eScan’s Threat predictions for 2016 proved to be correct! As we stated, “Ransomware creators would be looking to target new operating system such as Mac”, now we can see a new Ransomware known as KeRanger (Trojan.MAC.KeRangerRansom.A) was detected on Mac OS X by eScan researchers. The Ransomware was distributed by popular Bit Torrent client called Transmission for OS X users who downloaded Transmission on March 4 and March 5 2016.
How does the Trojan Work?
According to eScan research team, Windows Ransomware enters the system with word files as attachment. However, in this scenario, the cyber-criminals hacked the most popular Bit Torrent client and created a fake version number 2.90 and published it in Transmissions official website. Infected Transmission installers include an extra file General.rtf, which looks like a regular OX executable file but is actually a Mach-O format executable. Mach-O is a file format for executables, object code, shared libraries for OS X, Mach Kernel systems. The file gets executed because the KeRanger application was signed with a valid Mac app development certificate. As a result it could bypass Apple’s Gatekeeper protection and it changes the entries in Kernel following which it encrypts the files along with wide range of extensions such as *.zip, *.doc, *.jpg, *.mp3, .db etc. and it also encrypts the file found in users directory and its associated subdirectories. The Malware connects to CnC server through Tor anonymiser network and downloads the payload, following which it displays a ransom note demanding victims to pay a bitcoin to retrieve their files.