How to fix Ransomware “KeRanger” virus on hard drives on infected Mac?

On Friday 4th of March, the Transmission BitTorrent client installer for operating system Mac OS X was found infected with a new malware virus ransomware, which was lately named “KeRanger. Just after a few hours of installation the problem raise abruptly. It’s quite possible that Transmission’s official website has got some errors and the files were replaced by malicious versions of virus, but the security researcher can’t confirm how this infection has occurred in Mac OS X BitTorrent client installer. The detected malware then asks users for payment to allow them to decrypt their disk & access their data. The main aim of this “KeRanger” virus is to raise money by holding the information of users until they make payment.  Mac Virus Removal and Support for Scan mac virus


There are about 300 different extensions of the malware, including:

  • Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex
  • Archives: .zip, .rar., .tar, .gzip
  • Images: .jpg, .jpeg,
  • Source code: .cpp, .asp, .csh, .class, .java, .lua
  • Email: .eml
  • Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac
  • Database: .db, .sql
  • Certificate: .pem

How to fix OS X Ransomware Key Ranger malware in infected Macs hard drives

  • Many of the users who have downloaded Transmission BitTorrent client installer from OS X official website after 11:00am PST on 4TH of March 2016 may be infected by KeRanger malware virus. If you have downloaded the Transmission installer earlier from any 3rd party websites, then it’s better to perform the following security checks.
  • Following steps help the users in identifying and removing KeRanger malware virus which holds their files for ransom:
  • Using either Finder or Terminal, check whether / Volumes / Contents / /Resources/ Applications/ General.rtf or / Transmission/ General.rtf exist. If any of these files exist, then the Transmission application is infected by Ransomware “KeRanger.” and it’s good for you to delete this version of Transmission.
  • Use “Activity Monitor” preinstalled in your operating system OS X and check whether any process named “kernel_service” is running in it. If this exists then, check the process again and choose “Open Files and Ports” option and check for a file with name “/Users/<username>/Library/kernel_service”. If this file exists, then the process is KeRanger’s. For this, it is recommended to terminate it with “Quit -> Force Quit”.
  • After following the above steps, its better to check the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in your ~/Library directory. If this exists, you should delete them instantly.
Copyright © 2000-2016 rights reserved.