Dr.Web security researchers say they can recover files. Dr.Web, a Russian-based antivirus maker, has announced it found a method of unlocking files encrypted by the KeRanger Mac ransomware which appeared last weekend.
If you haven’t been keeping up with the news, here’s a short recap. Last Sunday, US-based security firm Palo Alto Networks announced it detected the first fully-functional Mac ransomware.
A hacker managed to breach the website of the Transmission project, a BitTorrent client and replaced the legitimate Mac client with one contaminated with KeRanger.
It was later discovered that only around 6,500 users downloaded the infected client. This came to light in the past days, but not before it caused anxiety among all Mac users and generated panicky headlines all across the Internet.
Romanian antivirus maker Bitdefender later discovered that KeRanger was a variation of the Linux-based ransomware family named Linux.Encoder.
Despite providing decryption tools for Linux.Encoder in the past, Bitdefender did not provide one for KeRanger. The other company that provided decryptors for Linux.Encoder was Dr.Web, the company that discovered the Linux ransomware in the first place.
Dr.Web will provide a decrypter, but only for paying customers
In a statement on its website, Dr.Web officials are now saying that they are able to decrypt KeRanger. “Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware,” says the antivirus maker.
According to the Dr.Web spokesperson, the company will provide KeRanger decryption support only for users who have purchased commercial licenses for Dr.Web products.
Taking into account that KeRanger had a three-day sleeping period before it initiated and that antivirus products provided detection and removal tools, very few users were affected.
Since the ransomware asked for 1 Bitcoin (~$400 / €360) and a Dr.Web license goes for $32 / €28 and up, most users will probably try Dr.Web’s decrypter before paying up the ransom.
Softpedia has not tested Dr.Web’s decrypter and cannot vouche for the AV maker’s claims.