- Threat Encyclopedia
- Malware
- RANSOM_KERANGER.A
OSX
Downloaded from the Internet, Dropped by other malware
This malware was involved in the March 2016 compromise of a popular BitTorrent client's website, where it was passed off as a legitimate upgrade installer. It was the first ransomware to target OS X machines exclusively; users affected by it may find their important files and documents encrypted and unopenable.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain websites to send and receive information.
File Size: 1,269,584 bytes
File Type: Mach-O
Packer: UPX
Memory Resident: Yes
Payload: Encrypts files
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
It drops the following component file(s):
Other Details
This Trojan connects to the following website to send and receive information:
It renames encrypted files using the following names:
NOTES:
It encrypts the files found in the following directories:
It encrypts all files found in the /Users/ directory.
It encrypts the files in the /Volumes/ directory that have the following file extensions:
It drops the ransom note on directories where it is able to encrypt files.
Its ransom note is saved using the following names:
The contents of the ransom note are downloaded from the C&C server.
As of this writing, the ransom note contains the following:
Minimum Scan Engine: 9.800
Step 1
Scan your computer with your Trend Micro product to delete files detected as RANSOM_KERANGER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 2
Restore encrypted files from backup.
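Before restoring from backup it helps to know exactly which files were encrypted and where, using the encryption scope described above (everything under /Users/, and only listed extensions under /Volumes/, with a ransom note dropped in every directory that was hit). The following script is an added example, not Trend Micro's tooling or the malware's code: it walks both scopes, pairs each encrypted file with the original path to look up in backup, and flags directories where the note-per-directory behaviour does not hold. The encrypted-file suffix, ransom note filename, extension list and the sample tree are assumptions constructed for illustration; the page does not list the real values, so set them from the sample you are handling.

```python
"""
Triage inventory for a KeRanger-style OS X ransomware case (added example,
not part of the original page). ASSUMED values: ENCRYPTED_SUFFIX,
RANSOM_NOTE_NAME, VOLUMES_TARGET_EXTS and the constructed sample tree.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".encrypted"               # assumed suffix on encrypted files
RANSOM_NOTE_NAME = "README_FOR_DECRYPT.txt"   # assumed ransom note filename
VOLUMES_TARGET_EXTS = {".doc", ".docx", ".jpg", ".pdf", ".txt", ".xls", ".zip"}  # assumed


def is_encrypted_name(name: str) -> bool:
    """True for 'report.xls.encrypted'; a bare '.encrypted' is not a renamed file."""
    return name.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX)


def inventory(users_root, volumes_root):
    """Walk both encryption scopes and return a dict of sorted lists:
    encrypted      - (encrypted_path, path_to_restore_from_backup) pairs
    note_dirs      - directories holding a ransom note
    missing_note_dirs - directories with encrypted files but no note
    out_of_scope   - /Volumes/ files whose original extension is not targeted"""
    out = {"encrypted": [], "note_dirs": [], "missing_note_dirs": [], "out_of_scope": []}
    for root, scope in ((users_root, "users"), (volumes_root, "volumes")):
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            has_note = RANSOM_NOTE_NAME in files
            hit = False
            for name in sorted(files):
                if not is_encrypted_name(name):
                    continue
                hit = True
                original = name[: -len(ENCRYPTED_SUFFIX)]
                enc_path = os.path.join(dirpath, name)
                out["encrypted"].append((enc_path, os.path.join(dirpath, original)))
                # Under /Users/ everything is fair game; under /Volumes/ only
                # the listed extensions are, so anything else deserves a look.
                if scope == "volumes" and Path(original).suffix.lower() not in VOLUMES_TARGET_EXTS:
                    out["out_of_scope"].append(enc_path)
            if has_note:
                out["note_dirs"].append(dirpath)
            elif hit:
                out["missing_note_dirs"].append(dirpath)
    for key in out:
        out[key].sort()
    return out


def build_sample_tree(base):
    """Create a constructed post-infection tree under base; return the two scope roots."""
    layout = {
        "Users/alice/Documents": ["thesis.pdf.encrypted", RANSOM_NOTE_NAME],
        "Users/alice/Pictures": ["cat.jpg.encrypted", "todo.md"],   # note missing here
        "Volumes/Backup": ["report.xls.encrypted", "app.dmg.encrypted", RANSOM_NOTE_NAME],
        "Volumes/Backup/logs": ["sys.log"],                          # untouched directory
    }
    for rel, names in layout.items():
        d = os.path.join(base, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("constructed sample\n")
    return os.path.join(base, "Users"), os.path.join(base, "Volumes")


def summarize(inv):
    """Per-category counts, used for the printed summary and for checks."""
    return {k: len(v) for k, v in inv.items()}


def run_on_sample_tree():
    """Build the constructed tree in a temp dir, inventory it, return (summary, inv)."""
    with tempfile.TemporaryDirectory() as tmp:
        users, volumes = build_sample_tree(tmp)
        inv = inventory(users, volumes)
        return summarize(inv), inv


if __name__ == "__main__":
    summary, inv = run_on_sample_tree()
    print(summary)
    for enc, restore in inv["encrypted"]:
        print("restore from backup:", restore, "(encrypted copy:", os.path.basename(enc) + ")")
    for d in inv["missing_note_dirs"]:
        print("encrypted files but no ransom note in:", d)
    for p in inv["out_of_scope"]:
        print("encrypted name outside the documented /Volumes/ target list:", p)
```

Run it against the real roots (`inventory("/Users", "/Volumes")`) from a clean system with the infected disk mounted read-only; the restore list is what Step 2 needs, and the two "flag" lists point at files that either belong to a different variant or were not touched by this sample at all.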