
"It will then sleep for three days. Note that, in a different sample of KeRanger we discovered, the malware also sleeps for three days, but also makes requests to the C2 server every five minutes."

It's fascinating!




Isn't it possible to fire a takedown notice to that server? I mean KeRanger committed a felony and Amazon (assuming you mean Amazon's EC2 server) might react quickly if they realize what has happened. It might save a lot of computers from getting destroyed. As long as the server is somewhere in the Western world, it should not be a problem.


It's a "Command-and-Control" server (C&C or C2).

https://en.wikipedia.org/wiki/Command_and_control_%28malware...

I just learned that too. For me, C&C reminds me of "Command and Conquer" (the game).

https://en.wikipedia.org/wiki/Command_%26_Conquer


Thanks, I just realized it after reading Claud Xiao and Jin Chen's analysis, too. Apparently, this ransomware uses Tor to hide its origin.

Analysis: http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-...


I liked the "We have ticket system." (in the screenshot of "README_TO_DECRYPT.txt").

They ask (only) 1 BTC as a ransom.


And they decrypt one file for free, to prove they can do it. Nice touch.

Screenshots of the web UI:

https://twitter.com/moyix/status/706577507965870080/photo/1


The server isn't on EC2, it's hosted on Tor. The malware uses an HTTP-to-TOR gateway service (onion.nu and onion.link) to pull down the encryption key and README file from one of three different hidden services. In theory you could try to get the gateways to block the connections, but I'm not sure they're likely to be cooperative.
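
Added example, not code from the thread or from the Palo Alto write-up: defender-side log triage in Python that flags clients reaching the onion.nu / onion.link HTTP-to-Tor gateways named above and checks whether a client's gateway hits recur at the five-minute cadence quoted in the first comment. The gateway domains and the five-minute interval come from the thread; the proxy log format, the sample hosts and clients, and the 15-second jitter tolerance are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# HTTP-to-Tor gateway domains named in the comment above; a client reaching
# <hash>.onion.link is talking to a hidden service without running Tor itself.
GATEWAY_SUFFIXES = ("onion.nu", "onion.link")
BEACON_INTERVAL_S = 300   # five-minute check-in cadence quoted from the analysis
TOLERANCE_S = 15          # jitter allowed around that cadence (assumed)

# Constructed proxy log: "timestamp client host". Not real traffic.
SAMPLE_LOG = """\
2016-03-06T09:00:00 10.0.0.5 www.example.com
2016-03-06T09:00:02 10.0.0.7 abcdefghijklmnop.onion.link
2016-03-06T09:05:01 10.0.0.7 abcdefghijklmnop.onion.link
2016-03-06T09:10:03 10.0.0.7 abcdefghijklmnop.onion.link
2016-03-06T09:10:30 10.0.0.9 onion.nu
2016-03-06T09:12:00 10.0.0.5 updates.example.org
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def is_gateway_host(host):
    """True for a gateway domain itself or any name proxied through it."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in GATEWAY_SUFFIXES)

def gateway_requests(log):
    """Map each client that reached a gateway to its sorted request times."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and is_gateway_host(m.group(3)):
            times[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    return {c: sorted(t) for c, t in times.items()}

def periodic_beacons(log, interval=BEACON_INTERVAL_S, tol=TOLERANCE_S):
    """Clients whose gateway hits recur at the beacon cadence (two or more gaps)."""
    flagged = []
    for client, ts in gateway_requests(log).items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 2 and all(abs(g - interval) <= tol for g in gaps):
            flagged.append(client)
    return sorted(flagged)

if __name__ == "__main__":
    print("gateway clients:", sorted(gateway_requests(SAMPLE_LOG)))
    print("periodic beacons:", periodic_beacons(SAMPLE_LOG))
```

One-off gateway hits (like 10.0.0.9 here) are still worth a look, since the key fetch described above happens once; the cadence check only separates steady check-ins from a single request.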


Amazon's abuse team might help, but the DMCA would not be relevant unless you can show copyright infringement in this.



