We recently reported on the world's first ransomware for Macs, AKA KeRanger, and now we know a bit more about the malware. More specifically, we know that it is, in fact, a rewrite of the Linux.Encoder Trojan, a piece of Linux malware.
According to security specialists at Bitdefender Labs, the infected Transmission (torrent client) update for Mac OS X, which carried the malware, looks identical to version 4 of the Linux.Encoder Trojan.
“Once the infected installer is executed, the Trojan connects to the command and control centres via TOR and retrieves an encryption key,” states Catalin Cosoi, Chief Security Strategist at Bitdefender. “After encryption finishes, the KeRanger ransomware creates a file called README_FOR_DECRYPT.txt, which holds the information on how the victim should pay the ransom. The encryption functions are identical to those deployed by the Linux.Encoder Trojan and have the same names.”
It's also worth mentioning that the Linux version itself is not so old, either. It was first spotted some six months ago. Prior to that, ransomware was only a concern for Windows and Android users.
Mac is a pretty safe environment. Its computers come with a feature known as Gatekeeper, which lets the user restrict the sources from which apps can be installed. The default setting allows users to install apps from the Mac App Store and apps that are 'digitally signed' by a developer.
Those digital signatures were abused by cyber-crooks in this case, as the Transmission update package carried a valid signature, albeit a different one from that of previous versions. According to Bitdefender, this certificate was listed as belonging to a Turkish company with the ID Z7276PX673.
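The lesson of the swapped certificate is that "has a valid signature" is a weaker check than "is signed by the developer I expect". The following shell script is an added example, not code from the article or from Bitdefender: it pins the Team ID that a known-good version of an app was signed with and rejects a new build whose `codesign -dvv` output reports any other TeamIdentifier, even if Gatekeeper would accept it. The placeholder Team ID `TEAMID0000`, the bundle path and the parsing functions are assumptions for illustration; `codesign` itself only exists on macOS, so the parser works on captured output and can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the article): pin the expected Team ID of a
# downloaded app instead of trusting "any valid Developer ID signature".
# codesign(1) prints a "TeamIdentifier=<ID>" line for a signed bundle.

# Placeholder: replace with the Team ID recorded from a known-good release.
EXPECTED_TEAM_ID="TEAMID0000"

# Read codesign -dvv output on stdin and print the TeamIdentifier value.
# codesign writes its details to stderr, so callers redirect 2>&1 first.
team_id_from_codesign_output() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Return 0 when the observed Team ID ($1) is non-empty and equals the pinned one ($2).
team_id_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Run codesign on a real bundle (macOS only) and apply the pinned-team check.
# Prints a verdict and returns 1 on mismatch so it can gate an install step.
check_app() {
    app="$1"
    id=$(codesign -dvv "$app" 2>&1 | team_id_from_codesign_output)
    if team_id_matches "$id" "$EXPECTED_TEAM_ID"; then
        echo "OK: $app signed by pinned team $id"
    else
        echo "REJECT: $app signed by team '${id:-<none>}', expected $EXPECTED_TEAM_ID"
        return 1
    fi
}

# Usage on a Mac: check_app /Applications/Transmission.app
```

Gatekeeper (`spctl --assess --type execute <app>`) answers only "is this signed by some identified developer"; the pinned-team comparison above is the extra step that would have flagged a release whose certificate changed from one version to the next.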
“It is worth emphasising that nothing short of a fully-fledged, native Mac OS X security solution with real-time, behaviour-based detection techniques could have saved Mac OS X users from having their systems infected and their files encrypted. There is more, much more, to security than merely disallowing unsigned software,” Catalin Cosoi concludes.