machine and receive an encryption key that it will use to encrypt the victim's files. The known Command & Control servers that KeRanger attempts to connect to are:

lclebb6kvohlkcml.onion.link
lclebb6kvohlkcml.onion.nu
bmacyzmea723xyaz.onion.link
bmacyzmea723xyaz.onion.nu
nejdtkok7oz5kjoc.onion.link
nejdtkok7oz5kjoc.onion.nu

Once an encryption key is received from the Command & Control server, KeRanger will scan all of the files under the the /Users and /Volumes folders for files that contain certain extensions.  Due to its scanning of the /Volumes folder, any external drives plugged into the computer would also be scanned and encrypted. When a matching file is found it will encrypt it using AES encryption and add the .encrypted extension to the filename. For example, test.jpg would become test.jpg.encrypted.

Encrypted Documents
Encrypted Documents

The file extensions targeted by KeRanger are:

.3dm, .3ds, .3g2, .3gp, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .asx, .avi, .back, .backup, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .cdb, .cdf, .cdr, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .class, .cls, .cmt, .cnv, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .db, .db3, .dbf, .dbr, .dbs, .dc2, .dcr, .dcs, .dcx, .ddd, .ddoc, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .ebd, .edb, .eml, .eps, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fm, .fp7, .fpx, .fxg, .gdb, .gray, .grey, .grw, .gry, .hbk, .hpp, .ibd, .idx, .iif, .indd, .java, .jpe, .jpeg, .jpg, .kdbx, .kdc, .key, .laccdb, .lua, .m4v, .maf, .mam, .maq, .mar, .maw, .max, .mdb, .mdc, .mde, .mdf, .mdt, .mef, .mfw, .mmw, .mos, .mov, .mp3, .mp4, .mpg, .mpp, .mrw, .mso, .myd, .ndd, .nef, .nk2, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx1, .nx2, .nyf, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .one, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pages, .pas, .pat, .pbo, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pip, .pl, .plc, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .ptx, .pub, .puz, .py, .qba, .qbb, .qbm, .qbw, .qbx, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rwz, .sas7bdat, .say, .sd0, .sda, .sdf, .snp, .sql, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .txt, .vob, .vsd, .vsx, .vtx, .wav, .wb2, .wbk, .wdb, .wll, .wmv, .wpd, .wps, .x11, .x3f, .xla, .xlam, .xlb, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xpp, .xsn, .yuv, .zip, .tar, .tgz, .gzip, .tib, .sparsebundle

In each folder that a file is encrypted, KeRanger will also create a ransom note titled README_FOR_DECRYPT.txt. This ransom note contains information on what happened to the victim's files and instructions on making the payment.

README_FOR_DECRYPT.txt Ransom Note
README_FOR_DECRYPT.txt Ransom Note

Inside the ransom note is the address for the TOR payment site that the victim's must connect to in order to pay the ransom and download the decryptor. This payment server is described in more detail in the next section.

Finally, KeRanger will create a file called ~/Library/.kernel_complete that contains the string "do not touch this". The presence of this file is to probably indicate that the computer has already been encrypted and that further executions of the ransomware do not encrypt the same data another time.

The KeRanger Payment Site

When a Mac is infected, KeRanger will create ransom notes called README_FOR_DECRYPT.txt in every directory that a file was encrypted. This ransom note will explain that the files have been encrypted and the only way to get them back is to pay a 1 bitcoin ransom. In order to pay the ransom, the victim needs to go to the fiwf4kwysm4dpw5l.onion site, make a ransom payment, and then download their decryptor.

When a victim goes to this site they will be shown a login prompt where they will need to enter the bitcoin address that was listed in the ransom note.

Payment Server Login Page
Payment Server Login Page

Once the victim logs in with their assigned bitcoin address they will be shown a page that contains a list of support requests that were created by the victim. At the top of every page on the payment site will also be the options to perform a free decryption of one file, the ransom amount that you must pay, the bitcoin address you must send the payment to, and how much has been paid. 

Payment Server Support Tickets Page
Tickets Page

If a user clicks on the Decrypt 1 file free option, they can upload an encrypted file and the service will decrypt it for free.  In my tests this feature is currently not working correctly.

Broken Free Decryption Service
Broken Free Decryption Service

In the navigation header is also a link to a FAQ page where there are answers to frequently asked questions. 

FAQ
FAQ

Finally, if a victim pays the ransom, the button labeled Download decryption pack will be enabled so that a victim can download the decryptor for their specific computer. Please note, that decryptors for one computer will not work on another victim's computer.

How to remove KeRanger

I have put together a tool that can be used to assist in removing the KeRanger infection from a Mac. When executed, this tool will quarantine all the files associated with the KeRanger infection and also create a list of all encrypted files on the Mac.  It will not decrypt the encrypted files for you. Unfortunately, at this time the only way to recover your files is through a backup or by paying the ransom.

To use the KeRanger Removal Tool, please download it from the following location and save it on the infected Mac.

img
KeRanger Removal Tool Download

Once you download the tool simple double-click on the KeRanger-Removal-Tool.zip file to extract the application. Once the application is extracted, double-click on it to start the program.

KeRanger Removal Tool
KeRanger Removal Tool

To start the program, click on the I Agree button and the program will begin to search for signs of the malicious version of Transmission, unmount it if detected, quarantine the KeRanger files, and then create a list of the encrypted files on your Mac.  When it is done, there will be 2 new files on your desktop called keranger-remover.txt and encrypted_files_list.txt.

The Keranger-remover.txt file is a log file that describes what has been detected on your computer and the encrypted_files_list.txt file will contain a list of all the encrypted files on your computer.  Finally, there will be a folder on your desktop called keranger-quarantine, which contains all of the files removed by the tool. Please note that some of the KeRanger files start with a period (.) and will be hidden in Finder. The only way to view these quarantined files is in Terminal.

If you do not plan on paying the ransom, you can just delete the app and quarantine folder from your computer. If KeRanger was detected, you should also remove the Transmission application as well.

On the other hand, if you do plan on paying the ransom, you should print and keep one copy of the ransom note as you will need that to pay the ransom. You can then delete everything else.

If you need any help with this procedure, please feel free to ask in our KeRanger Support and Help Topic.

Files associated with KeRanger Ransomware

~/Desktop/README_FOR_DECRYPT.txt
~/Library/.kernel_complete
~/Library/.kernel_pid
~/Library/.kernel_time
~/Applications/Transmission.app/Contents/Resources/General.rtf
/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf