Welcome to SGCyberSecurity forum!

Feel free to discuss any topics relating to cybersecurity with the rest of the security community in this forum.

Files compromised by ransomware Trojan for OS X can be decrypted by Doctor Web

55 years 1 week ago #1676 by o_paulsng33

Seems like good news for those who kena this ransomware. But on a side note, I wonder why Doctor Web can provide the remedy?


8 years 1 month ago #1663 by o_icemanssl22

March 11, 2016

At the beginning of March, numerous mass media, websites, and blogs announced the emergence of the first ever ransomware for Mac computers. Doctor Web specialists examined this malicious program, which was named <a href="vms.drweb.com/search/?q=Mac.Trojan.KeRanger.2">Mac.Trojan.KeRanger.2</a>, and they have developed a method that can help to decrypt files affected by this Trojan.

<a href="vms.drweb.com/search/?q=Mac.Trojan.KeRanger.2">Mac.Trojan.KeRanger.2</a> was first detected in a compromised version of the installer for a popular OS X torrent client that was distributed as a DMG file. The malicious application was signed with a valid Mac app development certificate. Thus, this program successfully bypassed Apple's Gatekeeper protection.

Once <a href="vms.drweb.com/search/?q=Mac.Trojan.KeRanger.2">Mac.Trojan.KeRanger.2</a> is installed on the infected computer, it waits for three days before connecting to the C&amp;C server over the TOR network. Then it starts the encryption procedure. First, the Trojan encrypts all files that it can access with the help of either user or root privileges. <a href="vms.drweb.com/search/?q=Mac.Trojan.KeRanger.2">Mac.Trojan.KeRanger.2</a> then tries to encrypt the contents of the /Volumes logical partition, that is, files stored on a hard drive and on mounted logical partitions. In that case, files are encrypted according to the Trojan's certain list that contains 313 different file types including text files and images. The Trojan downloads an encryption key and a file with cybercriminals' demands from the server. This ransomware program can be recognized by the fact that it appends all encrypted files with the ".encrypted" extension and plants the "README_FOR_DECRYPT.txt" file into all directories.

Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware.

If you have fallen victim to <a href="vms.drweb.com/search/?q=Mac.Trojan.KeRanger.2">Mac.Trojan.KeRanger.2</a>, follow the guidance below:

Notify the police.

Do not, under any circumstances, attempt to change the contents of directories with encrypted files.

Do not delete any files from the computer.

Do not try to restore the encrypted data by yourself.

Contact <a href="support.drweb.com/new/free_unlocker/?key..._decode=1&lng=en">Doctor Web technical support</a> (free decryption service is only available to users who have purchased commercial licenses for Dr.Web products).

Attach a file encrypted by the Trojan to the request ticket.

Wait for a response from technical support. Due to a large number of requests, it may take some time.

Once again, we would like to point out that free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. For information on how to submit a decryption request, please follow this <a href="legal.drweb.com/encoder/?lng=en">link</a>. Doctor Web cannot guarantee that all your files will be decrypted successfully. However, our specialists will do their best to recover the encrypted data.

news.drweb.com/show/?i=9877&c=5&lng=en&p=0
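As an added example (not part of the Doctor Web article or of any Dr.Web tool), the two file-system indicators the write-up names, the ".encrypted" suffix and the dropped "README_FOR_DECRYPT.txt" note, are enough for a read-only triage pass that maps which directories were hit and which original file types were affected, without altering anything in those directories. The sample tree it builds is constructed for the demonstration and is not real malware output.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the write-up above.
ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE = "README_FOR_DECRYPT.txt"


def triage_keranger(root):
    """Walk `root` read-only and report every directory carrying either
    indicator. Files are only listed by name: nothing is opened, renamed,
    moved or deleted, matching the advice to leave affected directories
    untouched while waiting for a decryption attempt."""
    report = {"encrypted_files": [], "ransom_notes": [],
              "affected_dirs": set(), "original_types": Counter()}
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        d = Path(dirpath)
        for name in filenames:
            if name == RANSOM_NOTE:
                report["ransom_notes"].append(str(d / name))
                report["affected_dirs"].add(str(d))
            elif name.endswith(ENCRYPTED_SUFFIX):
                report["encrypted_files"].append(str(d / name))
                report["affected_dirs"].add(str(d))
                # Extension of the original file, e.g. ".docx" from "x.docx.encrypted"
                original = Path(name[: -len(ENCRYPTED_SUFFIX)]).suffix or "(none)"
                report["original_types"][original] += 1
    report["affected_dirs"] = sorted(report["affected_dirs"])
    return report


def build_sample_tree(base):
    """Create a constructed layout (hypothetical, not real malware output)
    so the triage function can be exercised offline."""
    base = Path(base)
    for sub, files in {"Documents": ["thesis.docx", "notes.txt"],
                       "Pictures": ["holiday.jpg"]}.items():
        (base / sub).mkdir(parents=True, exist_ok=True)
        for f in files:
            (base / sub / (f + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
        (base / sub / RANSOM_NOTE).write_text("constructed note\n")
    (base / "untouched.txt").write_text("plain file\n")  # must not be reported
    return base


def demo_report():
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_keranger(build_sample_tree(tmp))
```

Running `demo_report()` on the constructed tree reports three encrypted files and two ransom notes across two directories; on a real machine point `triage_keranger` at the home directory or a mounted volume under /Volumes.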
