Apple OS X Affected By The First Extortionist

Apple OS X Affected By The First Extortionist

Palo Alto Networks specialists have discovered the first real ransomware for Apple OS X. The malicious program is called KeRanger and is detected by our antivirus products like OSX / Filecoder.KeRanger.A. KeRanger is a type of crypto-ransomware or file code and specializes in encryption of user files with further demand for redemption for decryption.

To spread the malicious program, attackers have chosen an effective way to compromise software distributions called Transmission for OS X. This program is a simple freeware BitTorrent client. A few days ago, two distributions of Transmission v2.90 were compromised by KeRanger and distributed on the official website of the client. Since Transmission is free software, attackers could simply compile a special backdoored version and replace it with the development server. In addition, the compromised distribution was signed by a legitimate digital developer certificate for Mac.

The compromised distribution of Transmission on the official website. (Palo Alto Networks data)


As we already mentioned, both compromised distributions were signed by a legitimate digital certificate that was issued by Apple. The developer ID in this digital certificate is “POLICE PAINT INDUSTRY AND TRADE INC. (Z7276PX673)”, which is different from the similar identifier used to sign the previous legitimate versions of Transmission.

The compromised distribution contains an additional file called General.rtf, located on the path. This file is an executable of the Mach-O format, but the icon for the RTF document is used to mask it. The executable file is packed using UPX version 3.91. When the user launches infected distributions for execution, the built-in legitimate Application will copy the General.rtf file to the ~ / Library / kernel_service location and execute the “kernel_service” file before the user starts working with the GUI.

Icons of malicious objects in the distribution. (Palo Alto Networks data)

Since the file is provided with a legitimate digital signature, a malicious program can successfully bypass the Apple Gatekeeper security software scan. After installing the compromised application, the malicious code is activated on the user’s computer. After that, KeRanger waits for three days before the first connection with its C & C server manager, using anonymous Tor network. This trick masks the presence of the extortionist after a direct compromise of the user.

After connecting to the C & C, KeRanger initiates the process of encrypting certain types of user files on the computer. To decrypt files, attackers require a ransom of one bitcoin (about $ 400). In addition, KeRanger attempts to encrypt backup files to prevent the user from recovering their data from them.


Information about the digital signature of a malicious distribution. The files were signed on March 4th. (Palo Alto Networks data)

As the mentioned General.rtf, which specializes in file encryption and random requirements. (Palo Alto Networks data)


The KeRanger code executes the mentioned General.rtf, which specializes in file encryption and random requirements. (Palo Alto Networks data)

The malicious program specializes in encryption of more than three hundred file types, including the following:

  • Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex
  • Images: .jpg, .jpeg
  • Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac
  • The archives: .zip, .rar., .tar, .gzip
  • Source code: .cpp, .asp, .csh, .class, .java, .lua
  • Databases: .db, .sql
  • Emails: .eml
  • Certificates: .pem
A request for redemption, which was obtained by the extortioner from the C & C server. (Palo Alto Networks data)

Encrypted KeRanger files receive an additional .encrypted extension to an already existing name. To encrypt files, a procedure is used that is similar to the cryptographers for Windows, that is, symmetric AES algorithms and asymmetric RSA encryption are used. The encryption function is listed below. To decrypt the files, you need to get a private RSA key, with which you can decrypt the symmetric AES key stored in the body of each file.

The function of file encryption using AES.



The digital certificate used to sign malicious files has already been withdrawn by Apple, and Gatekeeper security software already detects KeRanger files. The authors of the Transmission Project were also notified of the incident and the compromised distributions were removed from the server. Apple added KeRanger signatures to its XProtect security tool, with the corresponding update automatically receiving poppies.