{
	"id": "ddb7e10b-5d14-4ba4-b07c-c2e9bad8146e",
	"created_at": "2026-04-06T00:08:54.962739Z",
	"updated_at": "2026-04-10T03:21:34.485308Z",
	"deleted_at": null,
	"sha1_hash": "cc8e1df492356f5dd41bd912a52c29dd21b95764",
	"title": "New OS X Ransomware KeRanger Infected Transmission BitTorrent Client Installer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1063677,
	"plain_text": "New OS X Ransomware KeRanger Infected Transmission\r\nBitTorrent Client Installer\r\nBy Claud Xiao\r\nPublished: 2016-03-06 · Archived: 2026-04-05 14:45:55 UTC\r\nOn March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware,\r\njust a few hours after installers were initially posted. We have named this Ransomware “KeRanger.” The only\r\nprevious ransomware for OS X we are aware of is FileCoder, discovered by Kaspersky Lab in 2014. As FileCoder\r\nwas incomplete at the time of its discovery, we believe KeRanger is the first fully functional ransomware seen on\r\nthe OS X platform.\r\nAttackers infected two installers of Transmission version 2.90 with KeRanger on the morning of March 4. When\r\nwe identified the issue, the infected DMG files were still available for downloading from the Transmission site\r\n(hxxps://download.transmissionbt.com/files/Transmission-2.90[.]dmg) Transmission is an open source project. It’s\r\npossible that Transmission’s official website was compromised and the files were replaced by re-compiled\r\nmalicious versions, but we can’t confirm how this infection occurred.\r\nFigure 1 KeRanger hosted in Transmission's official website\r\nThe KeRanger application was signed with a valid Mac app development certificate; therefore, it was able to\r\nbypass Apple’s Gatekeeper protection. If a user installs the infected apps, an embedded executable file is run on\r\nthe system. KeRanger then waits for for three days before connecting with command and control (C2) servers over\r\nthe Tor anonymizer network. The malware then begins encrypting certain types of document and data files on the\r\nsystem. After completing the encryption process, KeRanger demands that victims pay one bitcoin (about $400) to\r\na specific address to retrieve their files. 
Additionally, KeRanger appears to still be under active development and it\r\nseems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering\r\ntheir backup data.\r\nhttp://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/\r\nPage 1 of 8\n\nPalo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple\r\nhas since revoked the abused certificate and updated its XProtect antivirus signatures, and the Transmission Project has\r\nremoved the malicious installers from its website. Palo Alto Networks has also updated URL filtering and Threat\r\nPrevention to stop KeRanger from impacting systems.\r\nTechnical Analysis\r\nThe two KeRanger-infected Transmission installers were signed with a legitimate certificate issued by Apple. The\r\ndeveloper listed for this certificate is a Turkish company with the ID Z7276PX673, which is different from the\r\ndeveloper ID used to sign previous versions of the Transmission installer. In the code signing information, we\r\nfound that these installers were generated and signed on the morning of March 4.\r\nFigure 2 Code signing information of KeRanger\r\nThe KeRanger-infected Transmission installers include an extra file named General.rtf in the\r\nTransmission.app/Contents/Resources directory. It uses an icon that looks like a normal RTF file but is actually a\r\nMach-O format executable packed with UPX 3.91. 
When users click these infected apps, their bundle\r\nexecutable Transmission.app/Contents/MacOS/Transmission will copy this General.rtf file to\r\n~/Library/kernel_service and execute this “kernel_service” before any user interface appears.\r\nFigure 3 The malicious executable pretends to be an RTF document\r\nFigure 4 KeRanger executes the extra General.rtf file\r\nAfter unpacking General.rtf with UPX, we determined that its main behavior is to encrypt the user’s files and\r\nhold them for ransom.\r\nThe first time it executes, KeRanger will create three files, “.kernel_pid”, “.kernel_time” and “.kernel_complete”,\r\nunder the ~/Library directory and write the current time to “.kernel_time”. It will then sleep for three days. Note that\r\nin a different KeRanger sample we discovered, the malware also sleeps for three days but additionally makes requests\r\nto the C2 server every five minutes.\r\nFigure 5 KeRanger sleeps for three days before fully executing\r\nGeneral.rtf collects the infected Mac’s model name and UUID and uploads the information to one of its C2\r\nservers. 
These servers’ domains are all sub-domains of onion[.]link or onion[.]nu, two domains that host servers\r\nonly accessible over the Tor network.\r\nThe executable will keep trying to connect with the C2 server until it responds with two lines of encoded data.\r\nAfter decoding these two lines using Base64, the first line contains an RSA public key and the second line is\r\nwritten to files named “README_FOR_DECRYPT.txt.”\r\nFigure 6 Connect with C2 server and get instructions\r\nWhen we were analyzing the samples, the C2 server returned the data for README_FOR_DECRYPT.txt\r\nshown in the following picture. It asks victims to pay exactly one bitcoin (currently around $400) through a specific\r\nTor network website to decrypt the files. The website then guides victims to buy a bitcoin from somewhere\r\nelse and transfer it to the attacker at the address “1PGAUBqHNcwSHYKnpHgzCrPkyxNxvsmEof”.\r\nFigure 7 README file asks the victim to pay bitcoin\r\nFigure 8 Tor website to transfer bitcoin and get decryption pack\r\nAfter connecting to the C2 server and retrieving an encryption key, the executable will traverse the “/Users” and\r\n“/Volumes” directories, encrypt all files under “/Users”, and encrypt all files under “/Volumes” which have certain\r\nfile extensions.\r\nThere are 300 different extensions specified by the malware, including:\r\nDocuments: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls,\r\n.xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex\r\nImages: .jpg, .jpeg\r\nAudio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac\r\nArchives: .zip, .rar, .tar, .gzip\r\nSource code: .cpp, .asp, .csh, .class, .java, 
.lua\r\nDatabase: .db, .sql\r\nEmail: .eml\r\nCertificate: .pem\r\nFigure 9 Encrypt all files under \"/Users\" and all specific files under \"/Volumes\"\r\nKeRanger statically links an open source encryption library named mbed TLS (formerly PolarSSL).\r\nWhen KeRanger encrypts a file (e.g. Test.docx), it starts by creating an encrypted version that uses the .encrypted\r\nextension (e.g. Test.docx.encrypted). To encrypt each file, KeRanger starts by generating a random number (RN)\r\nand encrypts the RN with the RSA key retrieved from the C2 server using the RSA algorithm. It then stores the\r\nencrypted RN at the beginning of the resulting file. Next, it will generate an Initialization Vector (IV) using the\r\noriginal file’s contents and store the IV inside the resulting file. After that, it will mix the RN and the IV to\r\ngenerate an AES encryption key. Finally, it will use this AES key to encrypt the contents of the original file and write all\r\nencrypted data to the resulting file.\r\nFigure 10 Encrypt each file’s content by AES\r\nIn addition to this behavior, it seems that KeRanger is still under development. There are functions\r\nnamed “_create_tcp_socket”, “_execute_cmd” and “_encrypt_timemachine”. Some of them have been finished\r\nbut are not used in current samples. Our analysis suggests the attacker may be trying to develop backdoor\r\nfunctionality and encrypt Time Machine backup files as well. If these backup files are encrypted, victims would\r\nnot be able to recover their damaged files using Time Machine.\r\nFigure 11 Function \"_encrypt_timemachine\" is implemented but not used yet\r\nMitigations\r\nWe reported the issue to the Transmission Project and to Apple immediately after we identified it. 
Apple has since\r\nrevoked the abused certificate, and Gatekeeper will now block the malicious installers. Apple has also updated\r\nXProtect signatures to cover the family, and the signature has now been automatically pushed to all Mac\r\ncomputers. As of March 5, the Transmission Project has removed the malicious installers from its website.\r\nWe have also updated URL filtering and Threat Prevention to stop KeRanger from impacting Palo Alto Networks\r\ncustomers.\r\nHow to Protect Yourself\r\nUsers who directly downloaded the Transmission installer from the official website after 11:00am PST, March 4,\r\n2016 and before 7:00pm PST, March 5, 2016, may have been infected by KeRanger. If the Transmission installer\r\nwas downloaded earlier or downloaded from any third party website, we also suggest users perform the following\r\nsecurity checks. Users of older versions of Transmission do not appear to be affected as of now.\r\nWe suggest users take the following steps to identify and remove KeRanger before it holds their files for ransom:\r\n1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/\r\nGeneral.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either of\r\nthese exists, the Transmission application is infected and we suggest deleting this version of Transmission.\r\n2. Using “Activity Monitor”, preinstalled in OS X, check whether any process named “kernel_service” is\r\nrunning. If so, double check the process, choose “Open Files and Ports” and check whether there is a\r\nfile name like “/Users/\u003cusername\u003e/Library/kernel_service” (Figure 12). If so, the process is KeRanger’s\r\nmain process. We suggest terminating it with “Quit -\u003e Force Quit”.\r\n3. After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”,\r\n“.kernel_complete” or “kernel_service” exist in the ~/Library directory. 
If so, you should delete them.\r\nFigure 12 The malicious \"kernel_service\" process\r\nSince Apple has revoked the abused certificate and has updated XProtect signatures, if a user tries to open a\r\nknown infected version of Transmission, a warning dialog will be shown that states “Transmission.app will\r\ndamage your computer. You should move it to the Trash.” or “Transmission can’t be opened. You should eject the\r\ndisk image.” If you see these warnings, we suggest following Apple’s instructions to avoid being\r\naffected.\r\nFigure 13 OS X prevents the user from opening the infected installer\r\nAcknowledgements\r\nWe greatly thank Yi Ren, Yuchen Zhou, Jack Wang and Jun Wang from Palo Alto Networks for helping to analyze\r\nKeRanger and protect our customers in a timely fashion. Thanks to Richard Wartell, Ryan Olson and Chad\r\nBerndtson from Palo Alto Networks for their assistance during the analysis and reporting.\r\nIOCs\r\nSamples of Ransomware.OSX.KeRanger\r\nd1ac55a4e610380f0ab239fcc1c5f5a42722e8ee1554cba8074bbae4a5f6dbe1 Transmission-2.90.dmg\r\ne3ad733cea9eba29e86610050c1a15592e6c77820927b9edeb77310975393574 Transmission\r\n31b6adb633cff2a0f34cefd2a218097f3a9a8176c9363cc70fe41fe02af810b9 General.rtf\r\nd7d765b1ddd235a57a2d13bd065f293a7469594c7e13ea7700e55501206a09b5 Transmission-2.90.dmg\r\nddc3dbee2a8ea9d8ed93f0843400653a89350612f2914868485476a847c6484a Transmission\r\n6061a554f5997a43c91f49f8aaf40c80a3f547fc6187bee57cd5573641fcf153 
General.rtf\r\nDomains\r\nlclebb6kvohlkcml.onion[.]link\r\nlclebb6kvohlkcml.onion[.]nu\r\nbmacyzmea723xyaz.onion[.]link\r\nbmacyzmea723xyaz.onion[.]nu\r\nnejdtkok7oz5kjoc.onion[.]link\r\nnejdtkok7oz5kjoc.onion[.]nu\r\nSource: http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/"
	],
	"report_names": [
		"new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer"
	],
	"threat_actors": [],
	"ts_created_at": 1775434134,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc8e1df492356f5dd41bd912a52c29dd21b95764.pdf",
		"text": "https://archive.orkl.eu/cc8e1df492356f5dd41bd912a52c29dd21b95764.txt",
		"img": "https://archive.orkl.eu/cc8e1df492356f5dd41bd912a52c29dd21b95764.jpg"
	}
}