This is what happens when your computer gets infected with ransomware

When attackers lock down your PC to extort you for money, this is what happens.

March 10, 2016

The first ransomware targeting Apple’s Mac computers running OS X recently infected the installer for Transmission, a cross-platform BitTorrent client.

Ransomware is nothing new, with infections reported on Windows machines, Linux servers, and Android smartphones.

Attackers use many methods to get their malicious software onto the devices of unsuspecting users.

These include e-mail trojans that exploit Microsoft Word macros, support scams, and compromising the website of an app like Transmission to replace the legitimate installer with one infected with ransomware.

YouTuber Rogueamp has published numerous videos showing what happens when ransomware takes over your machine.

Step-by-step breakdowns of two of his videos are shown below, beginning with the new KeRanger ransomware for OS X.

KeRanger for OS X

This ransomware infected the installer of Transmission 2.90 for OS X, as reported by Palo Alto Networks.

While updated OS X installations should no longer be vulnerable to KeRanger, Rogueamp’s demonstrations are conducted within a virtual machine. Don’t try this at home.

The infection begins after you install and run Transmission 2.90.

KeRanger install and run Transmission

Transmission 2.90 contains General.rtf, which looks like a document, but is actually KeRanger’s executable.

KeRanger General.rtf payload in package
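The mismatch described above, a file named like a document whose contents are an executable, can be checked for before an application bundle is ever run. The following is an added example, not code from the original article or from Palo Alto Networks; the bundle layout (Example.app/Contents/Resources), the extension list, and the sample files are constructed for illustration.

```python
import os
import tempfile

# Leading bytes that identify native executables.
EXEC_MAGICS = [
    (b"\xfe\xed\xfa\xce", "Mach-O"), (b"\xce\xfa\xed\xfe", "Mach-O"),
    (b"\xfe\xed\xfa\xcf", "Mach-O"), (b"\xcf\xfa\xed\xfe", "Mach-O"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal"),  # also used by Java .class files
    (b"\x7fELF", "ELF"),
    (b"MZ", "PE"),
]
# Extensions a user would expect to hold passive documents or media (assumed list).
DOC_EXTENSIONS = {".rtf", ".txt", ".pdf", ".doc", ".docx", ".jpg", ".png", ".html"}

def classify(header):
    """Return the executable type matching the header bytes, or None."""
    for magic, name in EXEC_MAGICS:
        if header.startswith(magic):
            return name
    return None

def find_disguised_executables(root):
    """Return sorted (relative_path, type) pairs for document-named executables."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in DOC_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    kind = classify(fh.read(4))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if kind:
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)

def build_sample_bundle(root):
    """Create a constructed bundle: one genuine RTF, one Mach-O stub named .rtf."""
    res = os.path.join(root, "Example.app", "Contents", "Resources")
    os.makedirs(res)
    with open(os.path.join(res, "Credits.rtf"), "wb") as fh:
        fh.write(b"{\\rtf1\\ansi Credits}")
    with open(os.path.join(res, "General.rtf"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # 64-bit Mach-O header stub
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, kind in find_disguised_executables(build_sample_bundle(tmp)):
            print(f"{rel}: {kind} content behind a document extension")
```

A hit is a reason to inspect the bundle before launching it, not proof of infection on its own.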

When KeRanger executes, it encrypts all your documents and media files.

KeRanger files encrypted

KeRanger places a notice in each folder where it has encrypted files.

KeRanger readme with details on how and where to pay

It directs you to go to a URL, where you must log in with a key the attackers provide.

KeRanger log into Bitcoin payment system with key provided

You must pay the ransom of 1 Bitcoin (R6,300) to the wallet they specify to get the key you need to decrypt your files.

KeRanger payment page to get decryption key

Locky for Windows

Ransomware like KeRanger and Locky all work on the same principle: encrypt the victim’s files, and extort money from them in the form of Bitcoin.

Unlike KeRanger, Locky was distributed through a malicious Word macro in an e-mail with a fake invoice. Once the victim opens the invoice and enables macros, the macro downloads and runs the ransomware from a server on the Internet.

As before, Rogueamp’s demonstration is conducted within a virtual machine.

After Locky runs, it encrypts all your files and then displays this notice.

Locky ransom note

Locky can encrypt unmapped network shares.

Locky finds and encrypts files in unmapped network shares

As with all ransomware, it directs you to a page where you can pay to get a key to unlock your files.

Locky Decryptor page
