Information about KeRanger ransomware on Mac computers


Introduction

KeRanger, the first known ransomware to infect macOS, is a Trojan horse that was discovered on March 4, 2016.

Explanation

KeRanger was spread through an infected version of an otherwise legitimate open source BitTorrent application—Transmission. The malicious version (2.90) of Transmission was available for download between March 4 and March 5, and was signed with a legitimate developer certificate.

The Trojan displays a ransom note demanding payment for the files to be decrypted:

(Screenshot of the KeRanger ransom note; image not reproduced here.)

The developers of Transmission issued a message to users of the app recommending that they upgrade immediately to version 2.91 (and later to 2.92). As of March 5, 2016 the malicious version was removed from Transmission's website. Also, Apple has revoked the misused certificate to prevent users from opening the infected installer even if it is downloaded from a third-party location.

If you have not received a demand for ransom, it does not necessarily mean that your Mac does not have the infection. KeRanger is known to stay idle for three days after initial infection. To determine if KeRanger is present, check for the following files on your Mac. If they exist, delete them and uninstall the Transmission app.

  • /Applications/Transmission.app/Contents/Resources/ General.rtf
  • /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf
  • %HOME_DIR%/Library/kernel_service/kernel_service
  • %HOME_DIR%/Library/kernel_service/.kernel_pid
  • %HOME_DIR%/Library/kernel_service/.kernel_time
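The following shell script automates the check described above. It is an added example and not part of the original advisory or of the Transmission project: it tests for each indicator path listed, expands %HOME_DIR% to the home directory you pass in, and additionally flags an installed Transmission 2.90 by reading the bundle's Info.plist. The ROOT argument is an assumption of the example: leave it empty to scan the live Mac, or pass the mount point of a copied volume (or a test directory) to scan offline.

```shell
#!/bin/sh
# Added example, not part of the original advisory: check a Mac for the
# KeRanger indicators listed above. ROOT="" scans the live system; a non-empty
# ROOT (a mounted volume copy or a test tree) is prefixed to every path.

# Print the Transmission bundle version (CFBundleShortVersionString) found
# under ROOT, or nothing if the app is not installed there.
transmission_version() {
    plist="${1:-}/Applications/Transmission.app/Contents/Info.plist"
    [ -f "$plist" ] || return 0
    awk '/CFBundleShortVersionString/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$plist"
}

# Print every indicator present under ROOT for the user whose home directory
# (relative to ROOT, e.g. /Users/alice) is HOME_DIR. Returns the number of
# indicators found, so an exit status of 0 means none were found.
keranger_check() {
    root="${1:-}"
    home_dir="${2:-$HOME}"
    found=0
    # Indicator paths exactly as listed in the advisory; %HOME_DIR% becomes HOME_DIR.
    for rel in \
        "/Applications/Transmission.app/Contents/Resources/ General.rtf" \
        "/Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf" \
        "$home_dir/Library/kernel_service/kernel_service" \
        "$home_dir/Library/kernel_service/.kernel_pid" \
        "$home_dir/Library/kernel_service/.kernel_time"
    do
        if [ -e "${root}${rel}" ]; then
            printf 'FOUND: %s\n' "${root}${rel}"
            found=$((found + 1))
        fi
    done
    # Transmission 2.90 is the trojanized release; 2.91 and later are clean.
    if [ "$(transmission_version "$root")" = "2.90" ]; then
        printf 'FOUND: Transmission 2.90 (trojanized release) installed\n'
        found=$((found + 1))
    fi
    return "$found"
}

# Live-system usage: keranger_check "" "$HOME"; a non-zero exit status means
# at least one indicator was found and the listed files should be removed.
```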

The TTU IT Division recommends that you have anti-virus software installed and updated on your Mac. It is good practice to run a regular scan of all files on your system to check for infections.