Remove Mac Ransomware: How To Tell If You're Infected By KeRanger And Recovery Steps

Macs' reputation as relatively virus-free systems has been a major selling point for the Apple computers through the years. But over the weekend they were exposed to the first major ransomware attack on the Apple ecosystem, a sign that Mac users are becoming larger targets for cybercriminals.

On the morning of March 4, users of the popular file-sharing program Transmission got an unwelcome surprise. The bitTorrent service had installed malware that threatened to encrypt their data, leaving them unable to access their files. The virus didn't immediately kick in but was instead programmed to begin encrypting data 72 hours after it was installed. But once the malware encrypts the files, the user's only recourse is paying the attackers one bitcoin, a virtual currency worth $410, according to security research company Palo Alto Networks.

Users who downloaded version 2.90 of Transmission after Saturday morning may have been infected by the malware. Dubbed “KeRanger”, it's especially scary because it not only encrypts files but also attempts to encrypt the user’s Time Machine backup to prevent additional data-recovery methods. As the name implies, ransomware is a piece of malicious software that blocks access to a computer or files until a fee is paid, often through money orders or the bitcoin virtual currency.

For affected Transmission users, if the ransomware hasn’t already been activated on your computer, it is possible to prevent it from encrypting your files. Here’s what to look for and how to remove the ransomware from your Mac.

1. Using either Terminal or Finder, check for a file named “General.rtf” in:

/Applications/Transmission.app/Contents/Resources/ and /Volumes/Transmission/Transmission.app/Contents/Resources/

If the file exists in either directory, the copy of Transmission is infected and the app should be deleted.

2. Using Activity Monitor, look for a process called “kernel_service” within the app. Double-click the process and click “Open Files and Ports” in the window that opens. If there’s a file listed such as “/Users//Library/kernel_service,” that’s the main process used by the KeRanger ransomware. Users should force-quit the app via the activity monitor.

3. Additionally, users should also check for files “.kernel_pid,” “.kernel_time,” “.kernel_complete,” and “kernel_service” in the ~/Library directory and delete them if they exist.

If you’re not comfortable with digging around through directories, Transmission has also released an updated version of the BitTorrent client that will automatically look for the malware and remove it after launching the updated app.

While this is the first fully functional ransomware software to hit Macs, it isn’t the first time attackers have attempted to get ransomware installed on Apple's operating system. That title belongs to a 2014 unfinished piece of malware called “FileCoder,” according to SecureList. The malware would have encrypted files and held them for a ransom of 20 euro ($21), but the software was incomplete at the time and wasn’t fully functional.

As for the first Mac virus, that was Leap-A worm, which in 2006 spread through the iChat messaging system via an attachment sent to people on a user's contact list, according to Sophos.