The KeRanger Mac ransomware may be a rewrite of the Linux.Encoder Trojan, which was detected last November.
According to Bitdefender, the Mac OS X ransomware is virtually identical to version 4 of the Linux variant which has been infecting thousands of Linux servers in 2016. The company found the world’s first piece of Linux ransomware at the end of last year, encrypting thousands of web servers.
The company believed that the developers behind the Linux.Encoder malware have either expanded to Mac OS X, or have licensed their code to a cyber-crime group specialised in Mac OS X attacks.
“Once the infected installer is executed, the Trojan connects to the command and control centres via TOR and retrieves an encryption key,” says Catalin Cosoi, Chief Security Strategist at Bitdefender. “After encryption finishes, the KeRanger ransomware creates a file called README_FOR_DECRYPT.txt, which holds the information on how the victim should pay the ransom. The encryption functions are identical to those deployed by the Linux.Encoder Trojan and have the same names.
“It is worth emphasising that nothing short of a fully-fledged, native Mac OS X security solution with real-time, behaviour-based detection techniques could have saved Mac OS X users from having their systems infected and their files encrypted. There is more, much more, to security than merely disallowing unsigned software.”
Thomas Reed, Director of Mac Offerings at Malwarebytes, told Infosecurity that he did not feel that repackaging old malware necessarily implies anything about its sophistication, as if older code works well and a hacker can get it past the security on a new system, that is all that matters.
“Still, this was enough to possibly infect around 6,500 people (the approximate number of downloads of the infected Transmission app), and we've seen some cases of people who have been infected and have had their files encrypted,” he said.
However, Reed did not believe that this was a highly sophisticated piece of malware, as there were some flaws in its execution, notably: the delivery method made it more prone to detection than other possible methods.
“Changing Transmission's code signature to one owned by a Turkish company meant that it got detected within hours of deployment,” he said.
He also said that there was “no persistence”, and suspected that was an intentional decision to try to keep the malware's profile low, but it does mean that it's trivially easy to get rid of it.
Listen to a session on "The Rise of Ransomware: Prevention & Response to Evade Extortion" in the Infosecurity Magazine Virtual Conference, Tuesday 15th at 11.55am GMT here