Our Latest News

Protect Your Mac from Ke Ranger Ransomware Attacks: Here’s How

April 10, 2017

Ransomware is a powerful malware that can impact even the most secure IT systems and is a nuisance for app developers, system administrators, and users. Ransomware can encrypt or lock files that are stored on your Mac and demand ransom to decrypt or unlock the files. There are several versions of the malware that can cause varying levels of damage to Mac systems, from simple files to master file tables, and eventually the hard drive. One advanced ransomware is KE Ranger that forces Mac users to pay heavily for the decryption key to unlock the affected files. To protect your Mac against ransomware or remove it before it encrypts your files, you need a top anti-ransomware and MacBook cleaner app. iDoctor combines both utilities in one easy-to-use and affordable package.

Let us take a closer look at the ransomware and see how to protect your MacBooks.

What Is Ke Ranger?

Ke Ranger was the first operational, advanced ransomware to impact MacBooks. The malware code first appeared on a 2.90 version of Transmission, a Bittorrent client for OSX. It encrypts the hard drives of affected Macs and denies file access for the users. The victim is then asked to pay a ransom (approximately  $400, payable as one Bitcoin) to unlock the system and its files.


During the first execution, Ke Ranger creates three files: “.kernel_time”, “.kernel_pid”, and “.kernel_complete”, under the /Library path in the Mac’s system directory. The ransomware also rewrites the current time to “.kernel_time”, after which it goes dormant for three days. Subsequently, the malware collects system information of the Mac, including the model name and the UUID, while uploading the same to its Command and Control servers (whose domains are the subdomains of onion[.]nu or onion[.]link). After the three-day period, the ransomware also reconnects with the Command and Control servers and returns the data as a "README_FOR_DECRYPT.txt" file. It also displays a message that all files on the Mac have been encrypted.

Checking for Infection

  • If you have recently downloaded the 2.90 version of Transmission, look for files with the names “Applications/Transmission.app/Contents/Resources/General.rtf" or "/Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf". These files are infected, and you must delete the Transmission app immediately.

  • Use the Activity Monitor to check whether any activity named kernel_service is running. If  there is an activity with such name, select Open Files and Ports to look for files with the name "/Users//Library/kernel_service". You must delete any such files immediately.

  • Delete files with the names .kernel_pid, .kernel_time, .kernel_complete, or kernel_service  from the ~/Library directory.

iDoctor Can Help Avoid the Risk

Ke Ranger is a fairly new threat to Mac users, and researchers are yet to come up with a concrete solution. When the files are affected, it becomes very very difficult to decrypt them. As a safe practice, always use genuine software for your Mac, preferably from the App Store. Download the iDoctor app to get protection from all known malware and free up disk space on your Mac OS X. The MacBook cleaner app is not only effective, but also simple to use, and it completely protects all files on your Mac from ransomware, including KE Ranger. To connect with our technical experts, download and execute our iDoctor Remote Support Tool or fill out our contact form.

Recent posts