How to Remove KeRanger Ransomware from Your Mac
Since yesterday, Apple Mac users have been hit by a first ever fully functional ransomware called KeRanger. KeRanger spreads through a infected version of the Transmission BitTorrent client for Mac.
Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines. The ransomware then asks victims to pay ransom in bitcoins to get an electronic key so they can decrypt the encrypted data.
Windows run PCs have normally been the target of ransomware authors but this is the first time that ransomware is targeting the Apple’s closed OS X operating system. Palo Alto Threat Intelligence Director Ryan Olson said the “KeRanger” malware, which appeared on Friday, was the first functioning ransomware attacking Apple’s Mac computers.
Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon. When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware.
While Apple has said that it has revoked the certificate which allowed KeRanger to install over Macs, those of you who want to check if they are infected with this ransomware follow the process below.
Scanning and removing KeRanger ransomware from your Mac
- Step 1: Search your drive for the following files (you can use the Terminal or the Finder app): /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf.
If any of these two shows up in your search results, it means that you installed an infected version of the Transmission client, and you should delete this version of Transmission as soon as possible.
- Step 2: Use the OS X Activity Monitor to check if you have a process running called “kernel_service.” If you do, don’t panic, there might be other apps that could start this process as well.
To make sure, double-click the process and choose the “Open Files and Ports” tab in the window that appears. If there’s a file named “/Users//Library/kernel_service”, like in the picture below, then KeRanger is active and running on your system. Users should select “Quit -> Force Quit” to stop the process.
- Step 3: Users should also check the ~/Library directory for the following files (and delete them): .kernel_pid, .kernel_time, .kernel_complete or kernel_service.
The above process only works if you catch KeRanger before it executes. Once it has executed itself, the ransomware will encrypt all your files with a strong encryption algorithm. This algorithm can’t be cracked.
The only way out is to erase your hardrive and restore backup from iCloud. If you don’t have backups, then currently your only option is to pay the ransomware fee.
An Apple representative said the company had taken steps over the weekend to prevent further infections by revoking a digital certificate certificate that was used to bypass GateKeeper, and by adding the ransomware’s signature to XProtect, Mac’s built-in anti-malware toolkit. The representative declined to provide other details.
Transmission has also removed the malicious version of its software from its website. On Sunday it released a version that its website said automatically removes the ransomware from infected Macs.
The website advised Transmission users to immediately install the new update, version 2.92, if they suspected they might be infected.
Palo Alto said on its blog that KeRanger is programmed to stay quiet for three days after infecting a computer, then connect to the attacker’s server and start encrypting files so they cannot be accessed.
After encryption is completed, KeRanger demands a ransom of 1 bitcoin, or about $400, the blog said.
Olson, the Palo Alto threat intelligence director, said that the victims whose machines were compromised but not cleaned up could start losing access to data on Monday, which is three days after the virus was loaded onto Transmission’s site.