KeRanger (also known as OSX.KeRanger.A) is a

ransomware Ransomware is a type of malware that Encryption, encrypts the victim's personal data until a ransom is paid. Difficult-to-trace Digital currency, digital currencies such as paysafecard or Bitcoin and other cryptocurrency, cryptocurrencies are com ...

trojan horse In Greek mythology, the Trojan Horse () was a wooden horse said to have been used by the Greeks during the Trojan War to enter the city of Troy and win the war. The Trojan Horse is not mentioned in Homer, Homer's ''Iliad'', with the poem ending ...

targeting computers running

macOS macOS, previously OS X and originally Mac OS X, is a Unix, Unix-based operating system developed and marketed by Apple Inc., Apple since 2001. It is the current operating system for Apple's Mac (computer), Mac computers. With ...

. Discovered on March 4, 2016, by

Palo Alto Networks Palo Alto Networks, Inc. is an American multinational cybersecurity company with headquarters in Santa Clara, California. The core product is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to ...

, it affected more than 7,000 Mac users. KeRanger is remotely executed on the victim's computer from a compromised installer for

Transmission Transmission or transmit may refer to: Science and technology * Power transmission ** Electric power transmission ** Transmission (mechanical device), technology that allows controlled application of power *** Automatic transmission *** Manual tra ...

, a popular

BitTorrent BitTorrent is a Protocol (computing), communication protocol for peer-to-peer file sharing (P2P), which enables users to distribute data and electronic files over the Internet in a Decentralised system, decentralized manner. The protocol is d ...

client downloaded from the official website. It is hidden in the

.dmg DMG may refer to: Organizations Entertainment * DMG Clearances, music licensor in Delaware, USA * DMG Entertainment, a Chinese-based film production and distribution company * DMG Nashville, a brand of Hollywood Records specializing in country musi ...

file under General.rtf. The .rtf is actually a Mach-O format executable file packed with UPX 3.91. When users click these infected apps, their bundle executable Transmission.app/Content/MacOS/Transmission will copy this General.rtf file to ~/Library/kernel_service and execute this "kernel_service" before any user interface appearing. It encrypts the files with RSA and RSA public key cryptography, with the key for decryption only stored on the attacker's servers. The malware then creates a file, called "readme_to_decrypt.txt", in every folder. When the instructions are opened, it gives the victim directions on how to decrypt the files, usually demanding a payment of one

bitcoin Bitcoin (abbreviation: BTC; Currency symbol, sign: ₿) is the first Decentralized application, decentralized cryptocurrency. Based on a free-market ideology, bitcoin was invented in 2008 when an unknown entity published a white paper under ...

. The ransomware is considered to be a variant of the Linux ransomware Linux.Encoder.1. Transmission Warning

Discovery

On March 4, 2016,

added Ransomeware.KeRanger.OSX to their virus database. Two days after, they published a description and a breakdown of the code.

Propagation

According to

Palo Alto Research Center Future Concepts division (formerly Palo Alto Research Center, PARC and Xerox PARC) is a research and development company in Palo Alto, California. It was founded in 1969 by Jacob E. "Jack" Goldman, chief scientist of Xerox Corporation, as a div ...

, KeRanger was most commonly infected into

from the official website being compromised, then the infected

was uploaded to look like the "real"

. After it was reported, the makers of

issued a new download on the website and pushed out a software update. The only way the malware infected the victim's computer was by using a valid developer signature issued by Apple, which allowed it to bypass Apple's built-in security.

Encryption process

The first time it executes, KeRanger will create three files ".kernel_pid", ".kernel_time" and ".kernel_complete" under ~/Library directory and write the current time to ".kernel_time". It will then sleep for three days. After that, it will collect information about the Mac, which includes the model name and the

UUID A Universally Unique Identifier (UUID) is a 128-bit nominal number, label used to uniquely identify objects in computer systems. The term Globally Unique Identifier (GUID) is also used, mostly in Microsoft systems. When generated according to the ...

. After it collects the information, it uploads it to one of its Command and Control servers. These servers’ domains are all sub-domains of onion ink or onion u, two domains that host servers only accessible over the

Tor network Tor is a free overlay network for enabling anonymous communication. It is built on free and open-source software run by over seven thousand volunteer-operated relays worldwide, as well as by millions of users who route their Internet traffic ...

. After it connects with the Command and Control servers, it returns the data with a "README_FOR_DECRYPT.txt" file. It then tells the user that their files have been encrypted, etc. and that they need to pay a sum of one

, which used to be roughly $400 in

United States dollar The United States dollar (Currency symbol, symbol: Dollar sign, $; ISO 4217, currency code: USD) is the official currency of the United States and International use of the U.S. dollar, several other countries. The Coinage Act of 1792 introdu ...

. KeRanger encrypts each file (e.g. Test.docx) by first creating an encrypted version that uses the .encrypted extension (i.e. Test.docx.encrypted.) To encrypt each file, KeRanger starts by generating a random number (RN) and encrypts the RN with the RSA key retrieved from the C2 server using the RSA algorithm. It then stores the encrypted RN at the beginning of resulting file. Next, it will generate an Initialization Vector (IV) using the original file’s contents and store the IV inside the resulting file. After that, it will mix the RN and the IV to generate an AES encryption key. Finally, it will use this AES key to encrypt the contents of the original file and write all encrypted data to the result file.

Encrypted files

After connecting to the C2 server, it will retrieve the encryption key, then start the process. It will first encrypt the "/Users" folder, then after that "/Volumes" There are also 300 file extensions that are encrypted, such as: * Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .te * Images: .jpg, .jpeg * Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac * Archives: .zip, .rar., .tar, .gzip * Source code: .cpp, .asp, .csh, .class, .java, .lua * Database: .db, .sql * Email: .eml * Certificate: .pem

References

{{Hacking in the 2010s Trojan horses Ransomware MacOS malware