KeRanger virus is a new type of Mac OS X (Apple) ransomware discovered in March 2015. The KeRanger virus is known to be the first real Mac ransomware that can encrypt personal files on a computer it infects and hold them for ransom.
The KeRanger virus was first spotted in compromised versions of the Transmission app (a BitTorrent client). According to a source the infected Transmission app was distributed from the official Transmission website; However, the app was distributed with a different code signature than the normal one which was previously used to sign or certify the Transmission app. This suggests that the Transmission app had been tampered and compromised by a third-party attacker.
The copy of the Transmission app that was compromised includes a deceptive executable file named General.rtf. The General.rtf file pretends to be a rich-text file (rtf) but is actually a Mach-O format executable file packed with UPX 3.91. Once the Transmission app starts, the General.rtf file is copied to another file named kernel_service, which can be located in the user Library folder. By default, this folder is set to hidden on recent Mac OS X versions.
The kernel_service process will run in the background and it will produce additional files named .kernel_pid and .kernel_time in the hidden user Library folder. One of the files contains a time-stamp, which is used by KeRanger ransomware to identify when 3 days have succeeded.
Once 3 days have gone by, the KeRanger virus will encrypt files on a Mac computer. KeRanger ransomware will encrypt everything in the /Users folder and other files that append a common document extension, rush as rt.f, and so on. It will also encrypt files found in the /Volumes folder which might affect files connected to a Mac computer by an external hard drive, server, or other storage device. This means that backups (including Time Machine backups stored on a Time Capsule) of the computer may become encrypted by the virus.
When files have been encrypted by the KeRanger virus the ransomware will leave multiple files named “README_FOR_DECRYPT.txt” in each folder it encrypts. This file contains a note and instructions on how to pay a ransom in order to obtain a decryption key to decrypt files.
Apple has added detection of this malware to XProtect and terminated the developer certificate used to sign the compromised version of the Transmission app. This is a good thing and it means that new infections will not be able to spread without an update from the malware authors.
If you have recently downloaded the Transmission app for your Mac device from the official website after 11:00am PST, March 4, 2016 and before 7:00pm PST, March 5, 2016, your Mac might be been infected with the KeRanger virus.
KeRanger Virus (Removal Instructions)
These steps will help you locate and remove KeRanger files from your Mac computer.
- Start your Mac computer and open Terminal or Finder. Search for these files in these paths and uninstall Transmission app if found: /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf exist.
- Using the “Activity Monitor” preinstalled in Mac operating systems look to see if a process named “kernel_service” is running. If you can locate the process, double check the process, select “Open Files and Ports” and check whether there is a file name similar to “/Users/<username>/Library/kernel_service.” If you find this file terminate it with “Quit -> Force Quit”. This is the main file for the ransomware.
- You should also check to see if any of these files are found on your Mac: “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in ~/Library directory. If you find them, delete them.
It is important to protect your machine against future threats. A great program that can detect and remove KeRanger ransomware from your computer is Malwarebytes Anti-malware for Mac.