Unlike the usual methods of entry, such as phishing email, KeRanger victims were instead infected through Transmission, a peer-to-peer file transfer program. Transmission has since removed the infected installers and recommended that users upgrade.
KeRanger's authors also had a valid Mac Developer certificate, so they were able to bypass Apple's Gatekeeper protection. An Apple representative said the company had taken steps to prevent further infections by revoking the digital certificate that enabled the rogue software to install on Macs.[1]
Once installed, the malware waited three days before encrypting the victim's files. Once activated, the ransomware connects to a command-and-control server over the Tor network and then begins to encrypt all files under "/Users" and "/Volumes", including files with extensions such as:
.doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex, .jpg, .jpeg, .mp3, .mp4, .avi, .mpg, .wav, .flac, .zip, .rar, .tar, .gzip, .cpp, .asp, .csh, .class, .java, .lua, .db, .sql, .eml, .pem [2]
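The targeting rule above (a file under "/Users" or "/Volumes" with one of the listed extensions) is simple enough to model, and a defender can turn it into a detection heuristic: a process that rewrites many in-scope files in a few seconds looks nothing like a user saving documents. The following is an added example, not code from the original post or from Varonis; the event telemetry, process names and the 20-files-in-10-seconds threshold are constructed assumptions, and the detector is a generic sliding-window burst check rather than any product's actual logic.

```python
"""Added example: model KeRanger's file-targeting rule and flag bursts of
modifications to in-scope files. All event data below is constructed."""
from collections import deque
from datetime import datetime, timedelta

# Extensions listed in the post as KeRanger targets.
KERANGER_EXTENSIONS = frozenset("""
.doc .docx .docm .dot .dotm .ppt .pptx .pptm .pot .potx .potm .pps .ppsm .ppsx
.xls .xlsx .xlsm .xlt .xltm .xltx .txt .csv .rtf .tex .jpg .jpeg .mp3 .mp4 .avi
.mpg .wav .flac .zip .rar .tar .gzip .cpp .asp .csh .class .java .lua .db .sql
.eml .pem
""".split())

# Directory roots the post says KeRanger walks.
TARGET_ROOTS = ("/Users/", "/Volumes/")


def in_keranger_scope(path: str) -> bool:
    """True if the file sits under a targeted root and has a targeted extension."""
    if not path.startswith(TARGET_ROOTS):
        return False
    dot = path.rfind(".")
    # No extension, or the last dot belongs to a directory component (e.g. ".hidden/file").
    if dot == -1 or "/" in path[dot:]:
        return False
    return path[dot:].lower() in KERANGER_EXTENSIONS


def detect_encryption_bursts(events, window_seconds=10, threshold=20):
    """Sliding-window detector over time-ordered (iso_timestamp, process, path) tuples.

    Returns one (timestamp, process, count) alert per process the first time it
    modifies more than `threshold` in-scope files within `window_seconds`.
    Threshold and window are assumptions to tune per environment.
    """
    window = timedelta(seconds=window_seconds)
    recent = {}        # process -> deque of timestamps of in-scope modifications
    alerted = set()    # processes already reported, to avoid repeating an alert
    alerts = []
    for ts, proc, path in events:
        if not in_keranger_scope(path):
            continue
        now = datetime.fromisoformat(ts)
        queue = recent.setdefault(proc, deque())
        queue.append(now)
        # Drop timestamps that have fallen out of the window.
        while queue and now - queue[0] > window:
            queue.popleft()
        if len(queue) > threshold and proc not in alerted:
            alerted.add(proc)
            alerts.append((ts, proc, len(queue)))
    return alerts


def sample_events():
    """Constructed sample telemetry: one normal editing session and one burst."""
    base = datetime(2016, 3, 7, 9, 0, 0)
    events = []
    # Benign: a user saving a handful of documents a minute apart.
    for i in range(5):
        events.append(((base + timedelta(minutes=i)).isoformat(),
                       "TextEdit", f"/Users/alice/Documents/notes{i}.txt"))
    # Suspicious: a constructed process rewriting 30 targeted files in about 6 seconds.
    burst_start = base + timedelta(minutes=10)
    for i in range(30):
        events.append(((burst_start + timedelta(milliseconds=200 * i)).isoformat(),
                       "constructed_ransomware", f"/Users/alice/Pictures/img{i}.jpg"))
    # Out of scope: the same process touching a file outside /Users and /Volumes.
    events.append(((burst_start + timedelta(seconds=7)).isoformat(),
                   "constructed_ransomware", "/tmp/scratch.txt"))
    return events


if __name__ == "__main__":
    for ts, proc, count in detect_encryption_bursts(sample_events()):
        print(f"{ts} ALERT {proc}: {count} in-scope files modified within window")
```

The benign session never trips the detector because five saves spread over minutes never co-exist in a ten-second window; the burst trips it on its 21st file. In practice the extension list would be far broader than KeRanger's, since the scope rule here only mirrors what the post reports for this one family.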
The ransom was 1 bitcoin, or approximately $400 USD.
When Ransom32, the first ransomware written in JavaScript, appeared at the start of the year, we all anticipated that ransomware would soon infect Mac users, because JavaScript is platform agnostic.
Expect to see more attacks on Macs because the ransomware business model has yielded large returns. How much? We’re talkin’ hundreds of millions of dollars a year.
Further reading on Prevention:
Varonis customers – if you have DatAlert, it can catch and prevent ransomware attacks. Learn more on Connect.
Read the original article here.
[1] http://www.reuters.com/article/us-apple-ransomware-idUSKCN0W80VX
[2] http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/