OSX.KeRanger.A...hahaha...sorry but this is too good...yay, admin users!

donmontalvo
Esteemed Contributor III

Well, since some shops use Transmission, I suppose it makes sense to create an EA.

Not that it'll help, if the user opened the General.rtf file. #GotBitCoin? ;)

#!/bin/sh

# Jamf extension attribute: report whether the KeRanger indicator file is
# present inside Transmission.app. The leading space in " General.rtf" is
# part of the malicious file's name, so it must stay in the path.
if [ -e "/Applications/Transmission.app/Contents/Resources/ General.rtf" ]
then
    echo "<result>Found OSX.KeRanger.A in /Applications</result>"
elif [ -e "/Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf" ]
then
    # Also check a still-mounted Transmission disk image
    echo "<result>Found OSX.KeRanger.A in /Volumes/Transmission</result>"
else
    echo "<result>NotFound</result>"
fi
--
https://donmontalvo.com
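A variant of the extension attribute above, added here as an example and not donmontalvo's script: the root directory to search is a parameter so the logic can be exercised against a scratch directory, both locations from the post are reported if both hit, and a clean Transmission install is distinguished from "not installed" so a smart group can target only machines that actually have the client. The only indicator used is the " General.rtf" path from the thread; the `keranger_check` function name and the result wording are this example's own.

```shell
#!/bin/sh

# Path of the KeRanger indicator inside Transmission.app (from the thread).
# The leading space before "General.rtf" is part of the file name.
KERANGER_INDICATOR="Transmission.app/Contents/Resources/ General.rtf"

# keranger_check [ROOT]
# ROOT defaults to "/" (a live EA run); pass a scratch directory to test.
# Prints one EA-style <result> line describing what was found.
keranger_check() {
    root="${1:-/}"
    root="${root%/}"        # "/" becomes "", so "$root/Applications" is clean
    found=""
    present=""
    # Candidate locations named in the thread: the installed app and a
    # Transmission disk image that is still mounted.
    for dir in "$root/Applications" "$root/Volumes/Transmission"; do
        if [ -d "$dir/Transmission.app" ]; then
            present="yes"
        fi
        if [ -e "$dir/$KERANGER_INDICATOR" ]; then
            # Accumulate every hit, comma separated, rather than stopping at the first
            found="${found:+$found, }$dir"
        fi
    done
    if [ -n "$found" ]; then
        echo "<result>Found OSX.KeRanger.A in $found</result>"
    elif [ -n "$present" ]; then
        echo "<result>NotFound (Transmission installed)</result>"
    else
        echo "<result>NotFound (Transmission not installed)</result>"
    fi
}

# Live EA run against the real filesystem.
keranger_check /
```

The three distinct result strings let one EA drive separate smart groups for infected machines and for clean machines that still have Transmission installed.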

AVmcclint
Honored Contributor

I've been monitoring this since it hit the news this weekend. One thing that I haven't been able to find is if this ransomware would be able to affect your computer if your drive is already encrypted with FileVault or other 3rd party encryption tools. Has anyone found any information about that?

RUT
New Contributor

This is a hackbug))
http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

rtrouton
Release Candidate Programs Tester

@AVmcclint,

This application will be able to encrypt files on Macs which have been previously encrypted with FileVault or other 3rd party encryption tools. By the time this malware is able to run, FileVault 2's encryption is unlocked and the files on the machine are accessible.

FileVault 2 and other third-party encryption tools are not designed or built to be an anti-malware solution, which means they do not protect against malware, ransomware, adware or other kinds of -ware.

AVmcclint
Honored Contributor

I understand now. The information I got from early reports mentioned that it encrypts your drive. My question was based on that... "how can it encrypt a drive that's already encrypted?" NOW I know that it only targets specific files in /Users and yes I agree, @rtrouton, FileVault isn't meant to protect against malware.

taugust04
Valued Contributor

I wish Apple would release who owned the valid certificate for KeRanger. That developer account has to be linked back to someone!

bentoms
Release Candidate Programs Tester

I posted a detection & clean up method here.

Sorry @donmontalvo, but the above is not enough.

Chris_Hafner
Valued Contributor II

@bentoms Nice work!

donmontalvo
Esteemed Contributor III

@bentoms It gives you something to target: if the paths exist, delete. Would even make it a cached-for-offline-use policy. ;)

--
https://donmontalvo.com

jhuls
Contributor III

@AVmcclint I'm no expert on File Vault but my understanding is that while the files are encrypted, they are unlocked once the password is entered. If they're unlocked, it would seem that anything could edit or encrypt said files.

donmontalvo
Esteemed Contributor III

Holy cow @bentoms I finally had a chance to read your blog regarding this exploit...excellent article!!!

--
https://donmontalvo.com

benshawuk
New Contributor III

Thanks @bentoms. Great script.
Hopefully that and Sophos will eliminate any infections. Particularly frightening that it targets /Volumes ..