KeRanger Mac Ransomware Flaw May Allow Recovery of Files

A few days ago, KeRanger, the first Mac ransomware found in the wild was discovered. Now, according to researchers from antivirus firm Bitdefender, KeRanger turned out to be based on a previous piece of ransomware known as Linux.Encoder, which emerged late last year, targeting Linux-based web servers.

The advantage to this is that Linux.Encoder possessed flaws in its cryptographic implementation for at least the first three versions, which allowed Bitdefender’s researchers to develop tools that could decrypt the files affected by the malware. According to Bogdan Botezatu, senior e-threat analyst at Bitdefender, even the latest version of Linux.Encoder (4), has the same flaws that affected the previous versions.

“The infected Mac OS X torrent client update analyzed by Bitdefender Labs looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers since the beginning of 2016,” Bitdefender researchers stated in a blog post published on Tuesday. The result of this is that KeRanger also contains the same broken cryptographic implementation.

Bitdefender is yet to publish a tool able to decrypt KeRanger affected files, however, development of such a tool is under consideration, should the demand be sufficient.

The purpose behind KeRanger still remains to be seen, considering the great lengths that those responsible for it have gone to, including stealing a legitimate Apple developer’s certificate and hacking into a popular and trusted open source project’s website, if the ransomware they were distributing had such a crucial known weakness. Whether a newer, more dangerous version of KeRanger will appear in the future could be quite likely, however, those affected by its current iteration should be thankful that this incident was not more serious.