KeRanger Ransomware - How To Remove?

 

KeRanger Ransomware is a newly detected infection that attacks Mac users running OS X. It is the first fully functional ransomware that affects the OS X platform. The program infiltrates computers through infected apps. Once inside, KeRanger Ransomware waits for 3 days and then connects to command and control (C2) servers over the Tor network. Then it starts locking certain types of files on your system. Once it's done, the application displays a warning on the infected system, demanding payment of 1 Bitcoin, which is around $400, if the user wants to get the files back. Here is what the message looks like:

Your computer has been locked and all your files has been encrypted with 2048-bit RSA encryption.
Instruction for decrypt:

1. Go to http://fiwf4kwysm44dpw5l.onion.to ( IF NOT WORKING JUST DOWNLOAD TOR BROWSER AND OPEN THIS LINK: http://fiwf4kwysm44dpw5l.onion.to
2. Use ****** as your ID for authentication
3. Pay 1 BTC (~407.47$) for decryption pack using bitcoins (wallet is your ID for authentication)
4. Download decrypt pack and run.

–→ Also at http://fiwf4kwysm44dpw5l.onion.to you can decrypt 1 files for FREE to make sure decryption is working.

Also we have ticket system inside, so if you have any questions – you are welcome.
We will answer only if you are able to pay and you have serious question.

IMPORTANT: WE ARE ACCEPT ONLY(!!) BITCOINS
HOW TO BUY BITCOINS:
http://localbitcoins.com/guides/how-to-buy-bitcoins
http://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)

We do not recommend following its instructions, because there is no guarantee that KeRanger Ransomware will provide a legitimate decryption key. You are better off trying to recover your files from a backup, if you have one. The bad news is that KeRanger is still under development and tries to prevent victims from recovering their backup data by attempting to encrypt Time Machine backup files too. So soon you may not even be able to recover your files from a backup.

The issue was reported to Apple and the Transmission Project on March 4. Since then, Apple has updated its XProtect antivirus signatures, while the Transmission Project has removed the malicious installers from its website.

Update: the decrypter is now available here: link. You can download it for free and decrypt your files.
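To find which machines on a network have looked up the payment site named in the ransom note, DNS or proxy logs can be searched for that host. The Python script below is an added example, not part of the original article; the log layout and the sample lines are constructed, and the generic onion-gateway pattern is an assumption that goes beyond the single host shown in the note.

```python
import re
from collections import defaultdict

# Host taken from the ransom note quoted on this page.
NOTE_HOST = "fiwf4kwysm44dpw5l.onion.to"
# Assumed generic shape of an onion service reached through a clearnet gateway:
# <base32 label>.onion.<gateway suffix>
GATEWAY_RE = re.compile(r"^(?:[a-z0-9-]+\.)*[a-z2-7]{16,56}\.onion\.[a-z0-9.-]+$")

# Constructed sample log. The "timestamp client query-name" layout is assumed.
SAMPLE_LOG = """\
2016-03-07T09:14:02Z 10.0.4.21 www.apple.com
2016-03-07T09:15:40Z 10.0.4.21 FIWF4KWYSM44DPW5L.onion.to.
2016-03-07T09:16:11Z 10.0.4.35 abcdefghijklmnop.onion.example
2016-03-07T09:17:03Z 10.0.4.35 onion.to.shop.example
2016-03-07T09:17:30Z truncated-line
2016-03-07T09:18:44Z 10.0.4.21 fiwf4kwysm44dpw5l.onion.to
"""

def classify(qname):
    """Return a verdict string for a queried name, or None if not of interest."""
    # DNS names are case-insensitive and may carry a trailing root dot.
    name = qname.strip().rstrip(".").lower()
    if name == NOTE_HOST or name.endswith("." + NOTE_HOST):
        return "keranger-note-host"
    if GATEWAY_RE.match(name):
        return "onion-gateway"
    return None

def scan(log_text):
    """Group suspicious lookups by client address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or truncated lines
        timestamp, client, qname = parts
        verdict = classify(qname)
        if verdict:
            hits[client].append((timestamp, verdict))
    return dict(hits)

if __name__ == "__main__":
    for client, events in sorted(scan(SAMPLE_LOG).items()):
        for timestamp, verdict in events:
            print(f"{client}\t{timestamp}\t{verdict}")
```

A hit on the note host means someone on that machine opened the payment page, so the machine should be checked for encrypted files and its backups protected.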

Manual removal

 

Important Note: Although it is possible to manually remove KeRanger Ransomware, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Reimage or other tools found on 2-viruses.com.


About the author

 - Main Editor
I started 2-viruses.com in 2007 after wanting to be more or less independent from any single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.
 
March 7, 2016 05:05, March 14, 2017 05:55
   
 
