KeRanger Mac ransomware is a version of Linux ransomware

The first fully functioning Mac ransomware is actually derived from the first notable piece of ransomware for Linux servers, but the decryption tools available to Linux victims may not be delivered for Macs.

According to security firm Bitdefender, the trojanised Mac torrent-client installer known as KeRanger is “virtually identical” to the fourth version of Linux.Encoder, a trojan that has been doing the rounds on Linux servers since the beginning of the year.

“The encryption functions are identical and have the same names: encrypt_file, recursive_task, currentTimestamp and createDaemon, to only mention a few. The encryption routine is identical to the one employed in Linux.Encoder,” said Catalin Cosoi, chief security strategist at Bitdefender.

Linux.Encoder emerged late last year, taking advantage of poorly configured Linux web servers to encrypt files and shake down admins for a few hundred dollars. The ransomware was quickly iterated on, but Bitdefender researchers have in some instances been able to provide tools to decrypt files locked by the trojan.

It was expected the enterprising developers would try to improve the Linux ransomware, so it’s not so surprising to see a pivot to Macs.

While Bitdefender has developed tools to help victims of Linux.Encoder unlock encrypted files, and KeRanger is essentially the same malware, the security firm is reluctant to develop an equivalent tool to unscramble Mac files.

It’s not for a lack of sympathy for victims of KeRanger, but Bitdefender chief security researcher Alex Balan told CSO Australia that developing such a tool may ultimately benefit the makers of KeRanger.

“If we were to invest in decryption tools for KeRanger, we would be giving the developers an upper hand and that wouldn’t necessarily be good for other [Mac] users,” he said.

Besides that, Bitdefender hadn’t received a single request from KeRanger victims for assistance decrypting files, said Balan, whereas it did receive multiple requests from admins whose servers were infected with Linux.Encoder.

Balan said Bitdefender had released decryption tools for the first two versions of Linux.Encoder, but was still working on tools for versions three and four.

“We want to see how this plays out,” Balan said, referring to the actual number of KeRanger victims and whether there is any demand for a similar tool to unlock files.

The KeRanger Mac ransomware, discovered last Friday by Palo Alto Networks, was bundled with an installer file for the Mac BitTorrent client Transmission that was signed using a legitimate Apple-approved developer certificate, though not Transmission's developer certificate.

Apple revoked the certificate on Friday to stop further installs. Transmission told Forbes yesterday that about 6,500 Macs had installed the infected file in the few hours between it becoming available and Apple's and Transmission's efforts to neuter it.
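The point above is that a valid Apple-issued Developer ID signature alone says nothing about who signed the bundle: the KeRanger installer passed Gatekeeper because its certificate was legitimate, not because it belonged to Transmission's developer. The following added example (not code from the article, Bitdefender or the Transmission project) shows the check a defender can run on the output of `codesign -dv --verbose=4 /Applications/Transmission.app 2>&1`: it parses the certificate chain and compares the Team ID against an allowlist for the bundle identifier. The codesign output, the bundle identifier and both Team IDs are constructed placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `codesign -dv --verbose=4` output (codesign prints it on
# stderr) for a bundle that carries a VALID Developer ID chain rooted at Apple,
# but issued to a team that is not the expected developer. Team IDs are placeholders.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Transmission.app/Contents/MacOS/Transmission
Identifier=org.m0k.transmission
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Some Other Developer (ZZZZZZZZZZ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZZZZZZ
"""

# Allowlist: bundle identifier -> Team ID of the developer we expect to have signed it.
# The bundle identifier and Team ID here are assumptions for the example.
EXPECTED_TEAMS: Dict[str, str] = {"org.m0k.transmission": "EXPECTEDTEAM"}


def parse_codesign(output: str) -> Dict[str, List[str]]:
    """Turn key=value lines into a dict; repeated keys (Authority) keep chain order."""
    fields: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = re.match(r"^([A-Za-z]+)=(.*)$", line.strip())
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return fields


def check_signer(output: str, expected: Dict[str, str]) -> str:
    """Classify a signature: ok / team-mismatch / unsigned / untrusted-chain / unknown-identifier."""
    fields = parse_codesign(output)
    ident: Optional[str] = fields.get("Identifier", [None])[0]
    team: Optional[str] = fields.get("TeamIdentifier", [None])[0]
    chain = fields.get("Authority", [])
    if not chain or team in (None, "not set"):
        return "unsigned"            # ad-hoc or no Developer ID chain at all
    if chain[-1] != "Apple Root CA":
        return "untrusted-chain"     # Gatekeeper would already reject this
    want = expected.get(ident or "")
    if want is None:
        return "unknown-identifier"  # nothing to compare against; review manually
    if team != want:
        return "team-mismatch"       # valid Apple cert, wrong developer: the KeRanger pattern
    return "ok"
```

Gatekeeper's own verdict (`spctl --assess`) only flips to reject after Apple revokes the certificate, as happened here; the Team ID comparison catches the wrong-developer case before that.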

While that is a low number compared to some variants of Windows ransomware, KeRanger may have infected more machines than Linux.Encoder did over three months.

It also appears the makers of KeRanger are working on a way to encrypt Time Machine backup files, which would prevent users from recovering backed up data. Still, attacking networked storage isn’t anything new for Windows ransomware attackers.

Microsoft recently stressed that the best way to protect recovery files and databases from ransomware is the “pre-defence” measure of backing up to disconnected or remote storage. That means backing up to, say, a flash drive once a week and then unplugging it from the PC.

Tags: Liam Tung, Linux, KeRanger, Mac, ransomware, Bitdefender, decryption, CSO Australia