What You Should Know About KeRanger Mac Ransomware Virus

KeRanger is the first working Mac ransomware: it is not theoretical but real and in the wild. The compromised Transmission app was distributed from the official Transmission website earlier this spring. It carried a completely different code signature from the one previously used to sign Transmission, which indicates that the app itself had been modified and re-signed by the attacker.

The tampered copy of Transmission contains a file called General.rtf that is in fact an executable, not the rich-text document it claims to be. When the app is launched, this file is copied to another file called kernel_service in the user's Library folder. The kernel_service process then runs continuously in the background and creates further processes and files, among them kernel_time. That file holds a timestamp used to determine when three days have passed. After three days the ransomware “explodes” and begins encrypting all documents.

It encrypts every file in the Users folder, along with files that have common document extensions in the Volumes folder, which covers attached external hard drives, network servers and similar volumes. In every directory where files have been encrypted, a file named README_FOR_DECRYPT.txt is created with instructions on how to buy a decryption key.

Because this ransomware encrypts external disks and mounted network volumes, it can also encrypt backups, such as Time Machine backups stored on a Time Capsule. Worse, the app contains a small script named _encrypt_timemachine. So the backups you would want to keep intact in case of a ransomware attack may also fall victim to this virus.

Surprisingly, the virus uses no persistence techniques at all. The kernel_service process keeps running, but if you reboot the Mac it will not start again automatically. The infected Transmission app has to be opened again for the malicious process to be reactivated.
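The artefacts described in the preceding paragraphs (the dropped kernel_service and kernel_time files, the fake General.rtf, the README_FOR_DECRYPT.txt notes and the non-persistent background process) can be checked for from a terminal. The script below is an added example written for this page, not code from the original post or from the Transmission project; the location of General.rtf inside the app bundle is an assumption, since the post does not give a path.

```shell
#!/bin/sh
# Added example: look for the KeRanger indicators described in the post.
# The General.rtf path inside the bundle is assumed, not taken from the post.
#
# keranger_scan [HOME_DIR] [TRANSMISSION_APP]
#   Prints one line per indicator found. Returns 1 if anything was found, 0 if clean.
keranger_scan() {
    home_dir=${1:-$HOME}
    app_dir=${2:-/Applications/Transmission.app}
    hits=0

    # 1. The dropped kernel_service executable and the kernel_time timestamp
    #    file, both written into the user's Library folder.
    for name in kernel_service kernel_time; do
        if [ -e "$home_dir/Library/$name" ]; then
            echo "INDICATOR: dropped file $home_dir/Library/$name"
            hits=$((hits + 1))
        fi
    done

    # 2. A General.rtf that is not really a rich-text document (assumed
    #    location inside the bundle). A genuine RTF file starts with "{\rtf".
    rtf="$app_dir/Contents/Resources/General.rtf"
    if [ -f "$rtf" ] && [ "$(head -c 5 "$rtf")" != '{\rtf' ]; then
        echo "INDICATOR: $rtf is not an RTF document"
        hits=$((hits + 1))
    fi

    # 3. Ransom notes left in every directory whose files were encrypted.
    notes=$(find "$home_dir" -name README_FOR_DECRYPT.txt 2>/dev/null || true)
    if [ -n "$notes" ]; then
        echo "INDICATOR: ransom note(s) present:"
        echo "$notes"
        hits=$((hits + 1))
    fi

    # 4. The background process itself. It has no persistence, so it is gone
    #    after a reboot unless the trojanised app is opened again.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x kernel_service >/dev/null 2>&1; then
        echo "INDICATOR: kernel_service process is running"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}
```

Run `keranger_scan` with no arguments on the Mac in question; a non-zero exit status with the printed indicators means the machine should be treated as infected and the findings preserved before removing the app.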

Apple has also added detection for this ransomware and revoked the developer certificate used to sign the malicious copy of Transmission, so new infections are no longer possible without an updated version of KeRanger. It is worth noting, however, that if you have launched the infected copy of Transmission on your Mac even once, Apple's checks will not stop it from being launched again: your Mac already regards it as safe because it was allowed to run before.

Many people may be tempted to pay the ransom to get their files back. That is a terrible idea. In the Windows world, paying the ransom often results in a key that does not decrypt the files properly; it can also mean sending money to the attackers and getting nothing in return, or receiving a key that simply does not work because the ransomware was poorly written.

If you have installed Transmission recently, the safest course is to remove the app and restart your computer. That prevents KeRanger from being reactivated.

This is not the first time Apple users have been attacked through a torrent client, but in the past such problems were limited to adware. Think carefully before using torrent clients in the future.