Your browser is obsolete!

The page may not load correctly.

Free trial
Dr.Web for Android

Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Call us

+7 (495) 789-45-86

Forum
Profile

Back to news

Files compromised by ransomware Trojan for OS X can be decrypted by Doctor Web

March 11, 2016

At the beginning of March, numerous mass media, websites, and blogs announced about the emergence of the first ever ransomware for Mac computers. Doctor Web specialists examined this malicious program, which was named Mac.Trojan.KeRanger.2, and they have developed a method that can help to decrypt files affected by this Trojan.

Mac.Trojan.KeRanger.2 was first detected in a compromised version of the installer for a popular OS X torrent client that was distributed as a DMG file. The malicious application was signed with a valid Mac app development certificate. Thus, this program successfully bypassed Apple’s Gatekeeper protection.

Once Mac.Trojan.KeRanger.2 is installed on the infected computer, it waits for three days before connecting to the C&C server over the TOR network. Then it starts the encryption procedure. First, the Trojan encrypts all files that it can access with the help of either user or root privileges. Mac.Trojan.KeRanger.2 then tries to encrypt the contents of the /Volumes logical partition—that is, files stored on a hard drive and on mounted logical partitions. In that case, files are encrypted according to the Trojan’s certain list that contains 313 different file types including text files and images. The Trojan downloads an encryption key and a file with cybercriminals’ demands from the server. This ransomware program can be recognized by the fact that it appends all encrypted files with the “.encrypted” extension and plants the “README_FOR_DECRYPT.txt” file into all directories.

Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware.

If you have fallen victim to Mac.Trojan.KeRanger.2, follow the guidance below:

  • Notify the police.
  • Do not, under any circumstances, attempt to change the contents of directories with encrypted files.
  • Do not delete any files from the computer.
  • Do not try to restore the encrypted data by yourself.
  • Contact Doctor Web technical support (free decryption service is only available to users who have purchased commercial licenses for Dr.Web products).
  • Attach a file encrypted by the Trojan to the request ticket.
  • Wait for a response from technical support. Due to a large number of requests, it may take some time.

Once again, we would like to point out that free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. For information how to submit a decryption request, please follow this link. Doctor Web cannot guarantee that all your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.

More about this Trojan

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2017

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040