According to researchers at anti-malware firm Bitdefender, the KeRanger ransomware smuggled into the Transmission BitTorrent client earlier this week is a near-verbatim port of an existing Linux trojan, Linux.Encoder. Apart from additions specific to getting past OS X's security controls, the code was barely modified: it uses virtually the same routines and even the same internal filenames.
Linux.Encoder hit the headlines in November last year as the first ransomware targeting Linux, and allegedly held several hundred web servers to ransom. Bitdefender was able to reverse-engineer its encryption and release a decryptor, denying the developers their payday. They managed this by locating an older version of the malware whose bugs exposed the encryption key.
That hints at what might have happened had KeRanger not been spotted by Palo Alto Networks or Apple and had it actually triggered on the 6,500 Macs the trojanised Transmission update was installed on: Bitdefender might have been able to work out the encryption and, as with Linux.Encoder, release a free tool that removed any need to pay the ransom.
Bitdefender speculates that the hacker team behind KeRanger may be the same as that behind Linux.Encoder. Alternatively, the Linux.Encoder team may have sold their code to those behind KeRanger.