How to Remove KeRanger Ransomware from Your Mac

Some users might be able to remove KeRanger before it starts its encryption process and locks up all their files. Yesterday, the first ever fully functional ransomware family targeting Mac computers came to light, infecting users via a tainted version of the Transmission BitTorrent client for Mac.

The infection was possible because the crooks behind this ransomware hacked the Transmission project’s website and replaced the legitimate Mac client with one that also contained the KeRanger ransomware.

The crooks did try to hide their tracks and configured the ransomware to start its encryption process three days after the Transmission client was installed.

Palo Alto Networks, the security vendor that discovered the ransomware, says the Transmission website delivered a malicious Transmission client between 11:00 AM PST, March 4, 2016 and before 7:00 PM PST, March 5, 2016.

This means that most people can still remove the ransomware before it goes into its encryption stage and locks up their files. If you recently downloaded Transmission for Mac, version 2.90, you should take the following steps, as detailed by Palo Alto’s staff.

Scanning and removing the ransomware

Step 1: Search your drive for the following files (you can use the Terminal or the Finder app): /Applications/ General.rtf or /Volumes/Transmission/ General.rtf.

If either of these files shows up in your search results, it means that you installed an infected version of the Transmission client, and you should delete this version of Transmission as soon as possible.

Step 2: Use the OS X Activity Monitor to check if you have a process running called “kernel_service.” If you do, don’t panic: other apps might also start a process with this name.

To make sure, double-click the process and choose the “Open Files and Ports” tab in the window that appears. If there’s a file named “/Users//Library/kernel_service”, as in the picture below, then KeRanger is active and running on your system. Select “Quit -> Force Quit” to stop the process.

The malicious “kernel_service” process

Step 3: Users should also check the ~/Library directory for the following files (and delete them): .kernel_pid, .kernel_time, .kernel_complete or kernel_service.
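Steps 1 to 3 as a shell script for the Terminal, added here as an example; it is not part of the article or of Palo Alto’s guidance, and the function names and output format are my own. It only reports the indicators it finds and leaves deletion to the user, and the file check accepts the directories to inspect as arguments so it can be run against a test tree.

```sh
#!/bin/sh
# Added example: a scripted version of Steps 1-3 from the article. It only
# reports the indicators it finds; removal is left to the user.

# report_if_present PATH: prints a line if PATH exists; returns 0 on a hit.
report_if_present() {
    [ -e "$1" ] || return 1
    echo "indicator present: $1"
}

# check_keranger_files HOME_DIR APP_DIR...
# Step 1 and Step 3: looks for " General.rtf" under each APP_DIR (the leading
# space is part of the file name) and for the kernel_* files under
# HOME_DIR/Library. Returns 0 only if nothing was found.
check_keranger_files() {
    home_dir="$1"
    shift
    hits=0
    for f in "$home_dir/Library/kernel_service" \
             "$home_dir/Library/.kernel_pid" \
             "$home_dir/Library/.kernel_time" \
             "$home_dir/Library/.kernel_complete"; do
        report_if_present "$f" && hits=$((hits + 1))
    done
    for d in "$@"; do
        report_if_present "$d/ General.rtf" && hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# check_keranger_process
# Step 2: a running kernel_service process. Other apps can use this name, so a
# hit is a prompt to inspect its open files in Activity Monitor, not proof.
check_keranger_process() {
    if pgrep -x kernel_service >/dev/null 2>&1; then
        echo "process running: kernel_service (check its open files)"
        return 1
    fi
    return 0
}

# keranger_scan: run every check against the real locations on a Mac.
# Usage: . ./keranger_check.sh && keranger_scan
keranger_scan() {
    status=0
    check_keranger_files "$HOME" /Applications /Volumes/Transmission || status=1
    check_keranger_process || status=1
    [ "$status" -eq 0 ] && echo "no KeRanger indicators found"
    return "$status"
}
```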

Users that had their files encrypted

Unfortunately, if you weren’t lucky enough to catch KeRanger before it executes, the ransomware will encrypt all your files with a strong encryption algorithm. This algorithm can’t be cracked.

Users that have backups of their data should go through the steps mentioned above, to remove the ransomware, and then they should restore their Mac’s files from an older backup.

If you don’t have backups, then currently your only option is to pay the ransom. The good thing is that Apple has already taken the necessary steps to keep this threat from infecting new users, by revoking the developer certificate that was used to bypass Gatekeeper, and by adding the ransomware’s signature to XProtect, Mac’s built-in anti-malware toolkit.

Users that attempt to run the infected Transmission Mac client v2.90 should see a visible warning that advises them to abort the operation.

You can also use Malwarebytes Anti-malware to scan your system for OSX.Ransomware.Keranger.

OSX.Ransomware.Keranger infection as detected by Malwarebytes