Mac Ransomware Removal: What To Do To Protect Your Mac


Apple's Mac OS X systems have been affected by a first-ever ransomware attack that is targeting users of the torrent client Transmission.

Ransomware is malware designed to infect a computer and then hold the owner to ransom, locking up files or functionality and essentially bricking the device until the user pays to have the problem neutralised.

The security firm Palo Alto Networks first discovered the ransomware, which has been named "KeRanger", when it infected two installers of Transmission version 2.90. The malware imposes a 72-hour lockout window unless the victim pays 1 bitcoin, which is around $400. According to the website, users who have directly downloaded the Transmission installer from the official website after 11:00 a.m. PST, March 4, 2016, and before 7:00 p.m. PST, March 5, 2016, may have been infected by KeRanger.

Here is how to protect your Mac (via MacKungfu):

  1. Update your Apple XProtect anti-malware system to get the latest anti-malware definitions, which will automatically remove the threat. Open the Applications list, go to the Utilities folder, open a Terminal window and paste the following: sudo softwareupdate --background-critical
    You'll need to type in your login password when prompted.
  2. Back up your important files to a USB stick or any other removable device. Then disconnect the USB stick or removable drive and DO NOT reattach it until you know your system is clean. KeRanger includes a routine to encrypt Time Machine, so DO NOT rely on that for your backup!
  3. Open the Activity Monitor via Applications, Utilities, and select the CPU tab to check whether any "kernel_service" process is running. Double check the process, choose "Open Files and Ports" and check for a file name like "/Users//Library/kernel_service". This is KeRanger's main process and needs to be terminated with "Quit -> Force Quit".
  4. Return to the Terminal window and paste in the following: rm -rf ~/Library/.kernel_time ~/Library/.kernel_complete ~/Library/kernel_service
  5. Just to be sure, use either Terminal or Finder to check whether /Applications/ General.rtf or /Volumes/Transmission/ General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
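
The checks in steps 3 to 5 can be run in one pass before anything is deleted. The script below is an added example, not part of the original article or of any vendor tool; it only reads the file system and process list. The function names and the HOME_DIR and ROOT arguments are assumptions introduced here so the check can also be pointed at a test directory or a mounted volume.

```sh
#!/bin/sh
# Added example: read-only check for the KeRanger artifacts named in steps 3-5.
# It deletes nothing. HOME_DIR and ROOT are assumptions added for this example.

# keranger_files HOME_DIR [ROOT]: print every artifact path that exists.
keranger_files() {
    home_dir=$1
    root=${2:-}
    # Step 4: files KeRanger keeps in the user's Library folder.
    for name in .kernel_time .kernel_complete kernel_service; do
        if [ -e "$home_dir/Library/$name" ]; then
            printf '%s\n' "$home_dir/Library/$name"
        fi
    done
    # Step 5: a General.rtf anywhere under the two locations the article names.
    for dir in "$root/Applications" "$root/Volumes/Transmission"; do
        if [ -d "$dir" ]; then
            find "$dir" -type f -name General.rtf 2>/dev/null || true
        fi
    done
    return 0
}

# keranger_process: succeeds if a process named kernel_service is running (step 3).
keranger_process() {
    command -v pgrep >/dev/null 2>&1 && pgrep -x kernel_service >/dev/null 2>&1
}

# keranger_scan HOME_DIR [ROOT]: report findings; return 0 if clean, 1 otherwise.
keranger_scan() {
    rc=0
    found=$(keranger_files "$1" "${2:-}")
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/KeRanger artifact: /'
        rc=1
    fi
    if keranger_process; then
        echo 'KeRanger process kernel_service is running'
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo 'No KeRanger artifacts found'
    fi
    return "$rc"
}

# Scan the current account when the script is run directly.
keranger_scan "${HOME:-/}" || echo 'Indicators present: follow steps 1 to 5.'
```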

Users who still want to download the Transmission app should check out the newer version of the app. has recommended users to install version 2.92 of the Transmission app which will actively remove the malware.

Furthermore, we recommend avoiding untrustworthy websites, such as file-sharing and torrent sites, which have a high incidence of malware infections. To keep your system safe, do not install software from installers that are not recommended by Apple.
