OS X KeRanger ransomware - if you play with dirt, you’ll get dirty

An OS X ransomware variant called KeRanger has recently been detected.
According to its description, it uses two main vectors:
  1. Torrents (a piece of software called Transmission 2.90)
  2. Phishing emails.
In my opinion, as I already mentioned in my previous post, Bye-bye, ransomware! ACYA later!, this happens because people keep clicking whatever they see, regardless of all the breaches that keep occurring.
Any malware requires a positive action on your end. It can't infect your system if you don't click a link, install a program, or open something you shouldn't.

Therefore, if people complied with security best practices, all these incidents wouldn't occur.

The rule to follow is very clear: any file whose source is unknown or uncertain is untrusted and must not be run or opened in a production environment.

If you just want, or need, to run them, do it in a virtual machine.

[Figure: Physical OS X El Capitan (top) and El Capitan virtual machine (bottom).]
Should something go south, your physical system will remain untouched and no consequence will result from the incident.

Using a virtual machine is a little bit like having a trip to Vegas: anything happening in the virtual machine stays there and doesn't affect your physical operating system.

Downloading torrents means knowingly exposing yourself to an infection threat.

Someone on Quora sent me a resentful comment about my negative attitude toward BitTorrent and similar tools.

According to his comment, he found useful stuff in the torrent network rather than malware.

I'm not claiming that the whole p2p network is a haven for malware and cyber crime, or that all files you can download from there are infected with malware.

p2p was developed from a commendable idea: sharing resources between users to promote common knowledge and expertise. However, as can happen with anything else, it has been used for bad more often than for good.

My mindset is different from his and from that of other guys around: as a cyber security professional/(ethical) hacker, I'm a professional paranoid. Anything whose source I don't know is untrusted. At most, I run it in a virtual machine, or I delete it right away.

All torrent software is untrusted, IMHO: I believe its unknowns and infection risks outweigh its possible advantages.

The reason why most security policies don't allow using this stuff in production environments is that it's like a jack-in-the-box: you don't know what can come out of it.

Moreover, it often requires you to install Java, which you should never do. Java is one of the top vulnerability sources, both for macOS and for any other operating system.

As to email phishing links, I mark as junk and delete right away any email whose sender I don't know.

This is what works for me, and I don't think, nor do I claim, that it could work for everyone.

However, "better safe than sorry" is a golden rule in my line of work.

macOS has a system protection feature called Gatekeeper, which prevents you from installing untrusted software.

You can install untrusted software in OS X only by choosing to allow apps downloaded from anywhere in Security & Privacy, as shown below.

Gatekeeper might not be enough to save you from malware, sadly. KeRanger was able to bypass it, as it was signed with a valid Mac app development certificate.

Quoting Palo Alto:

  • "Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
  • Using Activity Monitor preinstalled in macOS X, check whether any process named "kernel_service" is running. If so, double check the process, choose the "Open Files and Ports" and check whether there is a file name like "/Users/<username>/Library/kernel_service". If so, the process is KeRanger's main process. We suggest terminating it with "Quit -> Force Quit".
  • After these steps, we also recommend users check whether the files ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service" existing in ~/Library directory. If so, you should delete them".
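The three checks Palo Alto lists, scripted as an added example (not code from the original post or from Palo Alto). It assumes a POSIX shell and the indicator paths quoted above; the bundle-path prefix and the Library directory are parameters so the same function can be exercised against a staged directory tree. It only reports; nothing is deleted or killed.

```shell
#!/bin/sh
# Added example, not from the original post or from Palo Alto: reports the
# KeRanger indicators quoted above. ROOT is a prefix for the bundle paths
# ("" on a real Mac) and LIBDIR is normally "$HOME/Library"; both are
# parameters so the check can also be run against a staged directory tree.

# Marker file inside an infected Transmission bundle (two install locations).
RTF_MARKERS="/Applications/Transmission.app/Contents/Resources/General.rtf
/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"

# Artefacts the running sample drops in ~/Library.
LIB_MARKERS=".kernel_pid .kernel_time .kernel_complete kernel_service"

# check_keranger_indicators ROOT LIBDIR
# Prints each indicator found; returns 0 when clean, 1 when anything matched.
# Nothing is deleted or killed: removal stays a manual decision.
check_keranger_indicators() {
    kr_root=$1
    kr_lib=$2
    kr_found=0
    for kr_p in $RTF_MARKERS; do
        if [ -e "$kr_root$kr_p" ]; then
            echo "infected Transmission bundle: $kr_root$kr_p"
            kr_found=1
        fi
    done
    for kr_m in $LIB_MARKERS; do
        if [ -e "$kr_lib/$kr_m" ]; then
            echo "KeRanger artefact: $kr_lib/$kr_m"
            kr_found=1
        fi
    done
    # The malware's main process; pgrep -x matches the exact process name.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x kernel_service >/dev/null 2>&1; then
        echo "kernel_service process is running (check its open files in Activity Monitor)"
        kr_found=1
    fi
    return $kr_found
}

# Run the live check with:  sh keranger_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    check_keranger_indicators "" "$HOME/Library" && echo "no KeRanger indicators found"
fi
```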
This situation has already been taken care of by Apple. I tried to download the infected software (Transmission 2.90) to play with it in my virtual lab, but it has been replaced everywhere by a new, safe version (2.92), and any website offering it for download now displays banner warnings about the older version.

However, all this confirms that my point is valid.

I refrain from installing this stuff and, should I really need it, I use a virtual machine.

I was also looking into software like DeepFreeze for Mac, which allows you to block any undesired changes and revert your system to a trusted image (no, they didn't pay me to state this; I saw its Windows version in action at my college and was favorably impressed).

If you're careless with your security, be advised bad stuff can happen to your system.

Viruses for OS X are nowhere to be found. OS X malware consists mostly of Trojans and the like.

With Windows, clicking the wrong file can cause real bad stuff to happen.

The worm generator I used in my virtual environment (see figure below) can compromise your system and cause serious damage. There are tools around that let you wrap the file created this way with other software, so that antivirus software doesn't recognise its signature.


The takeaway from this post is that you should take your security seriously.

You can be ruined in a second, and in so many possible ways that it's critical for you to reduce the attack surface.

Please stop clicking anything you see before it's too late.

Maybe I'm gonna shut up from now on.

Maybe :)
