View All R&D Articles

KeRanger Ransomware Infection And Decryption Services

July 22, 2016

KeRanger is the first fully functional ransomware that affects Mac OS X. It was discovered on March 4, 2016, when a compromised .dmg file was discovered on the web site of Transmission, a popular torrent client.

Once the malware is activated, it sits dormant for three days and then encrypts files on the infected computer. It then demands a ransom in exchange for decrypting the files. While the ransom does not increase over time, files will remain permanently inaccessible until the ransom is paid.’s research teams are working to find solutions for KeRanger victims and can help you resolve infections on any type of computer or network.

If your computer has been infected with KeRanger, turn it off, disconnect all Time Machine media (backup media on Mac OS X systems), and call at 1-800-237-4200 to speak with a malware expert. Our specialists are standing by to discuss your options.

What is KeRanger Ransomware (And How Does It Work)?

KeRanger is the first ransomware that targets Mac OS X. This means that after years of treating malware as a Windows problem, Mac users must finally familiarize themselves with ways to protect themselves against ransomware. Here are some key points to know about KeRanger.

  • KeRanger uses a sophisticated method to infect new victims. The attackers created a fake version of the legitimate torrent client Transmission. They gained access to Transmission’s website and replaced the real application with a Trojan. The developers had a compromised digital certificate from Apple, which caused the malware to go undetected on infected computers.
  • The malware infected application includes a file named General.rtf that is not a legitimate RTF document. It’s actually an executable program, and when a user runs the infected Transmission app, the malicious executable is copied to “kernel_service” and executed. It eventually begins encrypting various file types on the computer, attached devices, and even networked media.
  • Gatekeeper, a new security feature from Apple, blocks any app that does not have a developer ID. However, KeRanger acquired and misused a valid certificate, so Gatekeeper initially did not give any warnings about the malware.
  • KeRanger is a variant of Linux.Encoder.1, which was the first malware to target Linux users.
  • Palo Alto discovered that KeRanger’s developers appear to be working toward an attack on Time Machine in order to prevent Mac users from retrieving their backup files. If your computer is infected with KeRanger, we recommend turning your machine off immediately and disconnecting all Time Machine media to prevent the infection from spreading. is working on ways to combat KeRanger and recover files for those affected by the malware. Because we believe that KeRanger’s developers are working on ways to encrypt even backup files, it is crucial to act immediately if your computer is affected.

How Does KeRanger Ransomware Infect My System?

While many malware programs are spread through emails and hacked web sites, KeRanger has a different approach. It contains itself in a false RTF file that victims download when they install a torrent client on their computer. When that torrent client is opened by a user, the RTF file is executed, and the malware sets itself in motion.

After staying dormant for three days, KeRanger sifts through a variety of file types and encrypts them. The following is only a partial list of the files that KeRanger targets.

.asp, .avi, .class, .csh, .cpp, .db, .doc, .docx, .docm, .dot, .dotm, .eml, .flac, .gzip, .java, .jpg, .jpeg, .lua, .mp3, .mp4, .mpg, .pem, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .rar, .sql, .tar, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .te, .wav, .zip

What Ransom Payment Does KeRanger Demand for Decrypting Files?

KeRanger demands a payment of one bitcoin, which is now approximately $650 US. The ransom does not increase over time, nor is there a deadline for paying it, but your chances for recovering your files decreases as time goes on. As is often the case with ransomware, the attackers will decrypt one file for free as proof that the decryption service works.

Can I Disable KeRanger Ransomware Encryption?

If you have not already run Transmission 2.90 (the torrent client that was initially compromised), you can upgrade to 2.92, which will remove the malware file from your computer. If you have already installed the infected program, it’s possible that your files are recoverable through Time Machine.

Call the security experts at to discuss your situation. We will look for the least expensive and most effective way to recover your files, ideally without paying the ransom request. If it is possible to recover uninfected files through Time Machine or other backup systems, our specialists can provide the resources you need to complete the recovery safely. As a last resort, we can facilitate a secure bitcoin payment to fulfill the ransom requirements. may be able to restore your files, but time is a factor, and we recommend seeking immediate assistance at the first sign of KeRanger ransomware infection. Our malware experts are ready to help at 1-800-237-4200.