Ransomware is a growing threat to computer users worldwide, and while it has been more commonly associated with Windows systems, KeRanger Ransomware represents a notable example of this malicious software targeting Mac operating systems. Understanding what KeRanger Ransomware is, what it does to your files, and how to respond to such threats is crucial for maintaining your data’s security.
KeRanger Ransomware: A Dormant Threat
One of the distinctive features of KeRanger Ransomware is its ability to remain dormant on an infected computer for a certain period, specifically three days, before initiating its attack. This delay can catch users off guard and result in significant data loss.
Once activated, KeRanger Ransomware employs a robust encryption algorithm to encrypt the victim’s data, adding the file extension ‘.encrypted’ to each compromised file. It primarily targets specific file types, including various document formats, images, and multimedia files, making these files inaccessible to the victim. Some of the files that KeRanger Ransomware and similar infections target are:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.
The Alarming Ransom Note
The culmination of the attack is the presentation of a ransom note to the victim. KeRanger Ransomware delivers this message in the form of a text file named ‘README_FOR_DECRYPT.txt,’ which includes instructions for the victim to follow. Here’s an example of the typical ransom note message:
The KeRanger Ransomware delivers a ransom note in the form of a text file named ‘README_FOR_DECRYPT.txt,’ which contains the following message for the victim:
‘Your computer has been locked, and all your files has been encrypted with 2048-bit RSA encryption.
instruction for decrypt:
1. Go to h[tt]ps://fiwf4kwysoldpwShonlon[.]to ( IF NOT WORKING JUST DOWNLOAD TOR BROWSER AND OPEN THIS LINK: h[tt]ps://fiwf4kwysoldpwShonlon[.]onion )
2. Use 1PGaufinNcvSnYKopligaggpkynynomEof as your ID for authentication
3. Pay 1 BTC (≈407.47$) for decryption pack using bitcoins (wallet is your IP for authentication – 1PGAIMINO6NYMPN244rFkYAMMIREof)
4. Download decrypt pack and run
Also at h[tt]ps://fiwfalkwysmAdowSl.onion[.]to you can decrypt 1 file for FREE to make sure decryption is working.
Also we have ticket system inside, so if you have any questions – you are welcome.
We will answer only if you able to pay and you have serious question. IMPORTANT: WE ARE ACCEPT ONLY (!!) BITCOINS
HOW TO BUY BITCOINS:
The ransom note may also include a warning about the importance of paying promptly to avoid permanent data loss.
Dealing with KeRanger Ransomware Infection
Dealing with the aftermath of a KeRanger Ransomware infection can be a challenging and distressing experience. However, it’s crucial to remember that prevention is the best defense against ransomware. Here are some steps to take if your Mac has fallen victim to KeRanger Ransomware:
Do Not Pay the Ransom
It’s strongly discouraged to pay the ransom demanded by the attackers. There’s no guarantee that paying will result in the recovery of your files, and it only encourages cybercriminals to continue their activities.
Isolate the Infected System
Disconnect the infected Mac from any networks, both wired and wireless, to prevent the ransomware from spreading to other devices.
Backup Your Encrypted Files
While the encrypted files are inaccessible, you should keep a backup of them in case a decryption solution becomes available in the future.
Remove KeRanger Ransomware
Use a reputable and up-to-date antivirus or anti-malware program to scan and remove KeRanger Ransomware from your system.
Restore from Backup
If you have a recent backup of your files, you can restore your system to a point before the ransomware infection occurred. This will remove the encryption from your files.
Update Your Software
Ensure that all your software, including your operating system and applications, are up-to-date with the latest security patches and updates.
Practice Safe Browsing and Email Habits
Be cautious when downloading files, clicking on links, or opening email attachments. Ransomware often spreads through malicious downloads and email attachments.
Remember that ransomware attacks can be devastating, but they can often be prevented with good security practices and by maintaining up-to-date backups of your important data. Always remain vigilant and prioritize security to protect your files and your Mac from threats like KeRanger Ransomware.