KeRanger ransomware: What to do right now

6 March 2016, 12:51

As first reported here at Mac Kung Fu earlier, version 2.90 of the Transmission BitTorrent app might have contained the KeRanger ransomware.

If you downloaded, installed and/or updated Transmission over the last week you might be infected, although there’s a possibility the malware might’ve used other app installers or updates to get onto your system. We advise following these steps immediately:

1. Apple’s XProtect background anti-malware system has already been updated to remove the threat, but you’ll need to ensure your system has the latest anti-malware definitions. Open a Terminal window (it’s in the Utilities folder of the Applications list) and paste in the following:

sudo softwareupdate --background-critical

You’ll need to type your login password when prompted.

2. Plug in a USB stick or removable drive and back up your files to it immediately. Then DISCONNECT THE DRIVE OR USB STICK and DO NOT reattach it until you know your system is clean. Note: KeRanger includes a routine to encrypt Time Machine backups, so DO NOT rely on Time Machine for your backup!

3. Open Activity Monitor, which is again in the Utilities folder of the Applications list, and select the CPU tab. Then click in the search field and type kernel_service. If anything is returned, select it and click the Quit Process button – the top left icon that’s an X in a circle.

4. Return to the Terminal window and paste in the following:

rm -rf ~/Library/.kernel_time ~/Library/.kernel_complete ~/Library/kernel_service
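The check behind steps 3 and 4, as an added example that is not part of the original post: a report-only shell script that looks for the kernel_service process and the three files under ~/Library named above, so you can confirm whether a Mac is affected before (and after) running the removal commands. The function names and the optional directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Report-only: it lists the KeRanger
# indicators named in the post and deletes nothing; step 4 above does the removal.

# Indicator filenames from the post, relative to the user's Library folder.
KERANGER_FILES=".kernel_time .kernel_complete kernel_service"
KERANGER_PROCESS="kernel_service"

# keranger_check_files LIBRARY_DIR
# Prints each indicator path that exists under LIBRARY_DIR.
# Returns 0 if none are present, 1 if at least one was found.
keranger_check_files() {
    lib="$1"
    found=0
    for name in $KERANGER_FILES; do
        if [ -e "$lib/$name" ]; then
            echo "FOUND: $lib/$name"
            found=1
        fi
    done
    return $found
}

# keranger_check_process
# Returns 1 if a process whose executable is named kernel_service is running, else 0.
# ps -eo comm= works on both macOS and Linux; macOS prints a full path, so strip it.
keranger_check_process() {
    if ps -eo comm= 2>/dev/null | sed 's#.*/##' | grep -qx "$KERANGER_PROCESS"; then
        echo "FOUND: running process $KERANGER_PROCESS (quit it via Activity Monitor)"
        return 1
    fi
    return 0
}

# keranger_scan [LIBRARY_DIR]  (defaults to ~/Library)
# Runs both checks; returns 0 only when no indicator is present.
keranger_scan() {
    status=0
    keranger_check_files "${1:-$HOME/Library}" || status=1
    keranger_check_process || status=1
    [ "$status" -eq 0 ] && echo "No KeRanger indicators found."
    return $status
}

keranger_scan "$@"
```

Run it again after step 4 and a reboot; it should then report no indicators.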

For more details, see the Palo Alto Networks KeRanger write-up.