halfgalactic

Q: I don't have Transmission, but I do have KeRanger. Help!!

Hello, Apple Support Community -

 

I have never even heard of the application 'Transmission,' and I certainly haven't used any form of torrent service or client (to my knowledge) in the last two or three months. However, today, while trying to import songs into my iTunes library, I see that my computer appears to be infected with the KeRanger malware virus. Everything is encrypted!

 

I am concerned that this may represent a new vulnerability, which is why I'm here. It looks like my computer became infected on March 9th (which may have been the last time that I turned it on?).

 

Now, I hope that you will understand: I'm not terribly tech savvy. But I need help! What should I do? Should I try to restore to an earlier version of my computer with Time Machine?

I have a lot of intellectual property that I can't afford to lose. I also can't afford to pay the decryption fee . . .

Thank you for your time, and for your understanding.

Posted on Apr 22, 2016 2:50 PM


  • by Kurt Lang,

    Kurt Lang, Level 8 (37,659 points), Apr 22, 2016 3:09 PM in response to halfgalactic

    Your issue is likely the same as this topic:


    Cryptowall (Help_Decrypt virus) in iCloud


    A Windows computer on your network is infected and it was allowed access to your Mac in some way. Your very first step is to find out what Windows computer on your network is infected, erase the drive and reinstall everything from scratch. This device needs to be cleaned first or it will simply continue to affect other computers on the network.

     

    Without a backup to restore your data, you will either have to cough up the ransom fee (and hope it works), or call them a loss. One thing for sure, DO NOT turn on your TM drive until you have booted into Recovery Mode (restart and hold down Command+R).

     

    1) Restart in Safe Mode by restarting and holding the Shift key. Copy all unencrypted data you know doesn't exist on your backup to a flash drive, or other external source (not your TM partition). The same goes for non-backed-up data that is encrypted and that you need to somehow salvage. You may never get it back, but at least you'll have it for an attempt at some future point.

     

    2) Restart again in Recovery Mode. Choose to erase the main startup drive, then reinstall OS X. Merge in your Time Machine backup at a date before the infection.
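    As an added example for step 1 above (this is not code from the thread or from any of its posters), a small Python triage script: it walks a folder, skips files untouched since the assumed infection date, and splits the rest by the byte entropy of their first 4 KiB, so the files that still look readable can be copied off first. The infection date (taken from the question), the entropy threshold and the constructed sample files are assumptions.

```python
import math
import tempfile
from datetime import datetime
from pathlib import Path

# Assumed infection date, taken from the question (March 9, 2016).
INFECTION_DATE = datetime(2016, 3, 9)
# Entropy (bits per byte over the first 4 KiB) at or above this is treated as
# "looks encrypted". Already-compressed media (MP3, JPEG, ZIP) also scores this
# high, so the encrypted list is a hint for manual review, not a verdict.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0.0 for an empty sample)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(root, cutoff=INFECTION_DATE, threshold=ENTROPY_THRESHOLD):
    """Return (likely_plain, likely_encrypted) as sorted path strings.
    Files last modified before the cutoff are skipped: the backup holds those."""
    plain, encrypted = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if datetime.fromtimestamp(path.stat().st_mtime) < cutoff:
            continue
        with path.open("rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
        bucket = encrypted if shannon_entropy(sample) >= threshold else plain
        bucket.append(str(path))
    return sorted(plain), sorted(encrypted)


def demo():
    """Constructed sample tree: one text file, one stand-in for a ciphertext."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_text("song list and lyrics\n" * 200)
    (root / "thesis.docx").write_bytes(bytes(range(256)) * 16)  # uniform bytes
    plain, encrypted = triage(root)
    return [Path(p).name for p in plain], [Path(p).name for p in encrypted]
```

    Run `triage("/Users/<name>")` from Safe Mode against the home folder and copy the "plain" list to the external drive first; anything in the "encrypted" list still needs a look by eye.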

  • by halfgalactic,

    halfgalactic, Level 1 (4 points), Mac OS X, Apr 22, 2016 3:13 PM in response to Kurt Lang

    Hi there,

    Thank you for your response!

    As far as I knew, I wasn't on a network at all. Is there a way that I might be connected to a network without my knowing? No one in my household owns or uses a PC computer, and we haven't had any visitors who use one, either.

     

    I am guessing that 'TM' stands for Time Machine.

  • by Kurt Lang,

    Kurt Lang, Level 8 (37,659 points), Apr 22, 2016 3:36 PM in response to halfgalactic

    Yes, TM = Time Machine.

     

    Goofed a bit. KeRanger is Mac ransomware, so Windows isn't a part of this issue. Unfortunately, such malware isn't limited to one type of software. It could have come from any number of sources, legal or illegal. For example, anyone else with access to that Mac may have installed the Trojan version of Transmission and then removed it so you wouldn't know it had been installed. Or, illegal software carrying the ransomware was installed and, again, removed to cover the tracks of the person who used your Mac for a moment, but left behind the KeRanger payload.

     

    KeRanger is still rare, but of course not impossible to get. Your only real solution that doesn't include paying the extortion fee is to erase the drive and restore your Mac to a point before the infection. If any of the previous paragraph turns out to be true, you may not even know when that point is. So then what you need to do is erase the drive, reinstall OS X, reinstall your third party apps ONLY from clean sources, and then MANUALLY pull your unencrypted data back from the TM backup. Do not pull anything else back from TM, or allow OS X to merge it back in.

  • by Eric Root,

    Eric Root, Level 9 (69,640 points), iTunes, Apr 23, 2016 10:24 AM in response to halfgalactic