
Apple Macs no longer immune to ransomware, but there is a (pre-emptive) fix


KeRanger ransomware on Mac OS X

The first confirmed case of ransomware on a Mac was detected four months ago, according to an early report by 9to5Mac. The malware, called “KeRanger”, was found in version 2.90 of the BitTorrent client “Transmission” available in the app store. It is designed to install itself within Mac OS X, and potentially even macOS Sierra (once released), and to trigger encryption of all files on the Mac’s local drives.

Just like on Windows PCs, the action is irreversible. Once the files are encrypted, there is no way to restore them, unless the requested ransom is paid in exchange for the encryption key.

It’s unclear what steps Apple has taken to curb the spread of KeRanger, or of any other variations that might already exist in the wild. As of version 2.92 of the Transmission app, however, the makers of the BitTorrent client have issued a warning to current users of Transmission 2.90, recommending an immediate upgrade to v2.91 or v2.92.

Those who suspect that KeRanger might be lurking in their systems are advised to check for any “kernel_service” processes running in Activity Monitor. If an instance of this service is detected, the makers of Transmission recommend a full system restore to a previous version of Mac OS X, created prior to installing Transmission 2.90.

Killing the kernel_service process in Activity Monitor (Quit > Force Quit) might temporarily disable the malware, but it is very likely to run again on reboot, which is why a complete system restore is highly recommended.
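The same check can be run from Terminal instead of Activity Monitor. The script below is an added example, not something published by Transmission or Apple: it matches the exact process name “kernel_service” and reads the installed Transmission version. The bundle path `/Applications/Transmission.app` and the sample process list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag the two indicators named in the article, a process
# called kernel_service and an installed copy of Transmission 2.90.

# Constructed sample of `ps -A -o pid= -o comm=` output (not real data).
SAMPLE_PS='  101 /sbin/launchd
  245 /private/tmp/example/kernel_service
  300 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
  412 /usr/libexec/kernel_service_helper'

# Read "PID COMMAND" lines on stdin and print those whose executable is named
# exactly kernel_service. macOS shows the full path in COMMAND, so only the
# part after the last "/" is compared; look-alike names do not match.
find_kernel_service() {
    awk '{
        pid = $1
        cmd = $0
        sub(/^[ \t]*[0-9]+[ \t]+/, "", cmd)   # drop PID column, keep spaces in paths
        name = cmd
        sub(/.*\//, "", name)                 # basename of the executable
        if (name == "kernel_service") print pid, cmd
    }'
}

# Succeed only for the release the article reports as carrying the malware.
is_affected_version() { [ "$1" = "2.90" ]; }

# Live check. The bundle path is an assumption (default install location).
scan_mac() {
    app="/Applications/Transmission.app"
    hits=$(ps -A -o pid= -o comm= | find_kernel_service)
    if [ -n "$hits" ]; then
        echo "WARNING: kernel_service is running:"; echo "$hits"
    else
        echo "No kernel_service process found."
    fi
    if [ -d "$app" ]; then
        ver=$(defaults read "$app/Contents/Info" CFBundleShortVersionString 2>/dev/null)
        if is_affected_version "$ver"; then
            echo "WARNING: Transmission $ver is installed."
        else
            echo "Transmission ${ver:-(unknown version)} is installed."
        fi
    fi
}

# Scan the live system on macOS; elsewhere, demonstrate on the sample.
if [ "$(uname)" = "Darwin" ]; then scan_mac
else printf '%s\n' "$SAMPLE_PS" | find_kernel_service; fi
```

A clean result only means the process is not running at that moment; it does not replace the restore advice above if Transmission 2.90 was ever installed.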

From what is known so far, KeRanger has been detected exclusively in Transmission 2.90, whose installation was blocked by Apple as soon as word of KeRanger was received.



