Unlike the usual methods of entry, such as phishing email, KeRanger victims were infected through Transmission, a peer-to-peer file transfer program: the copies of its installer being distributed had been tampered with to carry the ransomware. Transmission has since removed the infected installers and recommended an upgrade.
KeRanger's authors also held a valid Mac Developer certificate, so the signed installer passed Apple's Gatekeeper check rather than being blocked as unsigned software. An Apple representative said the company had taken steps to prevent further infections by revoking the digital certificate that enabled the rogue software to install on Macs.[1] Note that revocation only stops Gatekeeper from accepting new installs signed with that certificate; it does nothing for machines where the tampered installer has already run.
Once installed, the malware waited three days before encrypting the victim's files. When it activated, it connected to a command-and-control server over the Tor network and then began encrypting files under “/Users” and “/Volumes”, including files with extensions like:
.doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex, .jpg, .jpeg, .mp3, .mp4, .avi, .mpg, .wav, .flac, .zip, .rar, .tar, .gzip, .cpp, .asp, .csh, .class, .java, .lua, .db, .sql, .eml, .pem[2]
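The practical lesson in that description is that ransomware's tell is behavioural: one process rewriting many user files in a short span, regardless of how it got onto the box. As an added example (not code from the original article or from Varonis), the Python below applies the path roots and extension list given above to a constructed file-event log and raises an alert when a single process writes five or more targeted files within ten seconds. The log line format, the process name "suspect", the PIDs and the threshold are assumptions made for illustration.

```python
"""Added example: a sliding-window burst detector for KeRanger-style mass encryption.

Not code from the original article or from Varonis. Assumes a constructed
event-log format ("<ISO time> <pid> <process> <action> <path>") and a
hypothetical process named "suspect"; real telemetry (fs_usage, the Endpoint
Security framework, an EDR agent) would need its own parser.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Extensions the article lists as KeRanger's targets.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".docm", ".dot", ".dotm", ".ppt", ".pptx", ".pptm", ".pot",
    ".potx", ".potm", ".pps", ".ppsm", ".ppsx", ".xls", ".xlsx", ".xlsm", ".xlt",
    ".xltm", ".xltx", ".txt", ".csv", ".rtf", ".tex", ".jpg", ".jpeg", ".mp3",
    ".mp4", ".avi", ".mpg", ".wav", ".flac", ".zip", ".rar", ".tar", ".gzip",
    ".cpp", ".asp", ".csh", ".class", ".java", ".lua", ".db", ".sql", ".eml", ".pem",
}

# The two trees the article says KeRanger walked.
TARGET_ROOTS = ("/Users/", "/Volumes/")


def is_target(path):
    """True if the path lies in a targeted tree and carries a targeted extension."""
    ext = os.path.splitext(path)[1].lower()
    return path.startswith(TARGET_ROOTS) and ext in TARGET_EXTENSIONS


def parse_event(line):
    """Parse one constructed log line into (timestamp, pid, process, action, path)."""
    ts, pid, proc, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), int(pid), proc, action, path


def detect_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Flag processes that write `threshold` or more targeted files within `window`.

    Returns {(pid, process): timestamp of the first alert}. The threshold and
    window are arbitrary here; calibrate them against a baseline so backup and
    sync tools do not trip the detector.
    """
    recent = defaultdict(deque)  # (pid, proc) -> timestamps of recent targeted writes
    alerts = {}
    for line in lines:
        ts, pid, proc, action, path = parse_event(line)
        if action != "WRITE" or not is_target(path):
            continue
        key = (pid, proc)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop writes that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


# Constructed sample events: one ordinary editor save, then a hypothetical
# process "suspect" sweeping documents, pictures, a mounted backup volume and a key.
SAMPLE_EVENTS = [
    "2016-03-07T10:00:00 501 TextEdit WRITE /Users/alice/Documents/notes.txt",
    "2016-03-07T10:00:01 777 suspect WRITE /Users/alice/Documents/report.docx",
    "2016-03-07T10:00:01 777 suspect WRITE /Users/alice/Documents/budget.xlsx",
    "2016-03-07T10:00:02 777 suspect WRITE /Users/alice/Pictures/holiday.jpg",
    "2016-03-07T10:00:02 777 suspect WRITE /Volumes/Backup/archive.tar",
    "2016-03-07T10:00:03 777 suspect WRITE /Users/alice/.ssh/key.pem",
    "2016-03-07T10:00:03 777 suspect WRITE /Library/Caches/tmp.txt",  # outside /Users and /Volumes: ignored
    "2016-03-07T10:00:04 777 suspect WRITE /Users/alice/Music/song.mp3",
]

if __name__ == "__main__":
    for (pid, proc), when in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {when.isoformat()}: pid {pid} ({proc}) is mass-writing targeted files")
```

Run directly, it prints one alert for the sample data, raised at the fifth targeted write by the "suspect" process; the TextEdit save and the write outside the targeted trees never count. The same sliding-window logic is what a file-activity monitor does at scale, and it catches the encryption phase even when the installer was validly signed.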
The ransom was 1 bitcoin, or approximately $400 USD.
Expect to see more attacks on Macs because the ransomware business model has yielded large returns. How much? We’re talkin’ hundreds of millions of dollars a year.
Further reading on Prevention:
Varonis customers – if you have DatAlert, it can catch and prevent ransomware attacks. Learn more on Connect.
Read the original article here.