Thanks to Anna Szalay and Xinran Wu of SophosLabs for their behind-the-scenes work on this article.
It’s happened: there’s now ransomware for the Mac, and it’s called OSX/KeRanger-A.
(And, no, if you are a Windows user you are not allowed to be smug, because an injury to one operating system is an injury to all.)
The crooks have largely copied the ransomware formula that works on Windows.
Here’s what the crooks and their malware do:
- Trick you into opening a file you are inclined to trust.
- When you do so, install and run the ransomware program.
- Call home to one of a list of control servers for an encryption key.
- Scramble files in your home directory and on currently-mounted volumes, adding the extension .encrypted each time.
- Put a file called README_FOR_DECRYPT.txt in every directory where a file was encrypted.
What happens if you get infected?
The malware will scramble everything it can find in your home directory (that means in and below /Users/YourNameHere), plus a long list of file types on all mounted volumes such as USB keys, removable disks and network shares (on OS X, that’s everything under /Volumes).
If you try to open any of the .encrypted files, you’ll be confronted with random-looking binary garbage.
In fact, because your files have been strongly encrypted with random keys using the AES algorithm, they are indistinguishable from random garbage.
The random AES keys are then encrypted with an RSA public key downloaded from the crooks; the crooks keep the corresponding RSA private key to themselves, so they end up with the master key to all your files.
If you don’t have a backup from which you can restore your scrambled files, the only practical way to get them back, as far as we can see, is to follow the instructions in the README_FOR_DECRYPT.txt file:
The URL you are sent to is a .onion address, a website visible only inside Tor, better known as the hidden web or the dark web:
If you log in with your personal authentication ID, you’ll get to the main pay page, where you can see how much you’ve deposited so far; once you’ve paid up, the [Download decrypt pack] button will light up, and you can fetch the software and the decryption key you need to get your files back:
We haven’t paid up to see what happens, so we can’t tell you whether we think you’d receive an unscrambling key if you were to pay. We recommend that you don’t pay, but if you do, we understand and respect your choice. (It’s easy to be high and mighty when it’s not your data on the line!)
There’s a Frequently Asked Questions page:
There are even “decrypt one free” and “ask us a question” options, too:
The idea of the “decrypt one free” feature, now commonplace in Windows ransomware, is to try to convince you that the crooks really do have the decryption key for your files, or else they wouldn’t be able to unscramble a file randomly chosen by you.
How does this ransomware arrive?
Most Windows ransomware in recent months arrives via email, embedded in Word documents (.DOC files) that are attached to the email.
This one has been distributed differently – so far, at any rate.
The crooks hacked into the download server of a popular BitTorrent client called Transmission, created a fake version numbered 2.90, and published it as an official download on the site.
The Transmission app itself was very slightly modified: a small snippet of code was added to launch the malware, and the malware itself was added to the Transmission package under the innocent-looking name General.rtf.
Despite its name, General.rtf is not a document but a regular OS X executable file, and the hacked Transmission app launches it under the equally innocent-looking process name kernel_service.
After waiting for 259,200 seconds (72 hours, or three days), the ransomware triggers and the damage listed above is carried out.
Note that the ransomware program doesn’t try to acquire administrative powers, because it doesn’t need them to access your files: if you can write to them, so can any malware that you launch by mistake.
That means you won’t see any dialogs popping up asking for your administrative password. (Some Mac users still wrongly think that a password dialog is an inevitable side-effect of a malware infection, and is thus a handy way to spot that something malicious is about to happen – but that’s not correct.)
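A triage check for the traces named in this section and the one before it, added here as an example in Go; it is not code from the original article or from Sophos. It walks the given directory trees and reports ransom notes called README_FOR_DECRYPT.txt, files carrying the .encrypted extension, and any .rtf file that is really a Mach-O executable, which is what General.rtf is described as above. The Mach-O magic numbers are the standard ones; the page does not describe the real sample’s header beyond saying it is an OS X executable. The tree scanned in main() is constructed for the demo (the paths, file names and contents are made up); on a real Mac you would point Triage at /Users, /Volumes and /Applications.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Findings collects the on-disk traces the article describes.
type Findings struct {
	DisguisedExecutables []string // *.rtf files whose header says Mach-O
	RansomNotes          []string // README_FOR_DECRYPT.txt locations
	EncryptedFiles       int      // files carrying the .encrypted extension
}

// isMachO reports whether the file starts with a Mach-O magic number: 32-bit
// (0xfeedface), 64-bit (0xfeedfacf) or fat/universal (0xcafebabe), in either
// byte order. A genuine RTF document starts with the text "{\rtf" instead.
func isMachO(path string) bool {
	f, err := os.Open(path)
	if err != nil {
		return false
	}
	defer f.Close()
	hdr := make([]byte, 4)
	if _, err := io.ReadFull(f, hdr); err != nil {
		return false // unreadable or shorter than four bytes
	}
	switch binary.BigEndian.Uint32(hdr) {
	case 0xfeedface, 0xcefaedfe, 0xfeedfacf, 0xcffaedfe, 0xcafebabe, 0xbebafeca:
		return true
	}
	return false
}

// Triage walks each root and classifies every regular file it can reach.
// Unreadable entries (common under /Volumes) are skipped rather than fatal.
func Triage(roots ...string) (*Findings, error) {
	res := &Findings{}
	for _, root := range roots {
		err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
			if err != nil || d.IsDir() {
				return nil
			}
			name := d.Name()
			switch {
			case name == "README_FOR_DECRYPT.txt":
				res.RansomNotes = append(res.RansomNotes, path)
			case strings.HasSuffix(name, ".encrypted"):
				res.EncryptedFiles++
			case strings.HasSuffix(strings.ToLower(name), ".rtf") && isMachO(path):
				res.DisguisedExecutables = append(res.DisguisedExecutables, path)
			}
			return nil
		})
		if err != nil {
			return nil, err
		}
	}
	return res, nil
}

// BuildSampleTree writes a constructed layout mimicking the traces above: a
// trojanised Transmission.app carrying a Mach-O "General.rtf", a home folder
// and a USB key holding scrambled files and a ransom note, and a genuine RTF.
func BuildSampleTree(root string) error {
	files := map[string][]byte{
		"Applications/Transmission.app/Contents/Resources/General.rtf": {0xcf, 0xfa, 0xed, 0xfe, 0x07, 0x00, 0x00, 0x01},
		"Users/alice/Documents/notes.rtf":              []byte(`{\rtf1\ansi Constructed real document}`),
		"Users/alice/Documents/thesis.docx.encrypted":  {0x9f, 0x12, 0x44, 0xe0},
		"Users/alice/Documents/README_FOR_DECRYPT.txt": []byte("constructed ransom note"),
		"Users/alice/Pictures/cat.jpg.encrypted":       {0x00, 0x3a, 0x7b},
		"Volumes/USBKEY/budget.xlsx.encrypted":         {0xd1, 0xc3},
	}
	for rel, data := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, data, 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "keranger-triage")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := BuildSampleTree(dir); err != nil {
		panic(err)
	}
	f, err := Triage(dir) // on a real Mac: Triage("/Users", "/Volumes", "/Applications")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", *f)
}
```

The .rtf check is the one worth keeping after this particular outbreak: a document extension on a file whose first four bytes are a Mach-O header is an executable in disguise whatever it is called. The check does not look for a running kernel_service process, which is a job for ps rather than a file walk.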
What to do?
- Consider running a Mac anti-virus that can automatically scan the files you download before you run them for the first time, and that can check out the websites you try to access before your browser gets to them.
- Make regular backups and keep a recent backup copy offline, and preferably also offsite. OS X’s Time Machine backup software can create encrypted backups, so even if the disk they’re stored on is stolen, your backup is safe from prying eyes. That means you can safely exchange backup disks with a friend or family member on a regular basis, so that you each provide the other’s offsite storage.
Sophos products detect and block this malware as OSX/KeRanger-A.
This article claims files are encrypted with a strong AES algorithm but the screen shots from the README state the files are encrypted with 2048-bit RSA not AES.
To keep the article simple, I avoided too much detail, which may have ended up being confusing.
The ransomware encrypts the files using AES, and then encrypts the AES keys with RSA. RSA is too slow to encrypt whole files, so this sort of ‘hybrid cryptosystem’ is almost always used instead. The reason for using RSA at all is that it’s a dual-key encryption algorithm, where the public key locks your data and then only the private key can unlock it. Therefore if the crooks generate the public-private key pair on their server, and only ever send the public key, they really do have the one and only key to your castle.
See…
https://nakedsecurity.sophos.com/2016/03/03/got-ransomware-what-are-your-options/
…in the section “Cracking the encryption.”
Technically, then, the files are encrypted with AES, but unless you have the RSA private key, you can’t unlock the AES keys to unlock the file. If the crooks cared about precision in documentation they could have written “files are protected by RSA”. But, then, they are happy to write “what gonna happen”, so precision in the written word is apparently not their strong point.
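The hybrid scheme that the article describes (a random AES key per file, wrapped with the crooks’ RSA public key) and that the reply above explains again, worked through in Go as an added example. This is not code from the original article, from Sophos or from KeRanger itself, and it works on in-memory byte strings only. AES-256-GCM and RSA-OAEP are assumptions: the page says only “AES” and “2048-bit RSA” and nothing about modes, key sizes or the on-disk format. The sample document is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ScrambledFile is what a KeRanger-style scheme leaves on disk for one file: the
// per-file AES key is there, but only wrapped under the crooks' RSA public key.
type ScrambledFile struct {
	WrappedKey []byte // random AES-256 key, RSA-OAEP encrypted (assumed mode)
	Nonce      []byte // AES-GCM nonce (assumed mode)
	Ciphertext []byte // AES-GCM ciphertext plus authentication tag
}

// newGCM builds an AES-GCM cipher for a raw key; used in both directions.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Scramble encrypts one file under a fresh random AES-256 key and wraps that key
// with the attacker's RSA public key: AES does the bulk work, RSA guards the key.
func Scramble(pub *rsa.PublicKey, plaintext []byte) (*ScrambledFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &ScrambledFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Unscramble is what a genuine "decrypt pack" has to do: unwrap the per-file key
// with the RSA private key, then decrypt. Any other private key fails at step one.
func Unscramble(priv *rsa.PrivateKey, sf *ScrambledFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sf.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sf.Nonce, sf.Ciphertext, nil)
}

// Demo plays both sides: the crooks keep a 2048-bit private key and hand out the
// public half; the victim's machine scrambles a document; recovery is tried with
// an unrelated private key (must fail) and then with the real one.
func Demo(plaintext []byte) ([]byte, error) {
	crooks, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sf, err := Scramble(&crooks.PublicKey, plaintext)
	if err != nil {
		return nil, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	if _, err := Unscramble(stranger, sf); err == nil {
		return nil, errors.New("an unrelated private key unwrapped the file key")
	}
	return Unscramble(crooks, sf)
}

func main() {
	doc := []byte("Constructed sample document: quarterly figures, draft 3.")
	got, err := Demo(doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with the crooks' private key: %q\n", got)
}
```

The point to take from Demo is the one made in the reply above: the scrambled file and the public key together give you nothing, and the only way through is the private key that stays on the crooks’ server. That is why the ransom note can call the files “RSA-encrypted” even though AES did the actual scrambling.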
Would time machine be of any use? Maybe for this specific case, but generally, ransomware could just as well encrypt the backup.
Backup software like Time Machine is excellent, *but whatever you use, keep an offline copy*. Ransomware (or any other malware that reaches out and damages or steals files) that can access your backup drive can mess with your backup files. We recommend keeping an offline copy off-site as well – that protects you not only from cybercrooks but also from fire, flood, theft and so on. (If you keep your laptop and your backup drive in the same bag, chances are a thief will get both at the same time.)
Regarding Time Machine, you mentioned that the ransomware triggers after 3 days. Hypothetically, is there anything that could be done if your only backup contained the dormant ransomware?
If you remove the malware from your computer (e.g. with Sophos Anti-Virus) then you are safe to mount your backup drive without fear of it getting scrambled while it’s mounted, and you can restore any damaged files from the backup.
Even if you accidentally restore the malware, it won’t hit you again unless you run it again…so consider doing another virus check immediately after restoring your files to find and remove any dormant copies that may have come across during the restore process.
And if you backup your files within that 72 hour period, your backup plan is equally screwed, right?
See elsewhere about the general desirability of off-line backups. Just relying on an always-accessible Time Machine volume on your Mac, or online Shadow Copies on Windows, is to leave your backup in harm’s way….
True, if you only take and keep one back up of data.
Better to use grandfather/father/son backups on a stand alone hard drive kept away from the computer.
Luckily, the ransomware didn’t reach my machine
I’ve had real problems with Sophos Home, which I downloaded to run across all of our PCs: it cannot complete a scan. When it fails it also doesn’t terminate the process correctly, which I only discovered after having battery issues. My Mac was draining very quickly and I eventually tracked down the rogue process, which was trying to keep running the scan. I’ve seen that this is a known issue and have now removed the software. The standalone AV element seems to work fine, though.
I’ve used Dropbox for ages as my “off site” backup of data files. It appears that because it’s an image of the “Dropbox” directory on my local disk, then Dropbox off site get encrypted too.
Yes? Or is it safe?
If you have a driver loaded that makes your cloud storage appear as a network shared directory, so that you can access the contents as if they were regular files, then ransomware can do the same and scramble them directly. If you have some sort of autosynch, as it seems you do, where changed files are backed up automatically, the same problem applies if you don’t stop either the ransomware or the synch program in time.
Many auto-synch backup systems keep multiple previous versions of a file, so you can roll back…if so, that might save you.
So my Dropbox files will be at risk is what I hear you saying.
I have a 500GB external USB drive that I just connected and set as the sole Time Machine backup. When this b/u finally finishes, I can turn it off knowing I have all my data and something that can be used to reinstall the entire El Capitan OS-X as it is today.
Sound OK?
Meanwhile, my 3TB Air Drive is shown in TM as “Available” but not selected. It is still powered up, and visible on my LAN.
Would it be safe enough to simply “eject” it, or can the malware mount it? If it can be mounted, I’d need to power-down.
You said “…OS X’s Time Machine backup software can create encrypted backups…” But it doesn’t do that automatically, does it? (I have FileVault turned off.) Or did you have some other encryption tool in mind? Which one?
Time Machine’s encryption is configured when you set up the backup in the first place. It doesn’t depend on you having File Vault enabled on your internal disk (and can have a different password if you do).
Dropbox has versioning enabled for all backed up files and automatically keeps backups of old versions of files that were changed for about 30 days (more if you’re a paying customer).
So if ransomware strikes your machine and everything on the Dropbox folder is encrypted and the encrypted files are synced to dropbox.com, you can still recover the old unencrypted versions of those files using their web interface.
This is just one of the many reasons why I love Dropbox.
Ah! One of those right-clicks that I didn’t notice. Works for files, but not for directories; guess strategy would need to compress all the files into one.
Good to know … Many thanks!
Compressing all files into one has the disadvantage that the version control then treats a change to *any* file in an archive as a change to the whole thing, making it much harder to use the version-tracking feature usefully. (How will you keep track of which file inside the archive triggered the change that required the entire new archive to be uploaded as a new version?)
Great article. The notion that Mac is safer than Windows must be cracked by Apple itself, otherwise Mac users won’t ever pull their collective heads out of the sand.
*You didn’t redact the url in the last picture in your article.
Thanks for [*]. I fixed that.
True. I cringe when I’m at the Genius Bar and overhear a Genius advising a customer that AV causes more problems than it’s worth. Apple should recommend AV vendors such as Sophos whose products don’t cause problems (though I’m a little on the fence with Web Protection). Apple used to recommend Virex, and I believe Disinfectant even farther back.
Is it possible to use CCC for a daily backup, but use an UNMOUNTED but permanently attached drive? So when the CCC script starts, it mounts the target, does the backup, then unmounts the target. Would that protect the target from crypto attack?
It would protect it from *this* ransomware (unless the malware struck while the drive was mounted).
It wouldn’t be foolproof, because in theory if your script could mount-write-unmount the external drive, then so could malware.
OTOH if your script were installed with different privileges to your regular account, malware would have to infect *and* perform some sort of elevation of privilege to attack the removable drive.
In such articles there’s usually a statement of the form “Sophos Endpoint Protection stops OSX/KeRanger-A.” I didn’t see that–only the statement that Sophos Antivirus could remove this cryptolocker. I take that to be the standalone AV offering.
Are we to assume that the user is only protected if he happens to run Sophos Antivirus during the 72-hour window?
Ah, the boldfaced malware name in “Sophos Normal Form” at the start was supposed to convince you we detect it, and therefore (if you have the preventative parts of our software turned on) can block it.
We can find it if it’s already on your computer and we will prevent it running if the on-access scanner is active when it tries to load.
I added a little note at the end of the article, just to make this clear.
Would this be a problem if I continue using my older version of Transmission? (ver. 1.91)
The malware was inside the fake 2.90 version only, so if you didn’t install that, then this issue doesn’t affect you. However, you probably want to update anyway, on the grounds that there are probably now-known security holes fixed since 1.91 came out…
Was info stolen from users’ Macs, like files, passwords or anything like that? And should users worry about anything after the ransomware is removed?
I don’t think it steals anything except the money you have to cough up if you pay to get your data back. If you are confident you have removed this malware and don’t have anything else left behind of the malware sort (a thorough anti-virus scan can help), you ought to be OK…
…but do stop to ask yourself, Could I improve my backup process?
“After waiting for 259,200 seconds (72 hours, or three days), the ransomware triggers and the damage listed above is carried out.”
Why does it need 3 days to get triggered and executed, and why doesn’t it do it right after I open the infected file? (If I understand the first 2 lines correctly.)
Don’t know!
Folks, there are no shortcuts. The only data that is totally inaccessible to malware is data on a drive that is not powered up. Period. If you want to be safe against ransomware, image your drives on external devices, remove them and turn them off. Then and only then are you safe. If you get the malware, boot from your backup image, and restore your computer. Anything else can be compromised, if not today, then tomorrow.