It appears that the KeRanger Mac ransomware has roots in Linux, not Windows, as many were expecting to. A big surprise was revealed today by security researchers from Romanian antivirus company Bitdefender, who claim that the KeRanger Mac ransomware that appeared last weekend is actually a rewrite of the ransomware variant that’s been plaguing Linux servers for the past five months.
After going through their regular procedures of looking at all new threats that their security products come across on a daily basis, the Bitdefender malware analysis team discovered an interesting tidbit.
By taking a close look at the KeRanger disassembly, Bitdefender’s staff spotted a lot of functions that bore a similar name to something they’ve seen before, in the Linux.Encoder Linux ransomware.
Linux.Encoder targeted Linux servers, was built from an open-source ransomware project
Linux.Encoder is ransomware family that was first discovered by Dr.Web, a Russian antivirus company last November. The ransomware only targeted Linux machines and looked to encrypt files specific to Web servers and source code repositories.
Later on, it was discovered that Linux.Encoder was based on the Hidden Tear ransomware family, open-sourced and uploaded on GitHub by Turkish security researcher Utku Sen.
Taking into account that Bitdefender was the first security company that cracked Linux.Encoder‘s encryption, over and over again, and the company has a history ofpublicly shaming the ransomware’s coders, their opinion carries more weight than other overnight Mac ransomware specialists that seem to have come out of the woodwork these days.
KeRanger and Linux.Encoder share a lot of code
“The encryption functions are identical and have same names: encrypt_file, recursive_task, currentTimestamp and createDaemon to only mention a few. The encryption routine is identical to the one employed in Linux.Encoder,” explained Catalin Cosoi, Chief Security Strategist at Bitdefender.
Bitdefender’s Senior E-Threat Analyst Bogdan Botezatu is suggesting two scenarios of how this might have happened. Either the Linux.Encoder developer decided to expand the code to support Mac on his own, or he may have licensed the code to another cybercrime group specialized in Mac OS X systems.
Furthermore, the company is saying that KeRanger is a very close copy of Linux.Encoder.4, but ported for Mac architectures. Linux.Encoder.4 surfaced at the beginning of the year after Linux.Encoder.3 failed miserably and has continued to wreck havoc among website owners.
As far as we know, there’s no Bitdefender decryption tool for Linux.Encoder.4, but we have contacted Bitdefender, and we’ll update the post with a link if there is one.
Comparison between KeRanger and Linux.Encoder disassemblies