Slashdot Mirror


KeRanger Mac Ransomware Based On Linux Forebear, Not Windows

An anonymous reader writes: It appears that the KeRanger ransomware that's been tormenting Mac users for the past few days is actually based on a ransomware variant that targets Linux servers, and not on a ransomware family coming from Windows. That particular Linux ransomware is also based on an open-source ransomware called Hidden Tear that was uploaded to GitHub by a Turkish security researcher. So obviously, the conclusion is that GitHub is to blame for the KeRanger Mac ransomware. (Note to readers: That last bit is tongue in anonymous cheek.)


  1. Is that surprising? by Harlequin80 · · Score: 3, Insightful

    I would have assumed that it would have come from a Linux or BSD based one rather than a Windows one.... Those systems are much closer to the Mac than Windows is.

    Or am I being overly simplistic?

  2. Re:Well Duh Max OS is Based on Linux by nawcom · · Score: 3, Informative

    Mac OS X was based on NeXTSTEP which predates Linux, and NeXTSTEP was based on 4.3FreeBSD and CMU Mach.

  3. Uhh? by easyTree · · Score: 3, Funny

    This appears to be a doubly-impossible scenario as both Linux and Mac are secure by default.

    1. Re:Uhh? by fermion · · Score: 2
      To take this bit seriously, not secure by default, but the Mac use case is not the same as for most MS Windows users.

      For example, most of my work is continuously backed up to iCloud and Dropbox. iCloud for Apple apps, and Dropbox for LaTeX, Python and other stuff. My computers are backed up by Time Machine, especially my photography machine.

      It would seem for most stuff, a simple wipe and restore would fix the problem. I suppose for some enterprise customers it would be a problem, but if people are not making incremental backups of machines, this really is a bigger issue than malware. These people are one disk failure away from oblivion even without malware.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    2. Re:Uhh? by _merlin · · Score: 2

      People have been using vulnerabilities in CMS and forum software (and their plugins) to attack web and mail servers with this ransomware. I know it's hit some schools and small companies.

  4. 2016 is the year of the Linux desktop by Anonymous Coward · · Score: 2, Funny

    Because someone has finally figured out how to make money using Linux!

  5. Linux ransomware torments Mac users? by tetraverse · · Score: 2

    How does this 'Linux ransomware' get onto the computer without the end user visiting a malicious site and explicitly downloading and installing the program?

    1. Re: Linux ransomware torments Mac users? by samkass · · Score: 3, Informative

      In this case, by someone hacking the installer to a BitTorrent client, hacking the server that distributes it, signing it with a valid Apple developer cert and swapping their version in. Then hoping no one notices until the few days pass before it does its job and triggers. That last part didn't happen. Apple patched the built-in anti-malware, the company released a new version that removes the malware, and it was only downloaded about 6,500 times before disappearing. Unless any of those machines stayed completely off the internet in that time, it probably didn't strike anyone in the wild. That's what being "tormented" by a Trojan Horse looks like on the Mac.

      --
      E pluribus unum
    2. Re: Linux ransomware torments Mac users? by rworne · · Score: 2

      Hacking the installer?

      I thought the binary itself was infected (well, the app bundle), which required just dropping the app from the dmg file onto the system and executing it.

      Programs like Transmission do not need installers. Anyone looking to put a simple utility on their system should look at .pkg installer files with a great deal of suspicion.

      --
      I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  6. Re:Note to readers: That last bit is tongue in che by TheRealHocusLocus · · Score: 3, Interesting

    No it isn't, it's editorialising. And it's inappropriate.

    No it isn't, it's a clarification. Wording a bit

    "(Note to readers: That last bit is tongue in anonymous cheek.)"
    The phrase 'tongue in cheek' is an idiom meaning in (sarcastic or ironic) jest that risks being misunderstood if it is broken up. Could also have been worded,
    "(Note to readers: That last bit is anonymous' tongue-in-cheek.)"

    The real problem is that anonymous wrote a summary as a series of factual sentences --- but then added a sarcastic comment at the end in the same style, so there is no clear cue that it is a sarcastic comment. I figured it out by what was said and empathizing with the writer, but editors strive for clarity, even if they feel the need to interrupt your flow by adding a comment of their own. Try to make the editor's job easier. Try this, anonymous,

    "[...] uploaded to GitHub by a Turkish security researcher. So... obviously, the conclusion is that GitHub is to blame [...]"

    You have two tone-changers that set the sarcasm aside, even bring attention to it. "So..." is a pause-for-irony that cues readers that they are now listening to the author's voice, and italics underscore the tone change. You can also add ", right?" to make sarcasm crystal clear. So... now that fucktard blowhard Hocus is giving style advice, right?

    what do you think will generate more traffic? being a part of the technology community, or garbage that makes people angry?

    What if we're talking about discussion, not website traffic? Isn't that a community? And what if technology itself contains a lot of garbage that makes people angry?

    Like dumbfuck LED indicators on modern tech devices that are supposed to indicate network and disc access, but blink late, on simple blink-on-blink-off timers, extended by capacitors until tiny blips disappear, on by default to add useless 'glow' to your room and dim (slowly) to indicate activity (fuck that shit). Or completely software driven so the indication is late or bogus. Like my AT&T Uverse modem which is the stupidest modem in the world with indicators as useless as CSS 'Loading...' animation on web pages, noise and fury signifying nothing. The modem can completely lock up while the front panel still shows the useless thumb-sucking blinky-state the software left it in. Like no one wants to lay down a single PCB trace from controller chip to LED anymore, it's too... fucking... difficult.

    That's garbage. And Slashdot is the place to discuss it.

    --
    <blink>down the rabbit hole</blink>
  7. Re:Note to readers: That last bit is tongue in che by phishybongwaters · · Score: 2

    I feel sad you needed to take the time to craft that post. But I do hope a lot of people read it.

  8. Re:Rules by geekmux · · Score: 2

    The first rule of getting infected by ransomware is you do not fund the criminals. The second rule of getting infected by ransomware is YOU DO NOT FUND THE CRIMINALS.

    The FIRST rule of ransomware is understanding that you own a computing device capable of connecting to the internet. Therefore, you should fucking know what the word backup means.

    Failure of that basic rule will ensure that you will be forced to make hard decisions about funding criminals when no one should be forced to even question that in the first place.

  9. Re:Well Duh Max OS is Based on Linux by Anonymous Coward · · Score: 3, Funny

    No, he meant the doctor. Have you tried to look through his family tree? It's impossible, you can't find anything, it's almost as if he's a fictional character.

  10. Re:Well Duh Max OS is Based on Linux by imboboage0 · · Score: 2

    https://xkcd.com/1589/

    Problem solved.

    --
    Honesty may be the best policy, but by process of elimination, dishonesty is the second best policy.