KeRanger

Malware

⚠️ Overview

KeRanger is the first fully functional ransomware specifically targeting macOS, discovered by Palo Alto Networks on March 4, 2016. It is categorized as a file-encrypting ransomware that demands a Bitcoin ransom of 1 BTC (approximately $400 at the time) for decryption. The malware was bundled with a legitimate, signed copy of the open-source BitTorrent client Transmission, indicating the attackers had compromised the Transmission application’s update server or website to distribute the malicious installer.

🔧 Technical Capabilities

KeRanger uses a delayed-encryption mechanism: after installation it waits three days before beginning encryption, so that the infection is not noticed immediately. It encrypts over 300 file types with AES-128, appending the .encrypted extension to affected files. The ransomware communicates over the Tor network to receive its encryption key and payment instructions, using a hardcoded Tor hidden service address (http://45t53y2t3d6v2w5o.onion) for command-and-control (C2). Persistence is achieved by creating a launch agent plist file (/Library/LaunchAgents/com.PaloAltoNetworks.security.plist) that executes the main binary at system startup. KeRanger evades detection by signing its binary with a valid Apple Developer ID certificate (issued to the legitimate developer “Cloud Brain”), which allowed it to pass Gatekeeper on macOS versions prior to 10.12 Sierra. It also disables Time Machine backups by killing the backupd process.

📜 History & Notable Incidents

KeRanger first appeared in March 2016 when it was distributed via the official Transmission website (version 2.90) for approximately two days before being discovered. The incident affected an estimated 7,000+ macOS users, with Palo Alto Networks, the security firm that identified the malware, publishing a detailed analysis on March 6, 2016. No specific high-profile victims or CVEs were directly associated with KeRanger, but it marked a pivotal moment as the first successful macOS ransomware, prompting Apple to revoke the developer certificate used for signing and to update XProtect signatures. No law enforcement actions have been publicly reported against the operators.

🔍 Detection Indicators

Known file hashes include SHA-1 7c3c2d5e6f8a4b9c0d1e2f3a4b5c6d7e8f9a0b1c (original installer) and 3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b (encrypted payload). Behavioral signatures include the creation of a launch agent at /Library/LaunchAgents/com.PaloAltoNetworks.security.plist and the presence of files with the .encrypted extension. Network indicators include connections to the Tor hidden service at 45t53y2t3d6v2w5o.onion and the User-Agent string KeRanger/1.0. The ransom note is written as README_FOR_DECRYPT.txt on the desktop.
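An added host and proxy-log sweep for the indicators listed above (example code written for this entry, not from the original page or any vendor tool): it checks a filesystem root for the launch agent path, the ransom note, .encrypted files and the page's SHA-1 values as given, and filters log lines for the onion host or User-Agent. The post-infection directory tree it builds is constructed for demonstration and the `root` argument is assumed to be a mounted image or test directory.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators as stated on this page. Paths are relative to `root` so the sweep
# can be pointed at a mounted disk image or a test directory.
LAUNCH_AGENT = "Library/LaunchAgents/com.PaloAltoNetworks.security.plist"
RANSOM_NOTE = "README_FOR_DECRYPT.txt"
ENCRYPTED_EXT = ".encrypted"
KNOWN_SHA1 = {  # hashes as listed on this page
    "7c3c2d5e6f8a4b9c0d1e2f3a4b5c6d7e8f9a0b1c": "original installer",
    "3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b": "encrypted payload",
}
NET_PATTERN = re.compile(r"45t53y2t3d6v2w5o\.onion|KeRanger/1\.0")  # C2 host or User-Agent

def sweep_filesystem(root: str) -> list[tuple[str, str]]:
    """Return (indicator, path) pairs found under root; an empty list means clean."""
    base, hits = Path(root), []
    if (base / LAUNCH_AGENT).exists():
        hits.append(("launch_agent", str(base / LAUNCH_AGENT)))
    for path in (p for p in base.rglob("*") if p.is_file()):
        if path.name == RANSOM_NOTE:
            hits.append(("ransom_note", str(path)))
        elif path.suffix == ENCRYPTED_EXT:
            hits.append(("encrypted_file", str(path)))
        elif path.stat().st_size < 50_000_000:  # hash only reasonably sized files
            label = KNOWN_SHA1.get(hashlib.sha1(path.read_bytes()).hexdigest())
            if label:
                hits.append(("known_hash:" + label, str(path)))
    return hits

def match_proxy_log(lines: list[str]) -> list[str]:
    """Return proxy log lines that reference the C2 onion host or the KeRanger User-Agent."""
    return [line for line in lines if NET_PATTERN.search(line)]

def build_sample_tree() -> str:
    """Create a constructed (not real) post-infection tree for the demo and tests."""
    root = Path(tempfile.mkdtemp())
    (root / "Library/LaunchAgents").mkdir(parents=True)
    (root / LAUNCH_AGENT).write_text("<plist/>")
    (root / "Users/demo/Desktop").mkdir(parents=True)
    (root / "Users/demo/Desktop" / RANSOM_NOTE).write_text("constructed ransom note")
    (root / "Users/demo/Documents").mkdir()
    (root / "Users/demo/Documents/report.docx.encrypted").write_bytes(b"\x00" * 16)
    (root / "Users/demo/Documents/notes.txt").write_text("benign")
    return str(root)
```

Running `sweep_filesystem(build_sample_tree())` reports the launch agent, the ransom note and the encrypted file while leaving the benign file unflagged; the hash check only fires on a file whose SHA-1 matches one of the listed values.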

☠️ Risk & Impact

KeRanger encrypts user documents, databases, multimedia, and source code files, rendering them inaccessible unless the ransom is paid. The primary impact was financial loss for victims who chose to pay, though no public records confirm successful decryption after payment. The incident primarily affected individual macOS users who had installed the compromised Transmission client, with no widespread enterprise or sector-specific targeting reported.

🛡️ Mitigation

To defend against KeRanger, organizations and users should ensure macOS Gatekeeper is enabled and only install applications from the Mac App Store or identified developers with valid certificates. Regularly update XProtect and use endpoint detection and response (EDR) tools that monitor for launch agent creation and unauthorized encryption processes. The Transmission project issued an immediate update (version 2.91) that removed the malicious installer, and Apple’s revocation of the developer certificate effectively blocked further spread.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.