KeRanger
First fully functional macOS ransomware, distributed via compromised Transmission BitTorrent client
Summary
KeRanger is the first fully functional ransomware targeting macOS, discovered in March 2016. It was distributed through compromised installers of the Transmission BitTorrent client (versions 2.90 and 2.91). The malware encrypts files on the infected system after a three-day delay and demands 1 Bitcoin (approximately $400 at the time) for decryption. Key facts: Affected over 7,000 Mac users; bypassed Apple's Gatekeeper using a valid developer certificate; removed from distribution within a day of discovery.
Background
KeRanger was discovered on March 4, 2016, by researchers at Palo Alto Networks when they detected malicious code in the Transmission 2.90 installer shortly after it was posted on the official website. Palo Alto Networks notified the Transmission project and Apple on the same day. The Transmission team removed the infected installers on March 5, 2016, and released version 2.92, which includes code to remove the malware. Apple revoked the abused developer certificate and updated its XProtect antivirus signatures on March 5, 2016, to block the malware.
Impact
- Encrypts over 300 file types, including documents, images, videos, and archives, appending .encrypted to filenames.
- Uses AES-256 for file contents and RSA-2048 to protect the file keys, so files cannot be recovered without the attacker's private key.
- Potentially targets Time Machine backups, preventing easy restoration.
- Affects macOS users who downloaded Transmission 2.90 or 2.91 between March 4 and 5, 2016.
- Scope limited to approximately 7,000 downloads, but highlights supply chain attack risks.
What is Transmission
Transmission is a free, open-source BitTorrent client for macOS, Linux, and Windows, used for downloading and sharing files via the BitTorrent protocol. It is known for its simple interface and low resource usage. The KeRanger incident involved hackers compromising the official website to distribute infected installers.
Implications
KeRanger demonstrates that macOS is not immune to ransomware, challenging the perception of Apple systems as inherently secure. It poses significant operational risks, such as data loss and financial demands, and highlights vulnerabilities in software supply chains. Security risks include bypassing built-in protections like Gatekeeper, potential for backdoor access, and the need for vigilant updates and backups.
Mitigation
Immediate (0–7 days)
- Check for and remove infected Transmission app (versions 2.90/2.91).
- Kill the "kernel_service" process if running.
- Delete malware files: ~/Library/kernel_service, ~/Library/.kernel_pid, ~/Library/.kernel_time, ~/Library/.kernel_complete.
- Update to Transmission 2.92 or later.
- Confirm the XProtect signature update has been applied (macOS installs it automatically in the background) and scan with antivirus software.
Short-Term (1–4 weeks)
- Install reputable antivirus software (vendors detect the malware under names such as OSX/Filecoder.KeRanger.A).
- Back up important data to external or cloud storage not connected during infection.
- Monitor system for unusual activity.
Medium-Term (1–3 months)
- Educate users on safe downloading practices and verifying software sources.
- Enable automatic updates for macOS and applications.
- Implement file integrity monitoring.
Long-Term (3–6+ months)
- Adopt zero-trust security models and regular security audits.
- Use app stores or verified repositories for software downloads.
- Stay informed on emerging threats through security advisories.
Timeline
| Date | Event |
|---|---|
| March 4, 2016 | Infected Transmission 2.90 installers uploaded; discovered by Palo Alto Networks; notifications sent to Transmission and Apple. |
| March 5, 2016 | Malicious installers removed from Transmission website; Apple revokes certificate and updates XProtect; Transmission releases 2.92 with removal code. |
| March 6, 2016 | Palo Alto Networks publishes detailed analysis. |
| March 7, 2016 | Major media coverage begins; the three-day delay expires for systems infected on March 4, so encryption can begin on those machines. |
Key Takeaways
- KeRanger marks the first major ransomware attack on macOS, proving no platform is immune.
- Supply chain compromises, like hacking official download sites, pose significant risks.
- Rapid response from vendors (Apple, Transmission) limited the impact.
- Regular backups, updates, and antivirus are essential for protection.
- Users should verify software integrity before installation.
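The last two takeaways ask users to verify software integrity before installation. The script below is an added example written for this page (it is not the page's own tooling and not Transmission project code). It performs two independent checks: the download's SHA-256 against a digest obtained out of band (release notes, a second mirror, a signed announcement, not the download page itself), and the code-signing Team ID of the installed bundle against the one the project is known to use. The second check is the one this incident calls for: KeRanger was signed with a valid Developer ID certificate and therefore passed Gatekeeper, so a "signature valid" result alone proves nothing about who signed it. EXPECTED_TEAM_ID and the bundle identifier in the comments are placeholders, not real values.

```shell
#!/bin/sh
# Pre-installation integrity checks for a downloaded macOS application (added example, not the
# page's or Transmission's own tooling). Placeholders: EXPECTED_TEAM_ID, org.example.app.

# verify_sha256 FILE EXPECTED_HEX: status 0 when the digest matches (case-insensitive),
# 1 on mismatch, 2 when no SHA-256 tool is available. Works with GNU sha256sum or macOS shasum.
verify_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$1" | cut -d' ' -f1)
  elif command -v shasum >/dev/null 2>&1; then
    actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
  else
    echo "no SHA-256 tool found" >&2; return 2
  fi
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ "$actual" = "$expected" ]; then
    echo "sha256 ok: $actual"
  else
    echo "sha256 MISMATCH: got $actual, expected $expected" >&2; return 1
  fi
}

# codesign_team_id TEXT: extract the TeamIdentifier value from `codesign -dv --verbose=4`
# output. Prints nothing when the line is missing (unsigned or ad-hoc signed bundle).
codesign_team_id() {
  printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=\(.*\)$/\1/p' | head -n 1
}

# verify_app_signature APP_PATH EXPECTED_TEAM_ID (macOS only: needs codesign and spctl).
# The signature must verify intact, Gatekeeper must accept the bundle, and the Team ID must
# equal the one pinned for this project. A valid signature from a different Team ID fails,
# which is exactly the KeRanger case.
verify_app_signature() {
  if ! codesign --verify --deep --strict "$1" 2>/dev/null; then
    echo "signature invalid or missing: $1" >&2; return 1
  fi
  if ! spctl --assess --type execute "$1" 2>/dev/null; then
    echo "Gatekeeper rejects: $1" >&2; return 1
  fi
  details=$(codesign -dv --verbose=4 "$1" 2>&1)
  team=$(codesign_team_id "$details")
  if [ "$team" != "$2" ]; then
    echo "Team ID MISMATCH: got '$team', expected '$2' (valid signature, wrong signer)" >&2
    return 1
  fi
  echo "signature ok: Team ID $team"
}

# Direct use: sh verify-download.sh FILE EXPECTED_SHA256 [APP_PATH EXPECTED_TEAM_ID]
if [ $# -ge 2 ]; then
  verify_sha256 "$1" "$2" || exit 1
  if [ $# -ge 4 ]; then
    verify_app_signature "$3" "$4" || exit 1
  fi
fi
```

The Team ID to pin has to come from a trusted prior install or from the project itself, never from the bundle being checked; the script only compares, it does not decide which ID is right.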
References
- Palo Alto Networks Analysis (Vendor Advisory)
- ESET WeLiveSecurity (Research Report)
- Reuters (Major Media)
- The Guardian (Major Media)
- Wikipedia: KeRanger
Identification Tool
Checklist for end users/technicians to confirm if a system is affected:
- Check if Transmission is installed at /Applications/Transmission.app and verify version (via Get Info): If 2.90 or 2.91, potentially affected.
- Look for suspicious files in ~/Library: kernel_service, .kernel_pid, .kernel_time, .kernel_complete.
- Open Activity Monitor and search for a process named "kernel_service".
- Check General.rtf in /Applications/Transmission.app/Contents/Resources/: if it is a Mach-O executable rather than an RTF document, the bundle is infected.
- If files with .encrypted extension appear after March 7, 2016, encryption has occurred.
PowerShell Check Script
Run this PowerShell script on macOS (requires PowerShell, pwsh, installed) to detect a compromised Transmission build, the malware files or the running process, and print the status:

```powershell
# Indicators from the checklist above: the four ~/Library files, the kernel_service
# process, and a Transmission bundle reporting version 2.90 or 2.91.
$homeDir = $env:HOME
$filesToCheck = @(
    "$homeDir/Library/kernel_service",
    "$homeDir/Library/.kernel_pid",
    "$homeDir/Library/.kernel_time",
    "$homeDir/Library/.kernel_complete"
)
$findings = @()

# Check malware files
foreach ($file in $filesToCheck) {
    if (Test-Path $file) {
        $findings += "malware file present: $file"
    }
}

# Check Transmission version (Info.plist may be a binary plist; convert it with plutil first)
$transmissionPlist = "/Applications/Transmission.app/Contents/Info.plist"
if (Test-Path $transmissionPlist) {
    $plistContent = Get-Content $transmissionPlist -Raw
    if ($plistContent.StartsWith("bplist")) {
        $plistContent = (& plutil -convert xml1 -o - $transmissionPlist) -join "`n"
    }
    if ($plistContent -match '<key>CFBundleShortVersionString</key>\s*<string>(.*?)</string>') {
        $version = $matches[1]
        if ($version -eq "2.90" -or $version -eq "2.91") {
            $findings += "compromised Transmission build installed: $version"
        }
    }
}

# Check for kernel_service process
if (Get-Process -Name "kernel_service" -ErrorAction SilentlyContinue) {
    $findings += "kernel_service process is running"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Host $_ -ForegroundColor Red }
    Write-Host "Update needed: remove the malware and install Transmission 2.92 or later" -ForegroundColor Red
} else {
    Write-Host "OK" -ForegroundColor Green
}
```
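The same checklist in the shell that ships with macOS, as an added example for this page (not the page's own script and not Transmission project code). It covers every item of the Identification Tool, including the General.rtf check the PowerShell script omits, and the Immediate mitigation steps (kill the process, delete the indicator files, set aside a compromised Transmission bundle). HOME_DIR and ROOT are parameters rather than hard-coded paths so the functions can be exercised against a constructed directory tree; the file names, version numbers and process name come from this page.

```shell
#!/bin/sh
# KeRanger indicator scan and clean-up for macOS (added example, not the page's own script).
# Usage: sh keranger-check.sh scan|clean [HOME_DIR] [ROOT]; nothing runs when sourced.

KERANGER_FILES="kernel_service .kernel_pid .kernel_time .kernel_complete"
KERANGER_VERSIONS="2.90 2.91"

# Print CFBundleShortVersionString from an XML Info.plist; status 1 when the file is absent.
# Assumption: the plist is XML. A binary plist needs `plutil -convert xml1 -o - FILE` first.
plist_short_version() {
  [ -f "$1" ] || return 1
  tr -d '\n\r' < "$1" |
    sed -n 's/.*<key>CFBundleShortVersionString<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# Succeed when the version string is one of the compromised Transmission builds.
is_compromised_version() {
  [ -n "$1" ] || return 1
  case " $KERANGER_VERSIONS " in
    *" $1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed when FILE begins with a Mach-O or fat-binary magic number. A real General.rtf
# begins with "{\rtf"; the infected bundle shipped an executable under that name.
is_macho() {
  [ -f "$1" ] || return 1
  case "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" in
    feedface|cefaedfe|feedfacf|cffaedfe|cafebabe) return 0 ;;
    *) return 1 ;;
  esac
}

# keranger_scan HOME_DIR ROOT: print each indicator found; status 1 if any, 0 if clean.
keranger_scan() {
  home="${1:-$HOME}"; root="${2:-}"
  app="$root/Applications/Transmission.app"
  found=0
  for name in $KERANGER_FILES; do
    if [ -e "$home/Library/$name" ]; then
      echo "indicator: $home/Library/$name present"; found=1
    fi
  done
  if pgrep -x kernel_service >/dev/null 2>&1; then
    echo "indicator: kernel_service process running"; found=1
  fi
  version=$(plist_short_version "$app/Contents/Info.plist" 2>/dev/null || :)
  if is_compromised_version "$version"; then
    echo "indicator: Transmission $version installed (compromised builds: $KERANGER_VERSIONS)"; found=1
  fi
  if is_macho "$app/Contents/Resources/General.rtf"; then
    echo "indicator: General.rtf is a Mach-O executable, not an RTF document"; found=1
  fi
  return "$found"
}

# keranger_clean HOME_DIR ROOT: kill the process, delete the indicator files and move a
# compromised Transmission bundle into the user's Trash (kept rather than deleted so it can
# still be examined). Transmission 2.92 or later, which also carries removal code, goes on next.
keranger_clean() {
  home="${1:-$HOME}"; root="${2:-}"
  app="$root/Applications/Transmission.app"
  if pkill -x kernel_service 2>/dev/null; then echo "killed kernel_service"; fi
  for name in $KERANGER_FILES; do
    if [ -e "$home/Library/$name" ]; then
      rm -f "$home/Library/$name" && echo "removed $home/Library/$name"
    fi
  done
  version=$(plist_short_version "$app/Contents/Info.plist" 2>/dev/null || :)
  if is_compromised_version "$version"; then
    mkdir -p "$home/.Trash"
    mv "$app" "$home/.Trash/Transmission.app.keranger" && echo "quarantined $app"
  fi
  echo "next step: install Transmission 2.92 or later and re-run the scan"
}

case "${1:-}" in
  scan)  keranger_scan  "${2:-$HOME}" "${3:-}" ;;
  clean) keranger_clean "${2:-$HOME}" "${3:-}" ;;
esac
```

Run the scan first and keep its output; a machine past the three-day delay will also show .encrypted files, and at that point the clean-up stops the process and the bundle but does not recover data, which is where the backups from the Short-Term steps come in.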