First OS X Ransomware Spotted In Transmission BitTorrent Client Installer

Today’s article reads about the first OS X ransomware has been detected in the wild that will maliciously encrypt hard drives on intefected Macs. Found in a new version 2.92 of Transmission BitTorrent client and made available to download. That claims to actively remove the ‘KeyRanger’ malware files from the infected Mac system. What to do now, here’s how to fix?

Details on this regarding a notice that appeared on warning users that version 2.90 of the popular Mac BitTorrent client downloaded from their site may have been infected with malware. The warning reads:

Everyone running 2.90 on OS X should immediately upgrade to 2.91 or delete their copy of 2.90, as they may have downloaded a malware-infected file.

Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users//Library/kernel_service”. If so, the process is KeRanger’s main process. We suggest terminating it with “Quit -> Force Quit

Are you one of those OS X users had been hit with the first known case of Mac ‘ransomware’ marlware, spotted on the Transmission BitTorrent server released last week. Infected versions of the app include ‘KeyRanger’ virus that will maliciously encrypt the user’s hard drive after three days of being installed. Malware, that later on asks you for payment to allow the user to decrypt the disk and access their data – the ‘ransom’.

Reuters resports that the infected download contained the first and foremost ‘Ransomware’ found on the Mac platform, which is certainly a type of malware that encrypts a user’ hard drive and demands payment in order to unencrypt it. This typ of attacks been increasing popular on the PC, but this would be the first time it has been seen on a Mac computer.

Apple is aware of the issue and has already revoked “a digital certificate from a legitimate Apple developer that enabled the rogue software to install on Macs.” offers instructions on how to see you are affected (above). If you don’t use the Transmission software, there is nothing you need to do at this time.

To check whether your Mac infected with it:

The security researchers suggest checking for the existence of the file ‘/Applications/’ or ‘/Volumes/Transmission/ General.rtf’.

How to fix?

If this file exists, the Transmission app is likely infected. You can also check for the existence of “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” files in the ~/Library directory. Delete the files if they exist.

Stay tuned for an official fix from Apple itself. Or

Update: Technical details about the malware.

Update 2: says version 2.92 of Transmission will actively remove the malware.