KeRanger is ransomware targeting macOS, first discovered in March 2016.
Also known as: OSX.KeRanger, KeyRanger
KeRanger was the first fully functional ransomware targeting macOS, discovered in March 2016. It was distributed through a compromised version of the Transmission BitTorrent client. KeRanger waited three days after infection before encrypting files and demanding a 1 Bitcoin ransom, giving it time to spread before detection.
Compromised update of the Transmission BitTorrent client (version 2.90)
Supply chain attack — the official Transmission DMG was replaced with a trojanized version
Users who downloaded Transmission from the official website during the compromise window
Installed Transmission version 2.90 during March 4-5, 2016
Files encrypted with .encrypted extension after a three-day delay
Ransom note file named README_FOR_DECRYPT.txt on Desktop
Process named 'kernel_service' running in Activity Monitor
Update Transmission to version 2.92 or later, which includes code to detect and remove KeRanger. Alternatively, uninstall Transmission entirely.
Open Activity Monitor and force-quit any process named 'kernel_service'. Delete the files ~/Library/.kernel_pid, ~/Library/.kernel_time, and ~/Library/.kernel_complete if present.
Remove the LaunchAgent plist from ~/Library/LaunchAgents that maintains persistence. Look for files referencing kernel_service created around the infection date.
If files were encrypted, restore from a Time Machine backup dated before the infection. The encryption used by KeRanger is not trivially reversible without paying.
Run a CoreLock scan to confirm all KeRanger components have been removed and no other malware was installed during the compromise window.
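The manual checks in the steps above can be scripted. The following is an added example, not CoreLock's code and not part of the original page: a POSIX shell script that looks for the indicators named on this page (the hidden .kernel_pid/.kernel_time/.kernel_complete files, a LaunchAgent plist referencing kernel_service, the README_FOR_DECRYPT.txt note on the Desktop, files with the .encrypted extension, and a running process named kernel_service) in a given home directory and in a process list fed on stdin. The function names and the sample plist path are this example's own assumptions.

```shell
#!/bin/sh
# Added example: check a macOS home directory and a process list for the
# KeRanger indicators described on this page. Not CoreLock's code; the
# function names are this example's own.

# Print one "indicator:" line per KeRanger artefact found under $1 (a home
# directory). Always returns 0; callers count the printed lines.
keranger_check_home() {
  home="$1"
  # Hidden state files the malware keeps in ~/Library
  for f in .kernel_pid .kernel_time .kernel_complete; do
    [ -e "$home/Library/$f" ] && echo "indicator: state file $home/Library/$f"
  done
  # Persistence: any LaunchAgent plist that references kernel_service
  for plist in "$home"/Library/LaunchAgents/*.plist; do
    [ -f "$plist" ] || continue
    if grep -q 'kernel_service' "$plist"; then
      echo "indicator: LaunchAgent $plist references kernel_service"
    fi
  done
  # Ransom note dropped on the Desktop
  [ -e "$home/Desktop/README_FOR_DECRYPT.txt" ] && \
    echo "indicator: ransom note $home/Desktop/README_FOR_DECRYPT.txt"
  # Files already renamed with the .encrypted extension (encryption has run)
  enc=$(find "$home" -type f -name '*.encrypted' 2>/dev/null | wc -l | tr -d ' ')
  [ "$enc" -gt 0 ] && echo "indicator: $enc file(s) with .encrypted extension under $home"
  return 0
}

# Read process names (one per line, e.g. from `ps -axo comm=`) on stdin and
# flag the masquerading kernel_service process. macOS may report a full
# executable path in the comm column, so only the basename is compared.
keranger_check_proclist() {
  while IFS= read -r cmd; do
    case "${cmd##*/}" in
      kernel_service) echo "indicator: process kernel_service is running" ;;
    esac
  done
  return 0
}

# Usage on a live Mac:
#   ps -axo comm= | keranger_check_proclist
#   keranger_check_home "$HOME"
```

A clean system prints nothing from either function; each printed line is one artefact to remove by the steps above, after which the script is re-run to confirm an empty result.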
Maintain regular backups with Time Machine or another solution
Verify download checksums when available, especially for open-source software
Keep software updated to receive security patches for supply chain compromises
Use CoreLock's code signing verification to detect tampered application binaries
Real-time Detection
CoreLock detects KeRanger through YARA signatures matching its known binary patterns, behavioral monitoring for delayed file encryption triggers, process name analysis flagging masquerading system service names, and code signing verification detecting the revoked Apple certificate used in the attack.
Ransomware — EvilQuest (also called ThiefQuest) is a macOS ransomware that combines file encr...
Trojan — XCSSET is a sophisticated macOS malware that infects Xcode developer projects. W...
Trojan — Silver Sparrow was a mysterious macOS malware discovered on nearly 30,000 Macs a...
KeRanger was the first fully functional macOS ransomware discovered in the wild. A proof-of-concept called FileCoder (Mabouia) existed before it, but KeRanger was the first to successfully encrypt user files and demand ransom through a real attack.
Attackers compromised Transmission's official website and replaced the legitimate DMG with a trojanized version. The malicious build was signed with a valid Apple developer certificate, allowing it to pass Gatekeeper checks.
KeRanger itself is no longer actively distributed, and the compromised Transmission version has long been replaced. However, it demonstrated that supply chain attacks targeting macOS are viable, a technique that has been repeated by later threats like XCSSET and Silver Sparrow.
Download CoreLock to detect and remove KeRanger and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.