Ransomware arrives on the Mac: OSX/KeRanger-A – what you need to know

Thanks to Anna Szalay and Xinran Wu of SophosLabs for their behind-the-scenes work on this article.

It’s happened: there’s now ransomware for the Mac, and it’s called OSX/KeRanger-A.

(And, no, if you are a Windows user you are not allowed to be smug, because an injury to one operating system is an injury to all.)

The crooks have largely copied the ransomware formula that works on Windows.

Here’s what the crooks and their malware do:

  • Trick you into opening a file you are inclined to trust.
  • When you do so, install and run the ransomware program.
  • Call home to one of a list of control servers for an encryption key.
  • Scramble files in your home directory and on currently-mounted volumes, adding the extension .encrypted each time.
  • Put a file called README_FOR_DECRYPT.txt in every directory where a file was encrypted.

What happens if you get infected?

The malware will scramble everything it can find in your home directory (that means in and below /Users/YourNameHere), and a long list of file types on all mounted volumes such as USB keys, removable disks and network shares (on OS X, that’s everything under /Volumes).

If you try to open any of the .encrypted files, you’ll be confronted with random-looking binary garbage.

In fact, because your files have been strongly encrypted with random keys using the AES algorithm, they are indistinguishable from random garbage.

The random AES keys are then encrypted with an RSA public key downloaded from the crooks; the crooks keep the corresponding RSA private key to themselves, so they end up with the master key to all your files.
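The two on-disk traces the article describes, a README_FOR_DECRYPT.txt note and files renamed with .encrypted whose contents look like random bytes, are enough for a simple incident-response triage scan. The following is an added example (not code from the article or from Sophos): it walks a directory tree, collects ransom notes, and measures byte entropy of each .encrypted file so that genuine AES ciphertext (close to 8 bits per byte) is separated from a file that merely happens to carry that extension. The sample tree it builds is constructed for the demonstration; the 7.5-bit threshold is an assumed cut-off.

```python
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "README_FOR_DECRYPT.txt"   # note name reported in the article
ENCRYPTED_EXT = ".encrypted"              # extension reported in the article

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; AES ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_tree(root: str, threshold: float = 7.5) -> dict:
    """Walk root and collect KeRanger-style indicators: ransom notes plus
    .encrypted files, bucketed by whether their content looks like ciphertext."""
    findings = {"notes": [], "encrypted": [], "ext_only_low_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                findings["notes"].append(path)
            elif name.endswith(ENCRYPTED_EXT):
                with open(path, "rb") as fh:
                    ent = shannon_entropy(fh.read(65536))  # sample first 64 KiB
                bucket = "encrypted" if ent >= threshold else "ext_only_low_entropy"
                findings[bucket].append(path)
    return findings

def demo() -> dict:
    """Constructed sample tree: one ransom note, one random-looking .encrypted
    file, and one .encrypted file that is really plain text (a false positive)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Documents", RANSOM_NOTE), "w") as fh:
        fh.write("constructed ransom note placeholder\n")
    with open(os.path.join(root, "Documents", "thesis.docx.encrypted"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for AES ciphertext
    with open(os.path.join(root, "notes.txt.encrypted"), "wb") as fh:
        fh.write(b"just some ordinary text, repeated. " * 100)
    return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```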

If you don’t have a backup from which you can restore your scrambled files, the only practical way to get them back, as far as we can see, is to follow the instructions in the README_FOR_DECRYPT.txt file:

The URL you are sent to is a .onion address, a website visible only inside Tor, better known as the hidden web or the dark web:

If you log in with your personal authentication ID, you’ll get to the main pay page, where you can see how much you’ve deposited so far; once you’ve paid up, the [Download decrypt pack] button will light up, and you can fetch the software and the decryption key you need to get your files back:

We haven’t paid up to see what happens, so we can’t tell you whether we think you’d receive an unscrambling key if you were to pay. We recommend that you don’t pay, but if you do, we understand and respect your choice. (It’s easy to be high and mighty when it’s not your data on the line!)

There’s a Frequently Asked Questions page:

There are even “decrypt one free” and “ask us a question” options, too:

The idea of the “decrypt one free” feature, now commonplace in Windows ransomware, is to try to convince you that the crooks really do have the decryption key for your files, or else they wouldn’t be able to unscramble a file randomly chosen by you.

How does this ransomware arrive?

Most Windows ransomware in recent months arrives via email, embedded in Word documents (.DOC files) that are attached to the email.

This one has been distributed differently – so far, at any rate.

The crooks hacked into the download server of a popular BitTorrent client called Transmission, created a fake version numbered 2.90, and published it as an official download on the site.

The Transmission app itself was very slightly modified to include an additional snippet of code to run the malware, which was added to the Transmission package under the innocent-looking name General.rtf.

The General.rtf file is, in fact, a regular OS X executable file, and it is launched under the innocent-looking name kernel_service by the hacked Transmission app.

After waiting for 259,200 seconds (72 hours, or three days), the ransomware triggers and the damage listed above is carried out.
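The article's two infection-chain indicators, a file called General.rtf inside the Transmission package that is really an OS X executable, and a process running as kernel_service, can be checked for directly. The following is an added example (not code from the article or from Sophos): it walks an app bundle for a General.rtf whose first bytes are a Mach-O magic number rather than an RTF header, and filters a list of process names for kernel_service. The article does not say where inside the package the file sits, so the whole bundle is walked; the bundles and process list below are constructed for the demonstration.

```python
import os
import tempfile

# Names taken from the article: the payload was hidden in the Transmission
# package as General.rtf and is launched under the name kernel_service.
PAYLOAD_NAME = "General.rtf"
PROCESS_NAME = "kernel_service"

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat-binary magic.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe"}

def is_macho(path: str) -> bool:
    """True if the file's first four bytes are a Mach-O or fat-binary magic."""
    with open(path, "rb") as fh:
        return fh.read(4) in MACHO_MAGICS

def find_disguised_executables(bundle: str, name: str = PAYLOAD_NAME) -> list:
    """Return paths inside bundle whose name claims to be a document (.rtf)
    but whose content is actually a Mach-O executable."""
    hits = []
    for dirpath, _dirs, files in os.walk(bundle):
        for f in files:
            p = os.path.join(dirpath, f)
            if f == name and is_macho(p):
                hits.append(p)
    return hits

def suspicious_processes(names) -> list:
    """Filter process names (e.g. the output of `ps -axo comm`) for the name
    the article reports the payload running under; paths are reduced to basename."""
    return [n for n in names if os.path.basename(n) == PROCESS_NAME]

def demo() -> dict:
    """Constructed bundles: a genuine RTF under the expected name in one copy,
    a Mach-O header under that name in the other."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "Clean", "Transmission.app", "Contents")
    bad = os.path.join(root, "Tampered", "Transmission.app", "Contents")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, PAYLOAD_NAME), "wb") as fh:
        fh.write(b"{\\rtf1\\ansi Hello}")               # genuine RTF header
    with open(os.path.join(bad, PAYLOAD_NAME), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)    # 64-bit Mach-O magic, constructed
    procs = ["launchd", "Transmission", "/Users/x/Library/kernel_service"]  # constructed
    return {"clean": find_disguised_executables(os.path.join(root, "Clean")),
            "tampered": find_disguised_executables(os.path.join(root, "Tampered")),
            "procs": suspicious_processes(procs)}
```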

Note that the ransomware program doesn’t try to acquire administrative powers, because it doesn’t need them to access your files: if you can write to them, so can any malware that you launch by mistake.

That means you won’t see any dialogs popping up asking for your administrative password. (Some Mac users still wrongly think that a password dialog is an inevitable side-effect of a malware infection, and is thus a handy way to spot that something malicious is about to happen – but that’s not correct.)

What to do?

  • Consider running a Mac anti-virus that can automatically scan the files you download before you run them for the first time, and that can check out the websites you try to access before your browser gets to them.
  • Make regular backups and keep a recent backup copy offline, and preferably also offsite. OS X’s Time Machine backup software can create encrypted backups, so even if the disk they’re stored on is stolen, your backup is safe from prying eyes. That means you can safely exchange backup disks with a friend or family member on a regular basis, so that you each provide the other’s offsite storage.

Sophos products detect and block this malware as OSX/KeRanger-A.

This article is also available in French and Spanish.