It’s likely that the first functional ransomware for OS X is a dud.
Discovered on Friday by researchers at Palo Alto Networks, the KeRanger ransomware sits dormant for three days before encrypting files from a comprehensive list of 300 file extensions; today would be Day 3. The malware was included in a Trojanized version of the popular BitTorrent installer Transmission and was signed with a legitimate Apple developer certificate.
Since Transmission has made a patched version of its installer available and Apple has revoked the signing certificate used to build the ransomware, it’s likely that any significant damage has been mitigated. Apple also updated its XProtect malware protection with a new signature that detects KeRanger. That said, Mac users who grabbed Transmission 2.90 and have either disabled Gatekeeper or did not receive the XProtect update could have data stored on their Macs encrypted and held for ransom.
“Some people will have some files encrypted, but I think it will be small,” said Ryan Olson, director of threat intelligence at Palo Alto. “The three parties working quickly prevented this from being a much bigger issue for Transmission and Apple.”
John Clay of Transmission told Threatpost that the project has taken measures to secure its webservers as it investigates the compromise, and expects to post an update in the coming days with more information. Clay and Palo Alto’s Olson don’t expect the number of infected machines to be significant given the timing and quick detection of the attack.
“Our best guess at this point is that approximately 6,500 infected disk images were downloaded. Of those, our presumption is that many were unable to run the infected file due to Apple quickly revoking the certificate used to sign the binary, as well as updating the XProtect definitions,” Clay said. “We’re waiting on confirmation from Apple on that.”
Palo Alto researchers Claud Xiao and Jin Chen found the malware on Friday and disclosed privately to Apple and Transmission over the weekend before publicly disclosing on Sunday.
It’s unknown how badly the open source Transmission project was compromised by the attackers, who at a minimum likely had access to the project’s web server and were thus able to swap in their malicious installer. The fact that it was signed with a legitimate Apple certificate allows the ransomware to slip past Gatekeeper to infect OS X computers. Gatekeeper has been around since OS X Mountain Lion and checks that any apps or software downloaded from the Web come from the official Apple App Store, or are signed with a developer certificate.
Clay said that Transmission’s Sparkle auto-update mechanism was not compromised, and would have failed to update to the infected binary because the hash was different.
“Further, our third-party cache (CacheFly) was not compromised, which is where many of the software update websites link to (MacUpdate et al),” Clay said. “We’ve also confirmed that a user with an infected version can successfully auto-update to the legitimate releases of 2.91 or 2.92, with 2.92 actively attempting to remove the malware.”
The ransomware’s three-day waiting period, meanwhile, is about the only feature that distinguishes KeRanger from samples that have run rampant on the Windows side. Olson said KeRanger appears to have been built specifically to run on OS X and is not a knock-off of a Windows family of ransomware. The malware is designed to sleep for three days before encrypting files and demanding one Bitcoin from the victim, which is about $400. Like ransomware families on the Windows side, the attackers offer victims one free file decryption as proof they have the key. The three-day quiet period, however, is a differentiator.
“If I were to download Transmission today and install it, and five minutes later, all my files were encrypted, savvy users would notice the connection to the Transmission download. They’d tweet about it, complain on forums and Transmission would know about it and take it down,” Olson explained. “The waiting period avoids that connection being made on the users’ behalf. If I download on Friday and things don’t get encrypted until Monday, I would have done a lot of other things in the meantime, like downloading stuff from BitTorrent, that would disconnect the user from thinking Transmission was infected. Now the attacker does not have the benefit of the three-day period.”
Olson said that the Apple developer cert was generated on Friday and belongs to the developer ID: POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673), which is different than the previous legitimate certificate belonging to Transmission. The malware drops a file called General.rtf in the Transmission app directory; the file’s job is to encrypt files. From Palo Alto’s report:
“It uses an icon that looks like a normal RTF file but is actually a Mach-O format executable file packed with UPX 3.91. When users click these infected apps, their bundle executable Transmission.app/Content/MacOS/Transmission will copy this General.rtf file to ~/Library/kernel_service and execute this “kernel_service” before any user interface appears.”
The file collects the compromised machine’s model name and UUID, uploading that data to a command and control server. The C2 server responds with two lines of code, the RSA public key, and a README text file with instructions on how to pay the ransom through a specific Tor website. The executable then encrypts all files with any of the 300 file extensions under the Users and Volumes directories; the extensions cover documents, audio, video, archives, source code, database, email, and certificates.
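The drop-and-execute sequence above, together with the revoked developer ID and Gatekeeper signing check described earlier, gives a Mac owner a handful of concrete things to look for. The following script is an added example (not code from Threatpost, Transmission or Palo Alto Networks) that checks for those indicators from the defender's side; the install path /Applications/Transmission.app and the use of `codesign` for the Team ID check are assumptions.

```shell
#!/bin/sh
# Added example, not code from Threatpost, Transmission or Palo Alto Networks:
# a defender-side check for the KeRanger indicators named in the article
# (General.rtf inside the Transmission bundle, ~/Library/kernel_service,
# the revoked developer ID Z7276PX673). Install paths are assumptions.

KERANGER_TEAM_ID="Z7276PX673"   # developer ID named in the article (revoked by Apple)

# True if the file starts with a Mach-O magic number. KeRanger's General.rtf
# carries an RTF icon but is a UPX-packed Mach-O binary, so an "RTF" with
# this header is a strong indicator. $1 = path.
is_macho() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedface|cefaedfe|feedfacf|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per indicator found under a user home ($1) and a
# Transmission.app bundle ($2); exit status 0 when anything was found.
keranger_file_indicators() {
    home="$1"; app="$2"; found=1
    if [ -e "$home/Library/kernel_service" ]; then
        echo "dropped executable present: $home/Library/kernel_service"; found=0
    fi
    if [ -d "$app" ]; then
        for rtf in $(find "$app" -name General.rtf 2>/dev/null); do
            if is_macho "$rtf"; then
                echo "Mach-O disguised as RTF: $rtf"; found=0
            fi
        done
    fi
    return $found
}

# macOS-only checks: a running kernel_service process (named after the dropped
# file) and the bundle's signing Team ID; skipped where the tools are absent.
keranger_live_indicators() {
    app="$1"; found=1
    if ps -axo comm= 2>/dev/null | grep -q 'kernel_service$'; then
        echo "kernel_service process is running"; found=0
    fi
    if command -v codesign >/dev/null 2>&1 && [ -d "$app" ] &&
       codesign -dvv "$app" 2>&1 | grep -q "TeamIdentifier=$KERANGER_TEAM_ID"; then
        echo "bundle signed with revoked KeRanger Team ID $KERANGER_TEAM_ID"; found=0
    fi
    return $found
}

# Typical invocation on a Mac (assumed default install path):
# keranger_file_indicators "$HOME" /Applications/Transmission.app
# keranger_live_indicators /Applications/Transmission.app
```

A clean machine returns exit status 1 from both functions and prints nothing; any printed line is worth following up with the Transmission 2.92 update, which the article says actively attempts to remove the malware.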
There are also three other features that Olson said appear to be under development: create_tcp_socket, execute_cmd and encrypt_timemachine.
The third feature is the most interesting because it attacks Apple Time Machine backups; users are often advised that one of the best defenses against ransomware is to frequently backup data. Time Machine is Apple’s incremental backup app. The two other features would also indicate that the developers are working on a backdoor function and would eventually want to execute commands on infected machines beyond ransomware.
“On Windows machines, we are seeing the same things, disabling the ability to roll back to previous versions, getting rid of archives, encrypting files via connected drives,” Olson said. “The idea that they are also thinking they need to go for the backup files tells me they’re on their way to building effective ransomware.”