KeRanger: The First Mac Ransomware in the Wild Discovered

Palo Alto Networks Discovers Ransomware Targeting Macs

Computer motherboard locked up with chain
Harry Kikstra | Getting Images

Last Friday (March 4, 2016), Palo Alto Networks, a well-known security firm, posted its discovery of KeRanger ransomware infecting Transmission, the popular Mac BitTorrent client. The actual malware was found within the installer for Transmission version 2.90.

The Transmission website quickly took down the infected installer and is urging anyone using Transmission 2.90 to update to version 2.92, which has been verified by Transmission to be free of KeRanger.

Transmission hasn't discussed how the infected installer was able to be hosted on their website, nor has Palo Alto Networks been able to determine how the Transmission site was compromised.

KeRanger Ransomware

The KeRanger ransomware works as most ransomware does, by encrypting files on your Mac, and then demanding payment; in this case, in the form of a bitcoin (currently valued around $400) to provide you with the encryption key to recover your files.

The KeRanger ransomware is installed by the compromised Transmission installer. The installer makes use of a valid Mac app developer certificate, allowing the installation of the ransomware to fly past OS X’s Gatekeeper technology, which prevents the installation of malware on the Mac.

Once installed, KeRanger sets up communication with a remote server on the Tor network. It then goes to sleep for three days. Once it awakens, KeRanger receives the encryption key from the remote server and proceeds to encrypt files on the infected Mac.

The files encrypted include those in the /Users folder, which results in most user files on the infected Mac becoming encrypted and not usable. In addition, Palo Alto Networks reports that the /Volumes folder, which contains the mount point for all attached storage devices, both local and on your network, is also a target.

At this time, there's mixed information regarding Time Machine backups being encrypted by KeRanger, but if the /Volumes folder is targeted, I see no reason why a Time Machine drive wouldn't be encrypted. My guess is that KeRanger is such a new piece of ransomware that the mixed reports about Time Machine are simply a bug in the ransomware code; sometimes it works, and sometimes it doesn’t.

Apple Reacts

Palo Alto Networks reported the KeRanger ransomware to both Apple and Transmission. Both reacted swiftly; Apple revoked the Mac app developer certificate used by the app, thus allowing Gatekeeper to stop further installations of the current version of KeRanger. Apple also updated XProject signatures, allowing the OS X malware prevention system to recognize KeRanger and prevent installation, even if GateKeeper is disabled, or is configured for a low-security setting.

Transmission removed Transmission 2.90 from their website and quickly reissued a clean version of Transmission, with a version number of 2.92. We can also assume they're looking into how their website was compromised, and taking measures to prevent it from happening again.

How to Remove KeRanger

Remember, downloading and installing the infected version of the Transmission app is currently the only way to acquire KeRanger.

If you don’t use Transmission, you currently don't need to worry about KeRanger.

As long as KeRanger hasn't encrypted your Mac's files yet, you have time to remove the app and prevent the encryption from occurring. If your Mac’s files are already encrypted, there's not much you can do except hope your backups haven't been encrypted as well. This points out a very good reason for having a backup drive that isn't always connected to your Mac. As an example, I use Carbon Copy Cloner to make a weekly clone of my Mac’s data. The drive housing that clone isn't mounted on my Mac until it's needed for the cloning process.

If I had run into a ransomware situation, I could have recovered by restoring from the weekly clone. The only penalty for using the weekly clone is having files that could be up to one week out of date, but that's much better than paying some nefarious cretin a ransom.

If you find yourself in the unfortunate situation of KeRanger having already sprung its trap, I know of no way out other than either paying the ransom or reloading OS X and starting over with a clean install.

Remove Transmission

In the Finder, navigate to /Applications.

Find the Transmission app, and then right-click its icon.

From the pop-up menu, select Show Package Contents.

In the Finder window that opens, navigate to /Contents/Resources/.

Look for a file labeled General.rtf.

If the General.rtf file is present, you have an infected version of Transmission installed. If the Transmission app is running, quit the app, drag it to the trash, and then empty the trash.

Remove KeRanger

Launch Activity Monitor, located at /Applications/Utilities.

In Activity Monitor, select the CPU tab.

In Activity Monitor's search field, enter the following:

kernel_service

and then press return.

If the service exists, it will be listed in Activity Monitor’s window.

If present, double-click the process name in Activity Monitor.

In the window that opens, click the Open Files and Ports button.

Make a note of the kernel_service pathname; it will likely be something like:

/users/homefoldername/Library/kernel_service

Select the file, and then click the Quit button.

Repeat the above for the following service names:

kernel_time

kernel_complete

Although you quit the services within Activity Monitor, you also need to delete the files from your Mac. To do so, use the file pathnames you made note of to navigate to the kernel_service, kernel_time, and kernel_complete files. (Note: You may not have all of these files present on your Mac.)

Since the files you need to delete are located in your home folder's Library folder, you'll need to make this special folder visible. You can find instructions for how to do this in the OS X Is Hiding Your Library Folder article.

Once you have access to the Library folder, delete the above-mentioned files by dragging them to the trash, then right-clicking the trash icon, and selecting Empty Trash.

Was this page helpful?