First discovered in 2016, KeRanger — also known as OSX.KeRanger.A — is ransomware that was designed specifically for macOS. Most ransomware threats are created for Windows devices, making this “ransomware-as-a-service” attack fairly unique, although it certainly won’t be the last that aims to steal data and money from Mac users.

Before the discovery of KeRanger by Palo Alto Networks, an attempt to create ransomware for macOS was known as FileCoder. Spotted in 2014, it was incomplete and incapable of causing much damage. The following year, Brazilian researchers created a proof-of-concept ransomware known as Mabouia. Again, this couldn’t do much damage; however, a month later, the first working version of ransomware for Mac was released into the wild.


What is KeRanger and what does it do?

KeRanger was transmitted through a popular BitTorrent client installer for macOS known as Transmission. The creators of this virus hacked the Transmission website, replacing the legitimate installer with a close duplicate, hiding the KeRanger ransomware.

The malicious Transmission installer was still signed with a verifiable Mac app development certificate, which meant it could bypass Apple’s Gatekeeper protection. It also acts and looks perfectly legitimate, therefore not raising any suspicions when the users of an infected Mac download the ransomware. However, the developers’ ID isn’t the same as the one used by the Transmission developers. The ID came from a Turkish firm, signed with this ID: Z7276PX673.

Once installed, KeRanger waits for three days before transmitting to the command and control (C2) servers via the Tor network. At this point, it activates KeRanger, which starts encrypting files and folders, including any connected Time Machine backups. If your backups are encrypted, it becomes even more difficult to restore your Mac to how it was before the attack. It does so in an attempt to force people to pay the ransom.

To unlock the files, those behind this attack were asking for payment of one Bitcoin, which at the time it was discovered, Bitcoin was valued at $400. Unlike some ransomware attacks, the creators do send the encryption key to unlock the encrypted files. However, even when this is done, the ransomware is still active on your Mac and could pose an ongoing security threat.

Removing it is the only way to ensure you aren’t infected in the future or that the ransomware is used as a backdoor for other malware and malicious viruses.

how-reset-pram-smc

How to remove KeRanger from your Mac 

You can get rid of KeRanger with the help of a malware removal app like CleanMyMac X. It is a powerful Mac guardian, keeping your Mac safe from thousands of threats, including adware, spyware, trojans, worms, and more. When it comes to unwanted ransomware, here is how you use it to restore your Mac to order:

  1. Download CleanMyMac X for free.
  2. Click on the Malware Removal tab.
  3. Click Scan to search for KeRanger and any other infections, spyware, and adware.
  4. CleanMyMac X will show you what your Mac is infected with.
  5. Click Remove, and they will vanish for good.
Malware removal module of CleanMyMac


KeRanger is not an easy problem to remove. Manually, once your files are unlocked, it can take some time to find and delete. Paying the ransom is never advisable. So, to make sure that your Mac is safe, use dedicated malware removal tools like CleanMyMac X. With its help, you can not only neutralize malware threats but also free up space, manage your applications, and speed up the system. It’s an all-in-one tool for complete Mac care.