Protect Your Mac or Pay Up (OS X KeRanger)

Justin Pierce, CEH, CNDA
Dream not of today. ~ Jean-Luc Picard
This is a short article about OS X KeRanger and what people can do to get rid of it.
Imagine this: You’re editing an important document in Pages that the boss needs to have by the end of the day. Things are going great, and the music that’s softly playing in the background seems to be streaming along perfectly with each of your brilliant keystrokes. Because you’re a professional multitasker you have your favorite BitTorrent client, Transmission, downloading a few shows for the evening, and before you can think about what happened in the last episode, something happens.

A file named ‘README_FOR_DECRYPT.TXT’ appears on your desktop stating that your files are encrypted with 2048-bit RSA encryption. You begin to giggle as you pull up Finder and navigate to your Documents folder to take a peek. Immediately you stop giggling, your background music screeches to a halt, and your mouth drops open. Every file has a “.encrypted” extension appended to its name. At this point your eyes begin to widen and you take the plunge and double-click a random document (maybe the one that you’re working on for the boss) and it opens to nothing but gibberish.

What do you do now? 

Do you pay the ransom?

First, let me state that if you haven’t downloaded Transmission, or have no idea what BitTorrent is, you’re safe. This ransomware only affects users who have this specific application, and only version 2.90 of it. This means that this ransomware isn’t floating out in the ether waiting to jump on your Mac to have you pay a little over $400 (1 Bitcoin) to get your files back.

Second, if you use Transmission, check your version, and if you have 2.90 then follow the steps below. If your files are already encrypted because of this ransomware, you can still get rid of the virus by following the same steps:

(1) Open Terminal

(2) Open Activity Monitor

(3) In Activity Monitor look for the process “kernel_service” and the Transmission application and “force quit” them both.

(4) If either of them refuses to quit, look at the “PID” number next to each process and write it down or commit it to memory.

(5) In Terminal type “kill 1234” (without the quotation marks, and replacing 1234 with the number from Activity Monitor). You’ll have to do this twice because you’re stopping two different processes.

(6) Open Finder & go to Applications

(7) Drag Transmission to the Trash can and empty it. 

After you’ve completed all the steps you’re technically done, since the virus is gone. However, there are still hidden files lingering on your Mac from this ransomware that it uses to keep track of time (it waits 3 days after infection before it takes hold and starts encrypting). If you want these gone too, then follow these additional steps (remember to leave out the quotation marks when typing):

(1) Open Terminal

(2) Type “cd ~/Library”

(3) Type “rm .kernel_pid”

(4) Type “rm .kernel_time”

(5) Type “rm .kernel_service”

(6) Type “rm .kernel_complete”

You may not have all of them, so don’t worry if your Mac says it can’t find one. After that, your files will still be encrypted, so you will have to use Time Machine to restore them from a backup. If you were working in Pages then most likely your documents are saved to iCloud or iCloud Drive; both of those should be fine, so don’t worry.
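As an added example (not part of the original article), here is a read-only shell check that looks for the same indicators the steps above remove: a running process named kernel_service and the hidden .kernel_* marker files under ~/Library. It only reports what it finds and deletes nothing; removal stays with the manual steps. The function names and the constructed process listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: report the KeRanger
# indicators the manual steps above remove, without deleting anything.

# Hidden marker files the article names under ~/Library.
KERANGER_MARKERS=".kernel_pid .kernel_time .kernel_service .kernel_complete"

# Print each marker file present in the directory given as $1, one per line.
# Returns 0 if at least one was found, 1 if none.
find_keranger_markers() {
    found=1
    for name in $KERANGER_MARKERS; do
        if [ -e "$1/$name" ]; then
            echo "$1/$name"
            found=0
        fi
    done
    return $found
}

# Print the PID of every process whose command is "kernel_service".
# $1 is the text of `ps -axo pid=,comm=` (passed in so the check can run
# against a constructed listing); comm may be a bare name or a full path.
# Returns 0 if at least one PID was printed, 1 if none.
find_keranger_pids() {
    printf '%s\n' "$1" | awk '$2 ~ /(^|\/)kernel_service$/ { print $1; n++ }
                              END { exit n ? 0 : 1 }'
}

# Run both checks; returns 0 if any indicator was found, 1 if none were.
keranger_check() {
    hit=1
    find_keranger_markers "$1" && hit=0
    find_keranger_pids "$2" && hit=0
    return $hit
}

# Constructed process listing (assumption) mimicking `ps -axo pid=,comm=`
# on an infected Mac; used for the demonstration instead of a live listing.
SAMPLE_PS="  101 /sbin/launchd
  402 /Applications/Transmission.app/Contents/MacOS/Transmission
  403 /Users/alice/Library/kernel_service
  404 kernel_service
  405 /usr/libexec/kernel_services"

# On a real Mac the live call would be:
#   keranger_check "$HOME/Library" "$(ps -axo pid=,comm=)"
```

The listing check matches only a command named exactly kernel_service (bare or as the last path component), so a legitimate binary such as kernel_services is not reported.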

Lastly, as Mac malware becomes more prevalent it’s smart to protect yourself with a strong antivirus and intelligent software firewall (Intego X8 has both in one application). Intego is what I have always used and I’ve never had a problem, including Windows viruses that try to pass on when working with a Word document, since X8 can scan and quarantine those bad bits as well.

That’s it for now!

Side note: If you still trust Transmission (this really wasn't their fault), then you can update to the latest version, which no longer carries the hidden virus.
1 Comment
Author Comment

by: Justin Pierce, CEH, CNDA
Hi Ericpete,

Sorry for the reference to Intego and my site. I've removed the lines that you've asked to be taken out. Again, I'm sorry for the mishap.

Thank you for your time and take care.

vr,

Justin