img HowTosOSX

Remove KeRanger ransomware - Transmission 2.9 malware from Mac OS X

Remove KeRanger, the first known ransomware crafted for Mac OS X, learn how to avoid this assault and restore the files encrypted by this infection.

The worst nightmare of the Mac user community has come true as the first OS X ransomware campaign commenced last weekend. In fact, a few months ago a JavaScript based crypto plague called Ransom32 emerged, which caused serious concerns in the expert circles because it could potentially run on platforms other than Windows. It turned out these predictions weren’t too far off the actual state of things. The recently discovered infection called KeRanger is reportedly propagating over a mutilated downloader of the Transmission BitTorrent Client. The success of malicious payload serving is backed by the popularity of the latter application with Mac customers. The version of Transmission that’s unsafe is 2.90. At this point, the developer has put up a warning on their website with a recommendation to urgently upgrade to 2.92, which is a malware-free edition.

Official site of the Transmission app now contains a warning message

Obviously, the aforementioned vendor’s site had suffered a hack incident therefore the perpetrators were able to covertly substitute the original DMG file installer with an altered one carrying the harmful drive-by. The reason why the Gatekeeper solution failed to block these downloads is because the app featured a valid developer certificate, so the defenses simply didn’t identify the hazard on the initial stage. Thankfully, the cert has now been blacklisted, so Gatekeeper is flagging the corrupt setups.

Once the KeRanger ransomware ends up inside a Mac, it adds an executable disguised as ‘General.rtf’ file. When this object is automatically launched, it harvests machine-specific details and transmits these identifiers to the Command and Control server via Tor. Then, the virus scans the hard drive and encrypts files with widespread extensions, including documents, images, audio, video, certificates, emails, archives, and source code entities. Every ciphered item is appended with the .encrypted string at the end of the filename, so a ‘flower.jpg’ file will look like this – ‘flower.jpg.encrypted’. This part of the attack being completed, the victim will see data recovery instructions in a file named README_FOR_DECRYPT.txt.

README_FOR_DECRYPT.txt ransom instructions

According to the ransom notes, the infected Mac user needs to submit 1 BTC (about $400) in order to be able to download the decrypt pack. The document also contains the .onion address and the person’s unique ID for authentication with the malign service. The Tor website enables the victim to decrypt 1 file for free and provides the option to pay the ransom, send a ticket and read some FAQs. If the user chooses not to redeem their personal data with the deadline of 72 hours, the amount for buyout will most likely increase.

KeRanger leverages the RSA-2048 cryptographic algorithm to encode files. This is an asymmetric cipher, where the public key is used for encryption and the private key – for decryption. The latter high-entropy chunk of information stays on the extortionists’ remote server throughout the onslaught, so it’s not feasible to restore anything by brute-forcing or similar techniques. Doing the buyout, on the other hand, is a terrible idea. So what should the contaminated Mac users do? First and foremost, uninstall the KeRanger ransomware and try to use a couple of tips and tricks to reinstate the locked files.

KeRanger ransomware manual removal for Mac

The steps listed below will walk you through the removal of this application. Be sure to follow the instructions in the order specified.

• Open up the Utilities folder as shown below

Open up the Utilities

• Locate the Activity Monitor icon on the screen and double-click on it

Locate the Activity Monitor

• Under Activity Monitor,find suspicious entries General.rtf, kernel_service, kernel_pid, kernel_time, kernel_complete), select them and click Quit Process for each.

Quit MacDefender process

• A dialog should pop up, asking if you are sure you would like to quit the executable. Select the Force Quit option

• Click the Go button again, but this time select Applications on the list. Find the Transmission entry on the interface, right-click on it and select Move to Trash. If user password is required, enter it. After the cleanup is performed all the way, you can reinstall the safe version of the app, that is, 2.92 and onward

• Now go to Apple Menu and pick the System Preferences option

Pick the System Preferences

• Select Accounts and click the Login Items button. Mac OS will come up with the list of the items that launch when the box is started up. Locate suspicious entries there and click on the "-" button for those

Remove MacDefender from Login Items


OSX.KeRanger virus automatic removal for Mac

p>1. Download and install MacKeeper application (read review). In addition to security features, this tool provides a vast arsenal of Mac optimization capabilities
Download MacKeeper

2. Get your Mac checked for malicious software by going to System Scan and starting the scan procedure

MacKeeper: Analysis

3. When the app comes up with a list of detected security issues, get those fixed by clicking the respective button. KeRanger ransomware should now be completely gone.

Recover files encrypted by KeRanger ransomware

Since data decryption is not possible unless you pay the ransom, it’s recommended to restore files from an offline or cloud backup, or utilize a workaround. If there are backup copies on an external resource, be sure to uninstall KeRanger virus before downloading them otherwise the infection will encrypt those again. In case you don’t have backups, do the following:

• On the menu bar, click the Time Machine icon and select Enter Time Machineoption

Enter Time Machine

• When the utility is running, open the directory that holds the files to be restored. Use the right-hand arrow toggles to go back to the point when the needed file or files were unaffected

Time Machine

• Highlight the file of interest and then click the Restore button down at the bottom

Time Machine Restore option

• The file should now be accessible. One important thing to remember is that KeRanger virus should be removed prior to recovery with Time Machine, because the ransomware will most likely encode the restored data again.