RANSOM_KERANGER.A
OSX
Threat Type: Trojan
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This malware was involved in the March 2016 compromise of a popular bittorent client website, where it was passed off as a legitimate upgrade installer. The first ransomware to exclusively target OSX machines, users affected by this malware may find their important files and documents useless and unopenable.
To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It connects to certain websites to send and receive information.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following files:
- ~/Library/.kernel_complete
- ~/Library/.kernel_time
- ~/Library/.kernel_pid
It drops the following component file(s):
- ~/Library/kernel_service (detected as Ransom_KeRanger.A)
Other Details
This Trojan connects to the following website to send and receive information:
- {BLOCKED}6kvohlkcml.onion.link
- {BLOCKED}6kvohlkcml.{BLOCKED}n.nu
- {BLOCKED}mea723xyaz.{BLOCKED}n.link
- {BLOCKED}mea723xyaz.{BLOCKED}n.nu
- {BLOCKED}ok7oz5kjoc.{BLOCKED}n.link
- {BLOCKED}k7oz5kjoc.{BLOCKED}n.nu
It renames encrypted files using the following names:
- {original filename}.encrypted
NOTES:
It encrypts the files found in the following directories:
- /Users/
- /Volumes/
It encrypts all files found in the /Users/ directory.
It encrypts the files in the /Volumes/ directory that contain the following file extensions:
- .3dm
- .3ds
- .3g2
- .3gp
- .7z
- .ab4
- .accdb
- .accde
- .accdr
- .accdt
- .ach
- .acr
- .act
- .adb
- .ads
- .ai
- .ait
- .al
- .apj
- .arw
- .asf
- .asm
- .asp
- .asx
- .avi
- .back
- .backup
- .bak
- .bank
- .bay
- .bdb
- .bgt
- .bik
- .bkf
- .bkp
- .blend
- .bpw
- .c
- .cdb
- .cdf
- .cdr
- .cdx
- .ce1
- .ce2
- .cer
- .cfp
- .cgm
- .class
- .cls
- .cmt
- .cnv
- .cpi
- .cpp
- .cr2
- .craw
- .crt
- .crw
- .cs
- .csh
- .csl
- .csv
- .dac
- .db
- .db3
- .dbf
- .dbr
- .dbs
- .dc2
- .dcr
- .dcs
- .dcx
- .ddd
- .ddoc
- .dds
- .der
- .des
- .design
- .dgc
- .djvu
- .dng
- .doc
- .docm
- .docx
- .dot
- .dotm
- .dotx
- .drf
- .drw
- .dtd
- .dwg
- .dxb
- .dxf
- .dxg
- .ebd
- .edb
- .eml
- .eps
- .erf
- .exf
- .fdb
- .ffd
- .fff
- .fh
- .fhd
- .fla
- .flac
- .flv
- .fm
- .fp7
- .fpx
- .fxg
- .gdb
- .gray
- .grey
- .grw
- .gry
- .h
- .hbk
- .hpp
- .ibd
- .idx
- .iif
- .indd
- .java
- .jpe
- .jpeg
- .jpg
- .kdbx
- .kdc
- .key
- .laccdb
- .lua
- .m
- .m4v
- .maf
- .mam
- .maq
- .mar
- .maw
- .max
- .mdb
- .mdc
- .mde
- .mdf
- .mdt
- .mef
- .mfw
- .mmw
- .mos
- .mov
- .mp3
- .mp4
- .mpg
- .mpp
- .mrw
- .mso
- .myd
- .ndd
- .nef
- .nk2
- .nrw
- .ns2
- .ns3
- .ns4
- .nsd
- .nsf
- .nsg
- .nsh
- .nwb
- .nx1
- .nx2
- .nyf
- .obj
- .odb
- .odc
- .odf
- .odg
- .odm
- .odp
- .ods
- .odt
- .oil
- .one
- .orf
- .otg
- .oth
- .otp
- .ots
- .ott
- .p12
- .p7b
- .p7c
- .pages
- .pas
- .pat
- .pbo
- .pcd
- .pct
- .pdb
- .pdd
- .pef
- .pem
- .pfx
- .php
- .pip
- .pl
- .plc
- .pot
- .potm
- .potx
- .ppam
- .pps
- .ppsm
- .ppsx
- .ppt
- .pptm
- .pptx
- .prf
- .ps
- .psafe3
- .psd
- .pspimage
- .ptx
- .pub
- .puz
- .py
- .qba
- .qbb
- .qbm
- .qbw
- .qbx
- .r3d
- .raf
- .rar
- .rat
- .raw
- .rdb
- .rm
- .rtf
- .rwz
- .sas7bdat
- .say
- .sd0
- .sda
- .sdf
- .snp
- .sql
- .sr2
- .srf
- .srt
- .srw
- .st4
- .st5
- .st6
- .st7
- .st8
- .stc
- .std
- .sti
- .stw
- .stx
- .svg
- .swf
- .sxc
- .sxd
- .sxg
- .sxi
- .sxm
- .sxw
- .tex
- .tga
- .thm
- .tlg
- .txt
- .vob
- .vsd
- .vsx
- .vtx
- .wav
- .wb2
- .wbk
- .wdb
- .wll
- .wmv
- .wpd
- .wps
- .x11
- .x3f
- .xla
- .xlam
- .xlb
- .xlc
- .xlk
- .xll
- .xlm
- .xlr
- .xls
- .xlsb
- .xlsm
- .xlsx
- .xlt
- .xltm
- .xltx
- .xlw
- .xpp
- .xsn
- .yuv
- .zip
- .tar
- .tgz
- .gzip
- .tib
- .sparsebundle
It drops the ransom note on directories where it is able to encrypt files.
Its ransom note is saved using the following names:
- README_FOR_DECRYPT.txt
The contents of the ransom note is downloaded from the C&C server.
The contents of the ransom note, as of this writing, contains the following:
SOLUTION
Step 1
Scan your computer with your Trend Micro product to delete files detected as RANSOM_KERANGER.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 2
Restore encrypted files from backup.
Did this description help? Tell us how we did.