Posted on 03-06-2016 10:37 PM
Well, since some shops use Transmission, I suppose it makes sense to create an EA.
Not that it'll help, if the user opened the General.rtf file. #GotBitCoin? ;)
#!/bin/sh
# Jamf extension attribute: report whether the KeRanger indicator file is present.
# The file really is named " General.rtf" with a leading space; the space is intentional.
if [ -e "/Applications/Transmission.app/Contents/Resources/ General.rtf" ]
then
    echo "<result>Found OSX.KeRanger.A in /Applications</result>"
elif [ -e "/Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf" ]
then
    echo "<result>Found OSX.KeRanger.A in /Volumes/Transmission</result>"
else
    echo "<result>NotFound</result>"
fi
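An added example, not the poster's script above and not taken from any write-up linked in this thread, that generalizes the same check: it walks a set of search roots for any Transmission.app bundle carrying the " General.rtf" indicator, so a bundle on a mounted DMG under /Volumes or a copy in a non-standard folder is caught too. The search roots and the function names are my assumptions.

```shell
#!/bin/sh
# Relative path of the KeRanger indicator inside a Transmission.app bundle.
# The leading space in " General.rtf" is part of the real file name.
INDICATOR="Contents/Resources/ General.rtf"

# Print the path of every Transmission.app bundle under the given roots that
# contains the indicator file, one per line; prints nothing when clean.
# Roots that do not exist (e.g. /Volumes on a non-Mac) are skipped.
find_keranger_bundles() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # -maxdepth 3 covers /Applications/X.app and /Volumes/<dmg>/X.app.
        find "$root" -maxdepth 3 -type d -name "Transmission.app" 2>/dev/null |
        while IFS= read -r app; do
            if [ -f "$app/$INDICATOR" ]; then
                printf '%s\n' "$app"
            fi
        done
    done
    return 0
}

# Wrap the scan in the <result> format a Jamf extension attribute expects.
keranger_ea_result() {
    hits=$(find_keranger_bundles "$@")
    if [ -n "$hits" ]; then
        # Join multiple hits with spaces so the result stays on one line.
        printf '<result>Found OSX.KeRanger.A in: %s</result>\n' \
            "$(printf '%s' "$hits" | tr '\n' ' ')"
    else
        printf '<result>NotFound</result>\n'
    fi
}

# Default roots: the two locations named in the thread (assumed search roots).
keranger_ea_result /Applications /Volumes
```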
Posted on 03-07-2016 05:14 AM
I've been monitoring this since it hit the news this weekend. One thing that I haven't been able to find is if this ransomware would be able to affect your computer if your drive is already encrypted with FileVault or other 3rd party encryption tools. Has anyone found any information about that?
Posted on 03-07-2016 05:19 AM
This is a hackbug))
http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/
Posted on 03-07-2016 05:42 AM
This application will be able to encrypt files on Macs which have been previously encrypted with FileVault or other 3rd party encryption tools. By the time this malware is able to run, FileVault 2's encryption is unlocked and the files on the machine are accessible.
FileVault 2 and other third-party encryption tools are not designed or built to be an anti-malware solution, which means they do not protect against malware, ransomware, adware or other kinds of -ware.
Posted on 03-07-2016 05:50 AM
I understand now. The information I got from early reports mentioned that it encrypts your drive. My question was based on that... "how can it encrypt a drive that's already encrypted?" NOW I know that it only targets specific files in /Users and yes I agree, @rtrouton, FileVault isn't meant to protect against malware.
Posted on 03-07-2016 06:05 AM
I wish Apple would release who owned the valid certificate for KeRanger. That developer account has to be linked back to someone!
Posted on 03-07-2016 08:38 AM
I posted a detection & clean up method here.
Sorry @donmontalvo, but the above is not enough.
Posted on 03-07-2016 09:56 AM
@bentoms Nice work!
Posted on 03-07-2016 11:41 AM
@bentoms It gives you something to target: if the paths exist, delete. It would even make a good cached-for-offline-use policy. ;)
Posted on 03-07-2016 01:08 PM
@AVmcclint I'm no expert on File Vault but my understanding is that while the files are encrypted, they are unlocked once the password is entered. If they're unlocked, it would seem that anything could edit or encrypt said files.
Posted on 03-10-2016 01:45 PM
Holy cow @bentoms I finally had a chance to read your blog regarding this exploit...excellent article!!!
Posted on 03-11-2016 02:52 AM
Thanks @bentoms . Great script.
Hopefully that and Sophos will eliminate any infections. Particularly frightening that it targets /Volumes...