
KeRanger Ransomware Explained
KeRanger is a type of malicious software, or malware, specifically ransomware. It is categorized as such because it infiltrates a system, encrypts files, and then demands a ransom in exchange for the decryption key. One of KeRanger's most distinctive traits is that it is one of the first known ransomware variants to specifically target macOS. It was discovered in 2016, when it was distributed via a tampered version of Transmission, a BitTorrent client.

Infiltration and Operation of KeRanger Ransomware
KeRanger typically infiltrates a system through a compromised version of legitimate software, in this case the Transmission application. Once on the system, it remains dormant for about three days. During this time, it connects to the attacker's command-and-control servers to retrieve the encryption keys. After the three-day dormancy period, the ransomware begins encrypting files stored on the system.
Use of 2048-bit RSA Encryption
KeRanger uses the RSA-2048 encryption algorithm, a commercial-grade encryption system. When applied, the algorithm encrypts the files, making them inaccessible without the decryption key. Breaking RSA-2048 without the key is computationally infeasible in practice, so data recovery without the unique decryption key is extremely challenging for affected individuals or organizations.
Addition of “.encrypted” Extension on Encrypted Files
A distinctive characteristic of KeRanger is that it modifies the names of the files it encrypts. After encrypting each file, the ransomware appends an ".encrypted" extension to it. Thus, a JPEG file titled "familyphoto," for example, would appear as "familyphoto.encrypted." This extension serves as visible evidence of which files have been affected by KeRanger's encryption.
Ransom Aspect of KeRanger
As its categorization suggests, the underlying purpose of KeRanger ransomware is to extort money from the victims. After infiltrating a system and encrypting its files, the ransomware then demands payment from the user for the decryption key.
Creation and Content of README_FOR_DECRYPT.txt File
KeRanger creates a text file named "README_FOR_DECRYPT.txt" and places it in every affected directory. This document contains detailed instructions from the attacker about the ransom payment and decryption process. It provides the user with details of the encryption and information on how to pay the ransom, which is usually demanded in Bitcoin to shield the attacker's identity.
Decrypting One File for Free
To prove its ability to decrypt data, KeRanger offers to decrypt one chosen file for free. This strategy aims to build trust with the victim and convince them of the feasibility of file recovery upon making payment. However, cybersecurity experts warn that payment doesn't always guarantee successful decryption or the return of the files.
Absence of Third-Party Tools to Decrypt
Despite numerous concerted efforts, no third-party tool or application currently exists that can decrypt files encrypted by the KeRanger ransomware. This absence of decryption tools further increases the difficulty in data recovery and reinforces the importance of preventive measures, such as regular backup of vital data and maintaining reliable cybersecurity defenses.
KeRanger Compared to Other Ransomware
Ransomware as a form of malware has many different types and variants, and while they all share a common goal—extorting money by encrypting files—how they go about achieving this varies. KeRanger does share some similarities with other notable ransomware, such as CryptoLocker, TeslaCrypt, and Locky, yet also differs in several aspects.
Similarities to Other Notable Ransomware Such as CryptoLocker, TeslaCrypt, Locky
Like KeRanger, CryptoLocker, TeslaCrypt, and Locky are ransomware families known for infiltrating systems, encrypting files, and demanding a ransom for the decryption key. Their similar mode of operation involves attacks on both individual and commercial systems, causing substantial harm to personal data and enterprise infrastructure alike. All of these ransomware families are typically distributed through phishing campaigns, exploit kits, or contaminated websites.
Differences in Encryption Algorithm and Ransom Amount
While CryptoLocker, TeslaCrypt, and Locky employ strong encryption technologies, the RSA-2048 algorithm deployed by KeRanger is particularly robust and challenging to break. Additionally, the demanded ransom fees differ among these ransomware families. For instance, CryptoLocker typically demands $400 and TeslaCrypt around $500, while Locky averages $400 to $800, which is lower than the one to four Bitcoin range often demanded by KeRanger.
Common Distribution Methods
Most ransomware, including KeRanger, is mainly distributed through malicious email attachments and compromised websites. However, KeRanger differentiates itself in that it was initially spread through a tainted installer of the Transmission BitTorrent client. This distribution method targeted macOS users, setting KeRanger apart from the majority of ransomware, which primarily focuses on Windows operating systems.
Steps to Address KeRanger
Handling a ransomware attack like KeRanger involves several key steps. These actions range from identifying the ransomware, to taking preventive measures, to following the advised procedure for post-infection response. It's worth noting that each ransomware family has its own attributes and therefore requires a somewhat distinct approach.
KeRanger’s Origin as a Rewrite of a Linux.Encoder Ransomware
KeRanger is believed to be a rewrite of an earlier ransomware, namely Linux.Encoder. Identifying its origin is beneficial because it helps in understanding its potential weaknesses and in developing effective countermeasures. It's worth noting that most protection and remediation measures against Linux.Encoder could be effective against KeRanger.
File Names Associated with KeRanger and Types Targeted by It
KeRanger is known to create and drop several harmful files post-infiltration. Files such as "keranger.a" and "keranger.plist" are among these, and they're usually located in the directory "/Applications/Transmission.app/Contents/Resources/." KeRanger primarily targets documents, images, audio/video files, archives, and databases. Identifying these key files can help in taking appropriate action towards removing the ransomware.
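The host-side indicators named above (the ".encrypted" suffix, the README_FOR_DECRYPT.txt ransom notes, and the dropped files under the Transmission Resources directory) can be enumerated with a short triage script. The following is an added example written for this page, not the article's own tooling or anything published by the Transmission project: it builds a small constructed directory tree that mimics an infected home folder, counts the indicators in it, and then checks the live Resources path from the article. The function names and the sample tree are the example's own inventions; the file names and the Resources path are the ones the article gives.

```shell
#!/bin/sh
# Added triage example (not from the original article). Enumerates the
# indicators the article names; the sample tree below is constructed data.

# Dropped-file names and their location, as stated in the article.
KERANGER_DROPPED="keranger.a keranger.plist"
KERANGER_RESOURCES="/Applications/Transmission.app/Contents/Resources"

# count_encrypted DIR: number of files carrying the ".encrypted" suffix below DIR.
count_encrypted() {
    find "$1" -type f -name '*.encrypted' | wc -l | tr -d ' '
}

# count_ransom_notes DIR: number of README_FOR_DECRYPT.txt notes below DIR.
count_ransom_notes() {
    find "$1" -type f -name 'README_FOR_DECRYPT.txt' | wc -l | tr -d ' '
}

# list_dropped_files RESDIR: prints each named dropped file that exists in RESDIR.
list_dropped_files() {
    for f in $KERANGER_DROPPED; do
        [ -e "$1/$f" ] && echo "$1/$f"
    done
    return 0
}

# build_sample_tree: creates a constructed directory tree resembling an
# affected home folder (empty placeholder files, not real artefacts) and
# prints its path. Two encrypted files, two notes, two dropped files.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/Documents" "$d/Pictures" "$d/Resources"
    : > "$d/Documents/report.docx.encrypted"
    : > "$d/Documents/README_FOR_DECRYPT.txt"
    : > "$d/Pictures/familyphoto.encrypted"
    : > "$d/Pictures/README_FOR_DECRYPT.txt"
    : > "$d/Pictures/untouched.png"
    : > "$d/Resources/keranger.a"
    : > "$d/Resources/keranger.plist"
    echo "$d"
}

# Stand-alone run: triage the constructed tree, then check the live path.
sample=$(build_sample_tree)
echo "encrypted files in sample: $(count_encrypted "$sample")"
echo "ransom notes in sample:    $(count_ransom_notes "$sample")"
echo "dropped files in sample:"
list_dropped_files "$sample/Resources"
echo "live check of $KERANGER_RESOURCES (nothing printed means not found):"
list_dropped_files "$KERANGER_RESOURCES"
rm -rf "$sample"
```

On a real host you would point count_encrypted and count_ransom_notes at the user's home directory and rely on the live check of the Resources path; a non-zero count of ".encrypted" files together with ransom notes is the signal to isolate the machine and restore from backup rather than to interact with the note.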
Updating and Upgrading for Malware Removal
For individuals who have inadvertently downloaded a Transmission installer compromised with KeRanger, updating or upgrading the software is key. The Transmission project has released subsequent versions that not only remove the KeRanger ransomware but also patch the vulnerability, preventing future attacks. Furthermore, it is important to scan the system with a reliable security program to remove any lingering elements of the ransomware.
Warnings Against Paying the Ransom
Cybersecurity experts strongly advise against paying the ransom demanded by KeRanger or any other ransomware. Besides potentially encouraging cybercriminals to continue with such illicit activities, there's no guarantee that payment will result in the retrieval of the encrypted files. As such, focusing on removal and prevention is the advised approach to dealing with this ransomware.