KeRanger Ransomware - How to remove

KeRanger Ransomware

KeRanger Ransomware is a newly detected infection that attacks Mac users running OS X. It is the first fully functional ransomware to affect the OS X platform. The program infiltrates computers through infected apps. Once inside, KeRanger Ransomware waits for 3 days and then connects to command and control (C2) servers over the Tor network. Then it starts locking certain types of files on your system. Once it's done, the application displays a warning on the infected system, demanding a payment of 1 Bitcoin, which is around $400, if the user wants to get their files back. Here is what the message looks like:

Your computer has been locked and all your files has been encrypted with 2048-bit RSA encryption.
Instruction for decrypt:

1. Go to http://fiwf4kwysm44dpw5l.onion.to ( IF NOT WORKING JUST DOWNLOAD TOR BROWSER AND OPEN THIS LINK: http://fiwf4kwysm44dpw5l.onion.to
2. Use ****** as your ID for authentication
3. Pay 1 BTC (~407.47$) for decryption pack using bitcoins (wallet is your ID for authentication)
4. Download decrypt pack and run.

–→ Also at http://fiwf4kwysm44dpw5l.onion.to you can decrypt 1 files for FREE to make sure decryption is working.

Also we have ticket system inside, so if you have any questions – you are welcome.
We will answer only if you are able to pay and you have serious question.

IMPORTANT: WE ARE ACCEPT ONLY(!!) BITCOINS
HOW TO BUY BITCOINS:
http://localbitcoins.com/guides/how-to-buy-bitcoins
http://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)

We do not recommend following these instructions: there is no guarantee that KeRanger Ransomware will provide a legitimate decryption key. It is better to try recovering your files from a backup, if you have one. The bad news is that KeRanger is still under development, and it tries to prevent victims from recovering their backed-up data by attempting to encrypt Time Machine backup files too. So soon you may not even be able to recover your files from a backup.

The issue was reported to Apple and the Transmission Project on March 4. Since then, Apple has updated its XProtect antivirus signatures, while the Transmission Project has removed the malicious installers from its website.

Update: the decrypter is now available here: link. You can download it for free and successfully decrypt your files.

Manual removal
