eScan’s threat predictions for 2016 proved to be correct! As we stated, “Ransomware creators would be looking to target new operating systems such as Mac”, and now a new ransomware known as KeRanger (Trojan.MAC.KeRangerRansom.A) has been detected on Mac OS X by eScan researchers. The ransomware was distributed through the popular BitTorrent client Transmission, affecting OS X users who downloaded Transmission on March 4 and March 5, 2016.
How does the Trojan Work?
According to the eScan research team, Windows ransomware typically enters the system through Word files sent as email attachments. In this scenario, however, the cyber-criminals compromised the most popular BitTorrent client, created a fake version 2.90 and published it on Transmission’s official website. Infected Transmission installers include an extra file, General.rtf, which looks like a regular RTF document but is actually a Mach-O format executable. Mach-O is the file format for executables, object code and shared libraries on OS X and other Mach kernel systems. The file is allowed to run because the KeRanger application was signed with a valid Mac app development certificate; as a result it could bypass Apple’s Gatekeeper protection. It then modifies kernel entries and encrypts files with a wide range of extensions, such as *.zip, *.doc, *.jpg, *.mp3 and *.db, including files found in the user’s directory and its sub-directories. The malware connects to its CnC server through the Tor anonymiser network and downloads the payload, after which it displays a ransom note demanding that the victim pay one bitcoin to retrieve their files.
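The disguise described above, a Mach-O executable shipped under a document name such as General.rtf, can be caught by checking file contents rather than trusting extensions. The following is an added example (not eScan’s code or a KeRanger sample): it walks a directory such as an .app bundle and flags any file whose extension says “document” but whose first bytes carry a Mach-O or fat-binary magic number; the sample bundle it builds is constructed for the demonstration.

```python
import os
import tempfile

# Mach-O magic numbers as they appear in the first four bytes on disk:
# thin 32-bit and 64-bit images in both byte orders, plus fat/universal binaries.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC / MH_CIGAM
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 / MH_CIGAM_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM (caveat: Java .class files also start with cafebabe)
}

# Extensions that should never hold native code inside a bundle (assumed list).
DOCUMENT_EXTENSIONS = {".rtf", ".txt", ".doc", ".pdf", ".jpg", ".png", ".plist"}


def is_macho(path):
    """Return True when the file begins with a Mach-O or fat magic number."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in MACHO_MAGICS
    except OSError:
        return False


def find_masquerading_executables(root):
    """Return relative paths of files under root that carry a document
    extension but actually start with a Mach-O magic number."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in DOCUMENT_EXTENSIONS:
                full = os.path.join(dirpath, name)
                if is_macho(full):
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_bundle():
    """Constructed sample: a fake bundle with one genuine RTF and one
    Mach-O header stub disguised as General.rtf."""
    root = tempfile.mkdtemp(prefix="bundle_")
    res = os.path.join(root, "Contents", "Resources")
    os.makedirs(res)
    with open(os.path.join(res, "README.rtf"), "wb") as fh:
        fh.write(b"{\\rtf1\\ansi Hello}")  # real RTF content
    with open(os.path.join(res, "General.rtf"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # MH_MAGIC_64 stub, constructed
    return root


if __name__ == "__main__":
    print(find_masquerading_executables(build_sample_bundle()))
```

On a real machine the same idea is what `file` reports on a path; this script only inspects magic bytes and does not verify code signatures.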
If you downloaded the Transmission installer from the official website between March 4 and March 5, 2016, you may have been infected by this malware. eScan advises you to download the updated version 2.92 of Transmission and follow the steps given below:
- Update your eScan antivirus on a regular basis, which will protect your system from all kinds of malware attacks.
- Regularly back up your important files.
- Ensure your operating system and other installed software are up to date.
- Open emails only if you are positive about the source.