KeyRanger: "Ransomware" Trojan attacks OS X users

Ransomware OSX.KeRanger.A: Transmission took action.

So far, Apple users have always been able to sit back and take a deep breath after reading reports about Trojans on Windows computers. But now a new "ransomware" malware that has specialized in OS X users is striking. The name of the Mac trojan is "OSX.KeyRanger.A".

Many media falsely reported the first ransomware for the Mac, but there was already an extortionate malware called "FileCoder", which was also programmed for the Mac under OS X. However, this virally created malware was not distributed because it was not completely programmed (see Securelist report).

KeyRanger comes with the BitTorrent software "Transmission"

Ransomware OSX.KeRanger.A: Transmission took action.

Ransomware OSX.KeRanger.A: Transmission took action and cleaned up the software.

The Mac is obviously infected by the software "Transmission"(Link to the homepage of the software - you can click it, it's not dangerous!), Which is used as a BitTorrent client for the Mac and runs under OS X. Older versions of the software appear to be affected. If you are using it, you should urgently download the current version 2.92 of Transmission, because there is a patch installed that actively searches the Mac for the malware and removes it.

If you want to see whether your Mac is infected, you can use the utility "Activity indicator"Search for a process" kernel_service ". If you find it, click on the process and then on the" i "button in the bar above the processes. Then a window opens in which you can select the tab" Opened files and Ports "selects.

The screenshot shows the main "kernel_service" process of the KeyRanger trojan.

The screenshot shows the main "kernel_service" process of the KeyRanger trojan.

If you find a file name like "Users /… / Library / kernel_service" in the list, you have found the main KeyRanger process. You should close the process with the button "Quit" and then "Quit immediately" and load the new transmission version immediately.

Then you should check whether files like “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the “~ / Library” folder. If so, delete these files immediately.

What does the OS X Trojan do to the Mac?

The term "ransomware" describes malware that blackmailed users of infected devices. In this case, KeyRanger ransomware encrypts the Mac's hard drive about three days after Transmission is installed and then extorts a payment. It is recommended that you do not make this payment under any circumstances, as it is uncertain whether you will even get a password from the blackmailers to decrypt.

Unfortunately, there is no way to decrypt the data afterwards, so it is best to use a backup and restore your Mac. You can see once again how important a functioning backup is - even on a Mac.

If you want to read more about what the malware is doing under OS X, you will find one here detailed report on

Apple has reacted: OS X protects against new infections

Apple has apparently already reacted and is preventing the disk image from opening if users still want to install the software (accidentally). The error message looks like this.

The OS X system prevents users from opening the infected installer.

The OS X system prevents users from opening the infected installer.



Did you like the article and did the instructions on the blog help you? Then I would be happy if you the blog via a Steady Membership or at Patreon would support.

Leave a Comment

Your e-mail address will not be published.