
OSX.KeRanger.A...hahaha...sorry but this is too good...yay, admin users!

Well, since some shops use Transmission, I suppose it makes sense to create an EA.

Not that it'll help, if the user opened the General.rtf file. #GotBitCoin? ;)

#!/bin/sh
# Jamf extension attribute: report whether the KeRanger dropper is present.
# The leading space in " General.rtf" is part of the malicious file's name,
# so the path must stay quoted exactly as written.

if [ -e "/Applications/Transmission.app/Contents/Resources/ General.rtf" ]
then
    echo "<result>Found OSX.KeRanger.A in /Applications</result>"
# Also check the mounted Transmission disk image
elif [ -e "/Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf" ]
then
    echo "<result>Found OSX.KeRanger.A in /Volumes/Transmission</result>"
else
    echo "<result>NotFound</result>"
fi
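The EA above hard-codes two locations. The following is an added example, not the original poster's script or anything from Jamf, that generalises the same check to /Applications plus every directory under /Volumes (so a disk image mounted under a name other than "Transmission" is still caught) and keeps the leading-space filename quoted throughout. The search root is a parameter, and the make_fixture helper builds a constructed directory tree, so the scanner can be exercised offline before being pasted into an EA.

```shell
#!/bin/sh
# Added example (not the thread's original EA): scan for the KeRanger
# dropper under a configurable root and print a Jamf EA <result> string.

# Relative path of the dropper inside the Transmission bundle. The leading
# space in " General.rtf" is part of the real file name, which is why this
# value must be quoted everywhere it is expanded.
KERANGER_DROPPER="Transmission.app/Contents/Resources/ General.rtf"

# keranger_scan [ROOT]
# Checks ROOT/Applications and every directory under ROOT/Volumes.
# ROOT defaults to / so the function can be used directly as an EA body.
keranger_scan() {
    root="${1:-/}"
    root="${root%/}"
    hits=""
    for dir in "$root/Applications" "$root"/Volumes/*/; do
        dir="${dir%/}"
        if [ -e "$dir/$KERANGER_DROPPER" ]; then
            hits="$hits $dir"
        fi
    done
    if [ -n "$hits" ]; then
        echo "<result>Found OSX.KeRanger.A in${hits}</result>"
    else
        echo "<result>NotFound</result>"
    fi
}

# make_fixture ROOT
# Constructs a sample tree under ROOT (assumed to be a scratch directory)
# with an infected /Applications copy and a clean volume, for offline testing.
make_fixture() {
    root="$1"
    mkdir -p "$root/Applications/Transmission.app/Contents/Resources"
    mkdir -p "$root/Volumes/Clean/Other.app"
    : > "$root/Applications/$KERANGER_DROPPER"
}

# Usage as an EA: call keranger_scan with no argument to scan the live system.
```

Because the function only tests for the presence of the dropper path, a positive result is a reason to quarantine the Mac and inspect it, not proof that the payload already ran; the clean-up steps bentoms describes below still apply.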
SOLVED Posted: by AVmcclint

I've been monitoring this since it hit the news this weekend. One thing that I haven't been able to find is if this ransomware would be able to affect your computer if your drive is already encrypted with FileVault or other 3rd party encryption tools. Has anyone found any information about that?

SOLVED Posted: by RUT

This is a hackbug))
http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

SOLVED Posted: by rtrouton

@AVmcclint,

This application will be able to encrypt files on Macs which have been previously encrypted with FileVault or other 3rd party encryption tools. By the time this malware is able to run, FileVault 2's encryption is unlocked and the files on the machine are accessible.

FileVault 2 and other third-party encryption tools are not designed or built to be an anti-malware solution, which means they do not protect against malware, ransomware, adware or other kinds of -ware.

SOLVED Posted: by AVmcclint

I understand now. The information I got from early reports mentioned that it encrypts your drive. My question was based on that... "how can it encrypt a drive that's already encrypted?" NOW I know that it only targets specific files in /Users and yes I agree, @rtrouton, FileVault isn't meant to protect against malware.

SOLVED Posted: by taugust04

I wish Apple would release who owned the valid certificate for KeRanger. That developer account has to be linked back to someone!

SOLVED Posted: by bentoms

I posted a detection & clean up method here.

Sorry @donmontalvo, but the above is not enough.

SOLVED Posted: by Chris_Hafner

@bentoms Nice work!

SOLVED Posted: by donmontalvo

@bentoms It gives you something to target, if the paths exist, delete, would even make it a cached for offline use policy. ;)

SOLVED Posted: by jhuls

@AVmcclint I'm no expert on FileVault, but my understanding is that while the files are encrypted, they are unlocked once the password is entered. If they're unlocked, it would seem that anything could edit or encrypt said files.

SOLVED Posted: by donmontalvo

Holy cow @bentoms I finally had a chance to read your blog regarding this exploit...excellent article!!!

SOLVED Posted: by benshawuk

Thanks @bentoms. Great script.
Hopefully that and Sophos will eliminate any infections. Particularly frightening that it targets /Volumes...
