KeRanger ransomware attacks Mac users

Anthony Caruana
7 March, 2016
View more articles fromthe author

Many Mac users tend to feel comfortable that the security threats Windows users face aren’t a part of their everyday experience. But, according to a report from Palo Alto Networks, a major enterprise security company, that may be about to change.

It has identified a form of ransomware, called KeRanger, that can affect Mac users.

What is ransomware?

Ransomware is software that encrypts the contents of your computer. The only way to recover access to your data is to either pay the malware distributor a ransom, usually using Bitcoin so the funds are untraceable, or by recovering your data from the last known good backup.

How do I get infected by ransomware?

Typically, ransomware is introduced to a computer through the actions of a user who inadvertently downloads and installs the malware. This can happen by opening an infected file attachment or being fooled or coerced into installing the software.

How does KeRanger get on your Mac?

The malware developers who are distributing KeRanger managed to infect the popular BitTorrent client, Transmission, late last week. (Note: I’m not linking to the Transmission site in this story, so no one goes there from here and downloads the infected program.)

Anyone who downloaded and installed Transmission late last week is likely to have installed the ransomware, putting their data at risk.

There’s no word yet on how the attackers were able to breach the security of Transmission’s developers and insert their malicious payload onto the Transmission download site.

What does KeRanger do?

It’s important to note KeRanger takes about three days from the time of infection until it detonates and encrypts your files.

It starts by encrypting particular data files before asking users to pay a one bitcoin ransom. This is worth around $500 (US$400)

Also, it’s understood KeRanger also attempts to encrypt Time Machine backups.

The developers of KeRanger managed to use a valid Mac app development certificate. Unlike many applications from third parties, this allowed the tainted versions of Transmission to bypass Apple’s Gatekeeper protection.

What’s next?

Apple has revoked the certificate used to install the tainted version of Transmission so, if you download a tainted version of Transmission, you won’t be able to install it unless you’ve either disabled Gatekeeper’s protection or choose to bypass it.

If you think you’ve downloaded and installed the infected version of Transmission, Palo Alto Research recommends that you

  1. Use Terminal or Finder to look for either /Applications/ General.rtf or /Volumes/Transmission/ General.rtf exist. If one of these exists, the Transmission application is infected should be deleted.
  2. Using ‘Activity Monitor’ to check if a process named ‘kernel_service’ is running. If it is, double click the process, choose the ‘Open Files and Ports’ and check whether there is a file name like ‘/Users/<username>/Library/kernel_service’. This is KeRanger’s main process. Terminate it with ‘Quit -> Force Quit’.
  3. Check whether the files ‘.kernel_pid’, ‘.kernel_time’, ‘.kernel_complete’ or ‘kernel_service’ exist in ~/Library directory. If so, you should delete them.

A final word

It’s hard to not get a little preachy here. BitTorrent clients are mainly used to access content that is not available through official means or in order to avoid paying for content distributed through legitimate channels.

While it was the BitTorrent client that was infected – and this is a timely reminder that even software developers can be breached– illegally distributed media and software is an easy mark for malware distributors.

KeRanger could, potentially, be injected into almost any file for distribution.

Chances are, it is now freely available to any cybercriminal who wants to make a few bucks.

Cybercrime is an industry and has a marketplace where malicious software is traded and sold. That means it could pop up almost anywhere from now on.


2 people were compelled to have their say. We encourage you to do the same..

  1. Jorg says:

    A question out of curiosity: If I have a network monitoring tool like Little Snitch installed, would I be alerted to attempts by KeRanger to coo next to a remote Tor server?

  2. Macworld Australia Staff says:

    Quite possibly – I haven’t tried that but it is possible you could see traffic from KeRanger to an unexpected destination.

Leave a Comment

Please keep your comments friendly on the topic.

Contact us