Security researchers revealed that the newly discovered KeRanger Mac ransomware is actually a rewrite of the ransomware variant that has been plaguing Linux servers for the past five months.
After a detailed analysis of KeRanger, the malware experts found an interesting tidbit: many of its functions bore names matching ones they had seen before, in the Linux.Encoder Linux ransomware.
Linux.Encoder is a ransomware family discovered by a Russian antivirus company in November 2015. It targeted only Linux machines and encrypted files specific to web servers and source code repositories.
Linux.Encoder was based on Hidden Tear, an open-source ransomware project that Turkish security researcher Utku Sen had published on GitHub.
Given that Bitdefender was the first security company to crack Linux.Encoder's encryption, and that it has a history of publicly shaming the ransomware's coders, its opinion carries more weight than that of the overnight Mac ransomware specialists.
“The encryption functions are identical and have the same names: encrypt_file, recursive_task, currentTimestamp and createDaemon to only mention a few. The encryption routine is identical to the one employed in Linux.Encoder,” chief security strategist Catalin Cosoi explained.
Senior E-Threat Analyst Bogdan Botezatu suggests two scenarios for how this might have happened: either the Linux.Encoder developer expanded the code to support Mac on his own, or he licensed the code to another cybercrime group specializing in Mac OS X systems. The researchers also say that KeRanger is very similar to Linux.Encoder.4, ported to Mac architectures.
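The function-name overlap Bitdefender describes is something an analyst can check during triage by comparing the defined symbols of two samples. The following is an added example, not Bitdefender's tooling: it parses two constructed nm-style symbol dumps (the four shared names are the ones cited above; every other symbol is a made-up filler, not from a real binary) and scores how much of the defined function set the samples have in common.

```python
import re

# Constructed nm-style symbol dumps standing in for the two samples.
# The four shared routine names are those cited by Bitdefender; every other
# symbol here is filler invented for this example, not from a real binary.
LINUX_ENCODER_NM = """\
0000000000401a20 T encrypt_file
0000000000401c40 T recursive_task
0000000000401e10 T currentTimestamp
0000000000402000 T createDaemon
0000000000402210 T parse_cli_args
                 U fopen
                 U RSA_public_encrypt
"""

KERANGER_NM = """\
0000000100001b30 T _encrypt_file
0000000100001d50 T _recursive_task
0000000100001f20 T _currentTimestamp
0000000100002110 T _createDaemon
0000000100002320 T _startup_delay
                 U _fopen
                 U _RSA_public_encrypt
"""

# address (optional for undefined symbols), one-letter type, symbol name
SYMBOL_RE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)$")


def defined_functions(nm_output: str) -> set[str]:
    """Return the defined text-section symbols ('T'/'t'). The leading
    underscore Mach-O adds to C symbols is stripped so both platforms compare."""
    names = set()
    for line in nm_output.splitlines():
        m = SYMBOL_RE.match(line)
        if m and m.group(1) in "Tt":
            names.add(m.group(2).lstrip("_"))
    return names


def symbol_overlap(nm_a: str, nm_b: str) -> tuple[set[str], float]:
    """Shared defined function names and their Jaccard similarity."""
    a, b = defined_functions(nm_a), defined_functions(nm_b)
    shared = a & b
    return shared, (len(shared) / len(a | b) if a | b else 0.0)


def likely_shared_lineage(nm_a: str, nm_b: str, threshold: float = 0.5) -> bool:
    """Flag probable code reuse when enough distinctive function names coincide.
    This is a triage heuristic that prompts a deeper look, not proof by itself."""
    return symbol_overlap(nm_a, nm_b)[1] >= threshold
```

Imported library symbols (the `U` lines) are deliberately ignored, since two unrelated programs calling `fopen` says nothing about lineage; only author-chosen function names carry signal.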
Linux.Encoder.4 appeared at the beginning of this year, after Linux.Encoder.3 failed miserably, and has continued to wreak havoc among website owners.
Currently, no decryption tool for Linux.Encoder.4 has been created.