KeRanger Ransomware Installed by Transmission (Removal)

The encrypted files may not be the only damage done to you. parasite may still be hiding on your PC. To determine whether you've been infected with ransomware, we recommend downloading SpyHunter.

Download SpyHunter Anti-Malware

More information on SpyHunter, steps to uninstallEULAThreat Assessment Criteria, and Privacy Policy.

This page aims to help remove the KeRanger ransomware who were infected from the Transmission torrent . These KeRanger removal instructions work for all devices that operate under OS X. This ransomware was first spotted hidden inside the installed of a download client Transmission 2.90.

For years now ransomware viruses have been the bane of the PC industry, while Apple’s operating system has kept under the radar. No more. As of 04.03.2016 the first ransomware for OS X has been released and given the codename KeRanger by the people who first encountered it. Mac users will find themselves in unfamiliar waters when it comes to dealing with ransomware viruses, so we have written this article to help people remove the KeRanger ransomware from their machines.

Infection method – Is my device in danger?

Currently the only confirmed installation method used by this ransomware is through the installer of a OS X based torrent software known as Transmission, but it is also quite possible that this ransomware has been hidden in other applications, so we urge our readers to be careful when downloading obscure software on their devices.

On 11:00am PST, March 4, 2016 the downloadable installer for Transmission v.2.90 was replaced by a modified copy that can carry the ransomware past Xprotect. This was possible, because the modified executable was actually signed with an Apple approved certificate. This certificate was originally issued to a Turkish company with ID Z7276PX673. Whether this company was responsible for the creation of the ransomware or had the certificate stolen from them is currently unknown. What we know is that security experts analyzed he certificate information they discovered that the certificate was created and digitally signed earlier on the same day.

The infected installer was taken down on 7:00pm PST, March 5, 2016 and its certificate was revoked. XProtect signatures have also been updated by Apple for all devices running the Mac OS. If you are to encounter a file infected by the same virus your system will immediately notify you of the danger.

  • Currently the people in the biggest danger are those who downloaded the modified executable from Transmission’s official download page between 11:00am PST, March 4, 2016 and 7:00pm PST, March 5, 2016. If you are one of those people, then your device is definitely at risk. Otherwise please keep your OS X updated and don’t overlook any warnings that it may issue!

Your device is at risk – now what?

Our first immediate advice is to turn off any form of Wireless or Cable internet access to your device. Use another device for which you are sure that it is safe to read this guide and other information. The reason behind this is hidden in KeRanger’s method of operation.

When KeRanger is installed on a device it will immediately create three files in the kernel Library directory. One of these files is a timestamp that will make a note for the current time and start a three days countdown period. Another of the file is responsible for the virus connecting to a remote host on the Tor network. This file contains code that will attempt to connect the host at regular intervals – usually five minutes and for some versions of the ransomware this can begin even before the 3 day countdown period!

KeRanger’s link to the C2 server is actually the trigger that will release this ransomware bomb into the system. The ransomware will download two lines of coded data, which contain the public key that will be used for the encryption, as well as the data needed to render the ransom demand afterwards. KeRanger will not start encrypting your device without that data and this is the reason why you want to deny it access to the internet.

Decrypting files already encrypted by KeRanger is impossible on any apple – currently no working method exist for that. It is much better to catch the ransomware before it can encrypt your files. If your files are already encrypted then your options are to either use a backup copy (if you have) or pay over 400$ in ransom in the form untraceable bit coins.

The worst is yet to come

Having ransomware that can target Mac OS is shocking news on its own, but security researchers have uncovered even more troubling information by poking at the virus code. There are two new functions under development and thankfully they have not been completed yet. Judging from the bits of code and the name of these functions they will be responsible for blocking the restoration of any files from backup. Should that happen all encrypted files will be at the hacker’s mercy and they may even start extorting people for even more money!

How to defend your OS X against KeRanger and other nasty malware

The one and only most important step is to keep your OS updated to the latest version at all times. Also, no security warnings should be ever ignored – they are there for a reason. If you believe that your device may have been exposed to the KeRanger ransomware (because you recently downloaded Transmission or other infected programs), then please proceed forward to our removal guide. We’ll help you to the best of our ability to locate all files that may be connected to the ransomware and delete them before they can do you any harm.


Name KeRanger
Type Ransomware
Danger Level High (This is the first fully functional ransomware for OS X and file recovery is impossible without backup)
Symptoms The ransomware will remain hidden for around 3 days when installed, but you may notice your Mac performing worse than usual while your files are getting encrypted.
Distribution Method The only documented method is through a torrent client for Mac called Transmission.
Detection Tool None so farSponsored

Remove KeRanger Ramsomware for Mac


1.1 Make sure that all your hidden files are visible. Here is how to use Mac Terminal to show hidden files:

Open Terminal (click Go > Utilities and double-click the Terminal app)

Now copy and paste both lines listed below into Terminal one at a time, and press Return after each line:

defaults write com.apple.finder AppleShowAllFiles YES

killall Finder


1.2 Open the file finder and go to the following three directories for the presence of a file called General.rtf

  1. /Applications/Transmission.app/Contents/Resources/
  2. /Volumes/Transmission/Transmission.app/Contents/Resources
  3. /Library/Kernel-service

If the file is present, then you have download an infected version of Transmission and you should immediately delete General.rtf


Transmission registry files

Transmission registry files

Use the file finder again to navigate to the ~/Library directory. When you are there look for the files called “.kernel_pid”, “.kernel_time” and “.kernel_complete

If these files are present immediately delete them! These files are created by the virus and they will encrypt your data if left unsupervised!


Kernal_service look up

Open the Activity Monitor of your OS X (comes pre-installed with all versions). Look at the processes that are currently running and check if a process called “kernel_service” is currently running.

If it is please double-click on it and select “Open Files and Ports”. Do you see a file called kernel_service located in the following path:

If you do you’ve found the main process that operates the ransomware and probably just in time! Terminate it by clicking on Quit->Force quit.


How to Decrypt files already encrypted by KeRanger

There is only one known way to remove this virus successfully – reversing your files to a time when they were not infected. Currently this can only be done from a back-up. If you have the Time Machine back-up service (or other) set up follow these instructions:

How to restore specific files
  1. You’ll need to enter the Time Machine from the TM menu  Time Machine icon, or alternatively find and click on TM in the Dock.
    Time Machine Back Up
  2. Look for the file encrypted files you want to restore
  • You will see a timeline on the edge of the screen that will help you remember when exactly they were backed up. Use the most recent copy that occurred BEFORE 04.03.2016.
  • There are Up and Down arrows displayed on your onscreen, make use of them to jump between times in which the window information changed. You can also use the search field to locate specific files.
  • You can also select a file, then place the Spacebar to preview it.

Click the Restore button whenever you are ready. Delete the encrypted copies of files once you are done restoring the original files.

If you have many files encrypted it might actually be a better idea to use the OS X Recovery function to restore your whole Mac to a previous date.

Using the OS X RECOVERY to restore everything

  1. First please make sure you backup disk is connected to your Mac device and that it is also turned on.
  2. Choose Apple menu > Restart. After your Mac restarts and you hear the startup tune simultaneously hold down the Command (⌘) and R keys. As soon as you see the Apple logo appear you may release the keys.
  3. Now select the option “Restore from a Time Machine Backup,” then click “Continue”
  4. Now you’ll need to select one of the following options: External backup disk, Time Capsule or Network backup Disk depending on the type of backup you’ve created.
  5. If you’ve set up a password for your backup it is now the time to input it before pressing Connect.
  6. You will now be able to look at the different timetables created when you backed up your data. Use the most recent copy that occurred before 11:00am PST, March 4, 2016.


What to do if you had not set a back-up option before the incident!

Time Machine is NOT automatically turned on as it requires an external drive to store the backup data. If you have not created a back-up option before the attack, then you are at the mercy of the virus. Consider your options carefully – the ransom demanded is 1BTC, which is around $400. Paying the ransom is currently the only way you can recover encrypted files, but you are by no means guaranteed to actually get them. If you decide to pay there is no way to get your money back if things go south.

Additionally, please consider that every dollar received by these criminals will encourage to build new and improved version of ransomware and you may be targeted by them again and again. Only consider paying this ransom if your files are that important to you.

Did we help? Found an alternative solution? Share your feedback with us so we can help other people in need!

Leave a Comment