You know what’s missing from your workday? Losing access to a number of your key files after accidentally downloading some ransomware. Nothing makes the day go smoother than receiving a message, telling you to pay the Bitcoin ransom if you want to get your files back.
Unfortunately, that was the reality for some users who’d downloaded the Transmission BitTorrent installer. This lightweight BitTorrent client for Mac OS X (a Linux version is also available and is bundled with Ubuntu) runs in the background to download torrents quickly, and it can even be operated remotely through its web interface. Sadly, copies of the installer downloaded at any time on March 4th or 5th may also have been infected with the KeRanger ransomware.
First discovered by Palo Alto Networks, the ransomware was found in two versions of the Transmission 2.90 installer. Because Transmission is a fully open-source project, the researchers speculated that the project’s download website itself had been compromised.
In their post on KeRanger, Claud Xiao and Jin Chen explain that the ransomware encrypts individual files to lock you out of them, a process the attackers offer to undo for a fee. The encryption process itself is pretty slick:
“To encrypt each file, KeRanger starts by generating a random number (RN) and encrypts the RN with the RSA key retrieved from the C2 server using the RSA algorithm. It then stores the encrypted RN at the beginning of the resulting file. Next, it will generate an Initialization Vector (IV) using the original file’s contents and store the IV inside the resulting file. After that, it will mix the RN and the IV to generate an AES encryption key. Finally, it will use this AES key to encrypt the contents of the original file and write all encrypted data to the result file.”
But be warned: further investigation into how KeRanger works uncovered an alarming detail, namely that the sample contained functionality that had not yet been completed. Had the malware gone undetected, these features could have been activated at a later date.
“It seems like KeRanger is still under development. There are some apparent functions named ‘_create_tcp_socket’, ‘_execute_cmd’ and ‘_encrypt_timemachine’. Some of them have been finished but are not used in current samples. Our analysis suggests the attacker may be trying to develop backdoor functionality and encrypt Time Machine backup files as well. If these backup files are encrypted, victims would not be able to recover their damaged files using Time Machine.”
Fortunately, Transmission’s developers have released a new version that addresses the problem. For those who may already be infected, Palo Alto Networks has complete clean-up instructions here.