KeRanger Mac ransomware is a rewrite of Linux Encoder

KeRanger, the recently discovered first functional Mac ransomware, is a copy of Linux Encoder, the crypto-ransomware first unearthed and analyzed in November 2015 by Dr. Web researchers.

Mac ransomware

“The encryption functions are identical and have same names: encrypt_file, recursive_task, currentTimestamp and createDaemon to only mention a few. The encryption routine is identical to the one employed in Linux.Encoder,” explained Catalin Cosoi, Chief Security Strategist at Bitdefender.

Bitdefender researchers have previously found encryption flaws in the first three versions of Linux Encoder, which is mainly directed at web servers running on Linux, and have offered users a decryption script to restore the encrypted files without having to pay the ransom.

KeRanger, they say, is a rewrite of version 4 of Linux Encoder, but they have yet to offer a decryption tool for it.

KeRanger was distributed bundled with the popular open source Transmission BitTorrent client for Macs, from the Transmission Project official website.

Transmission representative John Clay told Reuters that the Trojanized client was downloaded about 6,500 times in the 32 hours that it was available for download from the site.

He confirmed that this happened after their main server was compromised, but offered no details on how that happened.

Apple’s quick response of revoking the certificate with which the malicious installer was signed and updating XProtect signatures to detect it have likely made the actual number of affected users smaller than 6,500.

Hopefully, the fact that the malware also waited 72 hours before initiating the encryption process saved a few more users. Also, the malware still doesn’t encrypt Time Machine backup files, so there are likely some users that had their computer files encrypted, but managed to restore them from backup.

Interestingly enough, Linux Encoder is also not an original piece of ransomware. Some of its code was copied from Hidden Tear, the PoC ransomware created and open sourced by a Turkish computer engineering student. Since then, the student’s code has been misused to create 24 different strains of ransomware.

“It seems that the developers behind the Linux.Encoder malware have either expanded to Mac OS X or have licensed their code to a cybercrime group specialized in Mac OS X attacks,” Bitdefender researchers noted.

Cosoi also pointed out that “nothing short of a fully-fledged, native Mac OS X security solution with real-time, behavior-based detection techniques could have saved Mac OS X users from having their systems infected and their files encrypted.”

“There is more, much more, to security than merely disallowing unsigned software,” he concluded.