KeRanger: Ransomware-as-a-service attacking Macs

First discovered in 2016, KeRanger - also known as OSX.KeRanger.A - is ransomware that was designed specifically for the macOS. Most ransomware threats are created for Windows devices, making this “ransomware-as-a-service” attack fairly unique, although it certainly won’t be the last that aims to steal data and money from Mac users.

Prior to the discovery of KeRanger by Palo Alto Networks, an attempt to create ransomware for macOS was known as FileCoder. Kaspersky Lab found that one in 2014, although it was incomplete and incapable of causing much damage. The following year, Brazilian researchers created a proof of concept ransomware, known as Mabouia. Again, this couldn't do much damage; however, a month later, the first working version of ransomware for Mac was released into the wild.

What is KeRanger and what does it do?

KeRanger was transmitted through a popular BitTorrent client installer for macOS known as Transmission. The creators of this virus hacked the Transmission website, replacing the legitimate installer with a close duplicate, hiding the KeRanger ransomware.

The malicious Transmission installer was still signed with a verifiable Mac app development certificate, which meant it could bypass Apple’s Gatekeeper protection. It also acts and looks perfectly legitimate, therefore not raising any suspicions when infected Mac users downloaded the ransomware. Although the developers ID isn’t the same as the one used by the Transmission developers. The ID came from a Turkish firm, signed with this ID: Z7276PX673.

Once installed, KeRanger waits three days before transmitting to the command and control (C2) servers via the Tor network. Now this activates KeRanger, which starts encrypting files and folders, including any connected Time Machine backups. If your backups are encrypted, it becomes even more difficult to restore your Mac to how it was before the attack, in an attempt to force people to pay the ransom.

To unlock the files, those behind this attack were asking for payment of one Bitcoin, which at the time it was discovered, Bitcoin was valued at $400. Unlike some ransomware attacks, the creators do send the encryption key to unlock the encrypted files. However, even when this is done, the ransomware is still active on your Mac and could pose an ongoing security threat.

Removing it is the only way to ensure you aren't infected in the future, or that the ransomware is used as a backdoor for other malware and malicious viruses.


How to remove KeRanger from your Mac 

You can get rid of KeRanger with the help of a malware removal app like CleanMyMac X. It is a powerful Mac guardian, keeping your Mac safe from thousands of threats, including adware, spyware, trojans, worms, and more. When it comes to unwanted ransomware, here is how you use it to restore your Mac to order:

  1. Download CleanMyMac X.
  2. Click on the Malware Removal tab.
  3. Click Scan to search for KeRanger and any other infections, spyware, adware.
  4. CleanMyMac X will show you what your Mac is infected with.
  5. Click Remove and they will vanish for good.
Malware removal module of CleanMyMacX

KeRanger is not an easy problem to remove. Manually, once your files are unlocked, it can take some time to find and delete. Paying the ransom is never advisable. So, to make sure that your Mac is safe, use the dedicated malware removal tools, like CleanMyMac X. With its help, you cannot just neutralize malware threats, but also free up space, manage your applications, and speed up the system. Its all-in-one tool for complete Mac care. 

Laptop with CleanMyMac
CleanMyMac X

Your Mac. As good as new.