Ransomware Research

KeRanger Ransomware

KeRanger is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. First observed in the wild on March 1, 2016, this ransomware has been actively targeting systems worldwide.

Quick Facts

Ransomware Family: KeRanger
First Seen: March 1, 2016

How KeRanger Ransomware Works

Targeted Files

For macOS

File Encryption Patterns

KeRanger modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

.encrypted

Ransom Note and Payment Demands

After encrypting files, KeRanger displays ransom notes demanding payment for file recovery:

README_FOR_DECRYPT.txt

Ransom message:

notes/README_FOR_DECRYPT.txt

Technical Indicators

Associated Executable Files

The following executable files are associated with KeRanger ransomware:


About This Analysis

This KeRanger ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like KeRanger.

Last updated: July 30, 2025