March 11, 2016
Mac.Trojan.KeRanger.2 was first detected in a compromised version of the installer for a popular OS X torrent client that was distributed as a DMG file. The malicious application was signed with a valid Mac app development certificate. Thus, this program successfully bypassed Apple’s Gatekeeper protection.
Once Mac.Trojan.KeRanger.2 is installed on the infected computer, it waits for three days before connecting to the C&C server over the TOR network. Then it starts the encryption procedure. First, the Trojan encrypts all files that it can access with the help of either user or root privileges. Mac.Trojan.KeRanger.2 then tries to encrypt the contents of the /Volumes logical partition—that is, files stored on a hard drive and on mounted logical partitions. In that case, files are encrypted according to the Trojan’s certain list that contains 313 different file types including text files and images. The Trojan downloads an encryption key and a file with cybercriminals’ demands from the server. This ransomware program can be recognized by the fact that it appends all encrypted files with the “.encrypted” extension and plants the “README_FOR_DECRYPT.txt” file into all directories.
Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware.
If you have fallen victim to Mac.Trojan.KeRanger.2, follow the guidance below:
- Notify the police.
- Do not, under any circumstances, attempt to change the contents of directories with encrypted files.
- Do not delete any files from the computer.
- Do not try to restore the encrypted data by yourself.
- Contact Doctor Web technical support (free decryption service is only available to users who have purchased commercial licenses for Dr.Web products).
- Attach a file encrypted by the Trojan to the request ticket.
- Wait for a response from technical support. Due to a large number of requests, it may take some time.
Once again, we would like to point out that free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. For information how to submit a decryption request, please follow this link. Doctor Web cannot guarantee that all your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.