Protect Your Mac or Pay Up (OS X KeRanger)

Justin Pierce, MPS-CRM, CEH, CNDANASA Senior Cybersecurity Engineer
Dream not of today. ~ Jean-Luc Picard
This is a short article about OS X KeRanger, and what people can do to get rid of it.
Imagine this: You’re editing an important document in Pages that the boss needs to have by the end of the day. Things are going great, and the music that’s softly playing in the background seems to be streaming along perfectly with each of your brillant keystrokes. Becuase you’re a professional multitasker you have your favorite BitTorrent, Transmission, downloading a few shows for the evening, and before you can think about what happened in the last episode, something happens.

A file named ‘README_FOR_DECRYPT.TXT’ appears on your desktop stating that your files are encrypted with 2048-bit RSA encryption. You begin to giggle as you pull up Finder and navigate to your Documents folder to take a peek. Immediately you stop giggling, your background music screeches to a halt, and your mouth drops open. Every file appears to have an appended “.encrypted” extension attached to it. At this point your eyes begin to widen and you take the plunge and double-click a random document (maybe the one that you’re working on for the boss) and it opens to nothing but gibberish. 

What do you do now? 

Do you pay the ransom?

First, let me state that if you haven’t downloaded Transmission, or have no idea what a BitTorrent is, you’re safe. This ransomware only affects users who have this specific application and version 2.90 of it. This means that this ransomware isn’t floating out in the ether waiting to jump on your Mac to have you pay a little over $400 (1 Bitcoin) to get your files back. 

Second, if you use Transmission check your version and if you have 2.90, then follow the steps below. If your files are encrypted because of this ransomware you can easily get rid of the virus by following the steps too:

(1) Open Terminal

(2) Open Activity Monitor

(3) In Activity Monitor look for process “Kernel_service” & the Transmission application and “force quit” them.

(4) If neither stops, look at the “PID” number next to each process and write them down or commit them to memory.

(5) In Terminal type “kill 1234” (Without quotations & replace 1234 with the number from Activity Monitor. You’ll have to do this twice because you’re stopping two different processes.)

(6) Open Finder & go to Applications

(7) Drag Transmission to the Trash can and empty it. 

After you’ve completed all the steps technically you’re done, since the virus is gone. However, there are still files lingering on your Mac from this ransomware that deal with time (the timeframe for this virus to take hold is 3 days). If you want these gone too, then follow these additional steps (remember to leave out the quotation marks when typing):

(1) Open Terminal

(2) Type “cd ~/library"

(3) Type “rm .kernel_pid”

(4) Type “rm .kernel_time"

(5) Type “rm .kernel_service"

(6) Type “rm .kernel_complete”

You may not have all of them, so don’t worry if your Mac can’t find them. After that, the files will still be encrypted so you will have to use Time Machine to pull from a backup. If you were working with Pages then most likely your documents are saved to iCloud or iCloud drive, both areas should be good to go, so don’t worry.

Lastly, as Mac malware becomes more prevalent it’s smart to protect yourself with a strong antivirus and intelligent software firewall (Intego X8 has both in one application). Intego is what I have always used and I’ve never had a problem, including Windows viruses that try to pass on when working with a Word document, since X8 can scan and quarantine those bad bits as well.

That’s it for now!

Side note: If you still trust Transmission (this really wasn't their fault) then you can update to the latest version, which gets rid of the hidden virus. 
Justin Pierce, MPS-CRM, CEH, CNDANASA Senior Cybersecurity Engineer
Dream not of today. ~ Jean-Luc Picard

Comments (1)

Justin Pierce, MPS-CRM, CEH, CNDANASA Senior Cybersecurity Engineer


Hi Ericpete,

Sorry for the reference to Intego and my site. I've removed the lines that you've asked to be taken out. Again, I'm sorry for the mishap.

Thank you for your time and take care.



Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.