Apple Shuts Down “KeRanger” Mac OS X Ransomware

The first fully functional ransomware targeting Mac computers, called “KeRanger”, has been permanently shut down by Apple, TechCrunch is reporting. First reported by researchers at Palo Alto Networks, this ransomware can encrypt the data on a Mac so the user can no longer access it. The hackers then ask the user to pay them in a digital currency like Bitcoin in order to retrieve the files on the system.


The source notes that Apple has now “revoked the abused certificate” that was used in the attack. The Cupertino company has also updated its built-in anti-malware system XProtect with a new signature to protect customers from such ransomware. Ryan Olson, Director of Threat Intelligence at Palo Alto Networks, says that their quick action combined with Apple’s fast response has “greatly limited the impact of this threat”.

While Apple has not yet published any removal or support information regarding KeRanger, it has confirmed that the certificate has been pulled so no one can install the affected application.

According to Palo Alto Networks, attackers infected two installers of Transmission, an open-source BitTorrent client, with the malware, which would encrypt files and then demand a ransom of one bitcoin (around $400) to release the files back to the users’ control. The KeRanger application itself was signed with a valid Mac app development certificate, which is how it was able to skirt around Apple’s Gatekeeper protection mechanism. After being alerted to the threat on March 4, Apple acted quickly this weekend to revoke this certificate and update its antivirus signature, Palo Alto Networks said.

In addition, torrent app Transmission, which was itself a victim of the attack, has updated its website to advise users to upgrade to and run version 2.92.