How to remove the Mac KeRanger ransomware

Ransomware is a growing problem, with businesses and individuals increasingly having their data encrypted and held to ransom. As with so many forms of malware, Windows users have borne the brunt of attacks, but over the weekend it was Mac owners who were targeted by the KeRanger ransomware.

The malicious software first appeared on Friday and is said to be the first fully-functional example of ransomware aimed at Macs. KeRanger was found bundled inside the Transmission BitTorrent client's installer, and while Apple has revoked the abused developer certificate so that Gatekeeper now blocks the infected installer, if you have already installed Transmission 2.90 there are steps you need to take to clean up your system.

As with other examples of ransomware, KeRanger encrypts files on infected systems and demands a ransom be paid to decrypt them - in this instance the ransom was one bitcoin. KeRanger was able to get past Apple's Gatekeeper because it was signed with a valid Mac app development certificate, so Gatekeeper treated it as trusted software. Palo Alto Networks explains how it works:

If a user installs the infected apps, an embedded executable file is run on the system. KeRanger then waits for three days before connecting with command and control (C2) servers over the Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the system. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to a specific address to retrieve their files. Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.

While Apple has taken steps to prevent further infections, this will do nothing to protect systems that have already been hit with the malware. Security experts at Palo Alto Networks suggest the following steps for removing KeRanger:

  • Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
  • Using Activity Monitor preinstalled in OS X, check whether any process named "kernel_service" is running. If so, double check the process, choose the "Open Files and Ports" and check whether there is a file name like "/Users/<username>/Library/kernel_service". If so, the process is KeRanger's main process. We suggest terminating it with "Quit -> Force Quit".
  • After these steps, we also recommend users check whether the files ".kernel_pid", ".kernel_time", ".kernel_complete" or "kernel_service" exist in the ~/Library directory. If so, you should delete them.
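The three steps above can be run from Terminal as a script. The following is an added example written for this article; it is not Palo Alto Networks' or Apple's tooling. It checks the same indicators the steps list (the General.rtf resource in the Transmission bundle, a running kernel_service process, and the hidden kernel_* files in ~/Library) and optionally removes them. It assumes the pgrep and pkill commands shipped with OS X; the KERANGER_APPS and KERANGER_LIBRARY variables are this example's own override knobs so the checks can be pointed at a test directory.

```shell
#!/bin/sh
# Added example: scan for and remove the KeRanger indicators described by
# Palo Alto Networks. Not the original vendor tooling. Usage:
#   sh keranger_check.sh scan     # report indicators, exit 0 if any found
#   sh keranger_check.sh clean    # kill the process and delete the files

# Transmission bundles to inspect; KERANGER_APPS/KERANGER_LIBRARY are
# assumptions of this example so the checks can target a test tree.
KERANGER_APPS=${KERANGER_APPS:-"/Applications/Transmission.app /Volumes/Transmission/Transmission.app"}
KERANGER_LIBRARY=${KERANGER_LIBRARY:-"$HOME/Library"}

# Step 1: an infected bundle carries Contents/Resources/General.rtf.
# Returns 0 (shell "true") when the bundle is infected.
keranger_app_infected() {
    [ -f "$1/Contents/Resources/General.rtf" ]
}

# Step 2: the dropped process is named kernel_service. pgrep -x matches the
# exact name; Activity Monitor's "Open Files and Ports" view is lsof -p <pid>.
keranger_process_running() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x kernel_service >/dev/null 2>&1
}

# Step 3: print the indicator files present in the given Library directory,
# one per line, and return 0 if any exist.
keranger_library_indicators() {
    lib=$1
    found=1
    for name in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$lib/$name" ]; then
            echo "$lib/$name"
            found=0
        fi
    done
    return $found
}

# Run all three checks; return 0 if anything KeRanger-related was found.
keranger_scan() {
    rc=1
    for app in $KERANGER_APPS; do
        if keranger_app_infected "$app"; then
            echo "INFECTED: $app (General.rtf present)"
            rc=0
        fi
    done
    if keranger_process_running; then
        echo "RUNNING: kernel_service process"
        rc=0
    fi
    if keranger_library_indicators "$KERANGER_LIBRARY"; then
        rc=0
    fi
    if [ $rc -eq 0 ]; then
        echo "KeRanger indicators found"
    else
        echo "no KeRanger indicators found"
    fi
    return $rc
}

# Force-quit the process, delete infected bundles, delete the ~/Library files.
# A bundle under /Volumes is on a mounted disk image; eject the image instead
# if rm fails there because the volume is read-only.
keranger_clean() {
    if keranger_process_running; then
        pkill -x kernel_service
    fi
    for app in $KERANGER_APPS; do
        if keranger_app_infected "$app"; then
            rm -rf "$app"
        fi
    done
    keranger_library_indicators "$KERANGER_LIBRARY" | while read -r f; do
        rm -f "$f"
    done
}

case "${1:-}" in
    scan)  keranger_scan ;;
    clean) keranger_clean ;;
    *)     echo "usage: $0 scan|clean" ;;
esac
```

Run `sh keranger_check.sh scan` first and read the report before running `clean`; the scan's exit status is 0 when an indicator was found, which makes it easy to loop over a fleet with ssh. Deleting the indicator files stops the malware from running again, but it does not decrypt anything that was already encrypted, so files must still be restored from a backup that the machine could not reach.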

Alternatively, you can install Transmission 2.92, which should automatically remove KeRanger.

Photo credit: Ton Snoei / Shutterstock