KeyRanger: “Ransomware” Trojan attacks OS X users

Ransomware OSX.KeRanger.A: Transmission took action.

So far, Apple users have always been able to sit back and take a deep breath when they read reports about Trojans on Windows computers. Now, however, a new “ransomware” malware that specializes in OS X users is striking. The Mac Trojan's name is “OSX.KeyRanger.A”.

In many media it is mistaken by the first Ransomware reported for the Mac, but there was previously a ransomware malware called "FileCoder" that was also programmed for the Mac running OS X. However, this viral malware was not distributed because it was not fully programmed (see Securelist report).

KeyRanger comes with BitTorrent software “Transmission”

Ransomware OSX.KeRanger.A: Transmission took action.
Ransomware OSX.KeRanger.A: Transmission took action and cleaned up the software.

The Mac is obviously infected by the software”Transmission” (Link to the homepage of the software – clickable, not dangerous!), which is used as a BitTorrent client for the Mac and runs under OS X. Older versions of the software appear to be affected. If you are using it, you should urgently download the current version 2.92 of Transmission, because there is a patch installed that actively searches the Mac for the malware and removes it.

If you want to see for yourself whether your Mac is infected, you can use the “Activity indicator” search for a process “kernel_service”. When you find it, click on the process and then click the "i" button in the bar above the processes. Then a window opens in which you select the “Open Files and Ports” tab.

The screenshot shows the main "kernel_service" process of the KeyRanger trojan.
The screenshot shows the main process “kernel_service” of the Trojan KeyRanger.

If you find a file name like “Users/…/Library/kernel_service” in the list, then you have found the main KeyRanger process. One should close the process with the button “Exit” and then “Exit Immediately” and immediately load the new Transmission version.

Then you should check whether files like “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the “~/Library” folder. If so, also delete these files immediately.

What does the OS X Trojan do to the Mac?

The term “ransomware” describes malware that blackmails users of infected devices. In this case, KeyRanger ransomware encrypts Mac's hard drive about three days after installing "Transmission" and then extorts payment. It is recommended not to make this payment under any circumstances as it is uncertain whether you will even receive a decryption password from the extortionists.

Unfortunately, there is no way to decrypt the data afterwards, so it is best to use a backup and restore your Mac. You can see once again how important a functioning backup is - even on a Mac.

If you want to read more about what the malware is doing under OS X, you will find one here detailed report on

Apple has reacted: OS X protects against new infections

Apple has apparently already reacted and is preventing the disk image from opening if users still want to install the software (accidentally). The error message looks like this.

The OS X system prevents users from opening the infected installer.
The OS X system prevents users from opening the infected installer.


Did you like the article and did the instructions on the blog help you? Then I would be happy if you the blog via a Steady Membership would support.

Post a comment

Your e-mail address will not be published. Required fields are marked with * marked

In the Sir Apfelot Blog you will find advice, instructions and reviews on Apple products such as the iPhone, iPad, Apple Watch, AirPods, iMac, Mac Pro, Mac Mini and Mac Studio.