KeRanger OS X Ransomware Impact Likely Mitigated

Early detection of the KeRanger OS X ransomware and quick updates by Apple and the Transmission BitTorrent client installer likely will mitigate the malware’s impact.

It’s likely that the first functional ransomware for OS X is a dud.

Discovered on Friday by researchers at Palo Alto Networks, the KeRanger ransomware sits dormant for three days before encrypting files from a comprehensive list of 300 file extensions; today would be Day 3. The malware was included in a Trojanized version of the popular BitTorrent installer Transmission and was signed with a legitimate Apple developer certificate.

Since Transmission has made a patched version of its installer available and Apple has revoked the signing certificate used to build the ransomware, it’s likely that any significant damage has been mitigated. Apple also updated its XProtect malware protection with a new signature that detects KeRanger. That said, Mac users who grabbed Transmission 2.90 and have either disabled Gatekeeper or did not receive the XProtect update could still have data stored on their Macs encrypted and held for ransom.

“Some people will have some files encrypted, but I think it will be small,” said Ryan Olson, director of threat intelligence at Palo Alto. “The three parties working quickly prevented this from being a much bigger issue for Transmission and Apple.”

John Clay of Transmission told Threatpost that the project has taken measures to secure its web servers as it investigates the compromise, and expects to post an update in the coming days with more information. Clay and Palo Alto’s Olson don’t expect the number of infected machines to be significant given the timing and quick detection of the attack.

“Our best guess at this point is that approximately 6,500 infected disk images were downloaded. Of those, our presumption is that many were unable to run the infected file due to Apple quickly revoking the certificate used to sign the binary, as well as updating the XProtect definitions,” Clay said. “We’re waiting on confirmation from Apple on that.”

Palo Alto researchers Claud Xiao and Jin Chen found the malware on Friday and disclosed privately to Apple and Transmission over the weekend before publicly disclosing on Sunday.

It’s unknown how badly the open-source Transmission project was compromised by the attackers, who at a minimum likely had access to the project’s web server and were thus able to swap in their malicious installer. Because the installer was signed with a legitimate Apple certificate, the ransomware could slip past Gatekeeper to infect OS X computers. Gatekeeper has been around since OS X Mountain Lion and checks that any apps or software downloaded from the Web either come from the official Apple App Store or are signed with a developer certificate.

Clay said that Transmission’s Sparkle auto-update mechanism was not compromised, and would have refused to update to the infected binary because its hash did not match.

“Further, our third-party cache (CacheFly) was not compromised, which is where many of the software update websites link to (MacUpdate et al),” Clay said. “We’ve also confirmed that a user with an infected version can successfully auto-update to the legitimate releases of 2.91 or 2.92, with 2.92 actively attempting to remove the malware.”

The ransomware’s three-day waiting period, meanwhile, is about the only feature that distinguishes KeRanger from samples that have run rampant on the Windows side. Olson said KeRanger appears to have been built specifically to run on OS X and is not a knock-off of a Windows family of ransomware. The malware is designed to sleep for three days before encrypting files and demanding one Bitcoin from the victim, which is about $400. Like ransomware families on the Windows side, the attackers offer victims one free file decryption as proof they have the key. The three-day quiet period, however, is a differentiator.

“If I were to download Transmission today and install it, and five minutes later, all my files were encrypted, savvy users would notice the connection to the Transmission download. They’d tweet about it, complain on forums and Transmission would know about it and take it down,” Olson explained. “The waiting period avoids that connection being made on the users’ behalf. If I download on Friday and things don’t get encrypted until Monday, I would have done a lot of other things in the meantime, like downloading stuff from BitTorrent, that would disconnect the user from thinking Transmission was infected. Now the attacker does not have the benefit of the three-day period.”

Olson said that the Apple developer cert was generated on Friday and belongs to the developer ID POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673), which is different from the previous legitimate certificate belonging to Transmission. The malware drops a file called General.rtf in the Transmission app directory; the file’s job is to encrypt files. From Palo Alto’s report:

“It uses an icon that looks like a normal RTF file but is actually a Mach-O format executable file packed with UPX 3.91. When users click these infected apps, their bundle executable Transmission.app/Content/MacOS/Transmission will copy this General.rtf file to ~/Library/kernel_service and execute this “kernel_service” before any user interface appears.”

The file collects the compromised machine’s model name and UUID, uploading that data to a command and control server. The C2 server responds with two lines of code, the RSA public key, and a README text file with instructions on how to pay the ransom through a specific Tor website. The executable then encrypts all files with any of the 300 file extensions under the Users and Volumes directories; the extensions cover documents, audio, video, archives, source code, databases, email, and certificates.
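A defender-side check for the two on-disk artifacts the article names, the General.rtf that is really a Mach-O executable and the dropped ~/Library/kernel_service. This is an added example, not code from Palo Alto’s report or from the Transmission project; the /Applications path, the magic-number test and the "UPX!" string heuristic are assumptions of the example.

```python
import struct
from pathlib import Path

# Mach-O magic values (32/64-bit, both byte orders) plus the fat/universal magic.
MACHO_MAGICS = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE, 0xCAFEBABE, 0xBEBAFECA}

# Assumed default locations; the article names the files, not where the app is installed.
DEFAULT_APP = Path("/Applications/Transmission.app")
KERNEL_SERVICE = Path.home() / "Library" / "kernel_service"


def is_macho(data: bytes) -> bool:
    """True if the first four bytes are a Mach-O or universal-binary magic number."""
    return len(data) >= 4 and struct.unpack(">I", data[:4])[0] in MACHO_MAGICS


def classify_rtf(data: bytes) -> str:
    """Classify the bytes of a file that carries an .rtf name.

    A genuine RTF document starts with the '{\\rtf' control word; a Mach-O header
    under that name is the masquerade the report describes. The 'UPX!' marker is a
    cheap heuristic (assumption) for a UPX-packed binary, not a definitive check.
    """
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if is_macho(data):
        return "macho-masquerade,upx" if b"UPX!" in data else "macho-masquerade"
    return "unknown"


def scan_host(app_path: Path = DEFAULT_APP, kernel_service: Path = KERNEL_SERVICE) -> list:
    """Return findings for General.rtf inside the app bundle and for ~/Library/kernel_service."""
    findings = []
    if app_path.is_dir():
        for rtf in app_path.rglob("General.rtf"):
            verdict = classify_rtf(rtf.read_bytes())
            if verdict != "rtf":  # an RTF that is not RTF is the indicator
                findings.append(f"{rtf}: {verdict}")
    if kernel_service.exists():
        kind = "Mach-O" if is_macho(kernel_service.read_bytes()) else "non-Mach-O"
        findings.append(f"{kernel_service}: exists ({kind})")
    return findings


if __name__ == "__main__":
    for line in scan_host() or ["no KeRanger artifacts found"]:
        print(line)
```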

There are also three other features that Olson said appear to be under development: create_tcp_socket, execute_cmd and encrypt_timemachine.

The third feature is the most interesting because it attacks Apple Time Machine backups; users are often advised that one of the best defenses against ransomware is to back up data frequently. Time Machine is Apple’s incremental backup app. The two other features would also indicate that the developers are working on a backdoor function and would eventually want to execute commands on infected machines beyond ransomware.

“On Windows machines, we are seeing the same things, disabling the ability to roll back to previous versions, getting rid of archives, encrypting files via connected drives,” Olson said. “The idea that they are also thinking they need to go for the backup files tells me they’re on their way to building effective ransomware.”

Discussion

  • Bob in SF on

    Thanks for letting someone hack your server Transmission! Good job! Smells fishy and I wonder if this was an inside job where someone wanting to test the ransomware suckered over a Transmission developer for the keys to the castle. Now the "Macs get viruses" crowd will be back at it again, despite the fact that this was a specialized attack through one specific program. I say we tar and feather Transmission and send a message to other developers to double check the files they are hosting and updates they are pushing. We are in a computer culture of "update everything!" where everything updates all the time, and I'm getting sick of it. My old version of Transmission works fine and if it ain't broke, don't fix it. But everyone wants the new version of everything. Lesson for the user - don't update things so damn often because then you won't be a guinea pig and find out the hard way. Wait to update things. Like I said, if it ain't broke don't fix it (and yes I'm staying on 10.8, RIP Jobs). I can understand some worry if this kind of activity can result from opening a simple e-mail attachment, but this type of attack was very isolated and was mitigated quickly. It shows the strength of Mac and should be applauded instead of being used as fuel for anti-Mac criticism. If you want to criticize Mac, just talk about how 10.9 and 10.10 got pushed out with so many bugs that it took gigabyte after gigabyte update to clear up simple mistakes (you get what you pay for I guess). The video card driver on their most popular MacBook Pro had tons of bugs on 10.9 and 10.10 but worked perfectly on 10.7 and 10.8. 10.9 and above was and is a shameful time for Mac users like myself. Plenty of bugs and such to complain about with new Mac OS Xs, but this time I say SHAME ON TRANSMISSION! That was a rookie mistake and it tarnished the whole Apple brand. Transmission better find out who did it and publicly shame them... For now BOYCOTT Transmission and use other clients.
