How to Remove Ransomware from Mac (Instructions)

How to Remove Ransomware from Mac

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)

What is a ransomware infection? How to remove a ransomware virus from Mac? Can ransomware infect a Mac? How to stop ransomware on Mac?

A ransomware virus is the type of virus that encrypts your files or denies access to your computer, until you pay ransom.Ransomware viruses are not showing any sign of slowing down. If there is something that they are showing is more variants in terms of variety an more operating systems to which they are spread. In this article we will explain more about ransomware viruses on Mac and how you can remove them and prevent any damage to your files.

Threat Summary

NameMac Ransomware
TypeRansomware for Mac OS
Short DescriptionAims to encrypt the important files on your Mac and ask you to pay ransom to get the encrypted files to work.
SymptomsFiles are encrypted and cannot be opened. A ransom note may appear as a text file or a wallpaper.
Distribution MethodVia spam e-mails, fake apps or malicious links and files on shady sites.
Detection Tool See If Your System Has Been Affected by Mac Ransomware


Combo Cleaner

User ExperienceJoin Our Forum to Discuss Mac Ransomware.

Ransomware for Mac – How Did I Get It and What Does It Do?

As interesting as it may seem, Ransomware viruses for Mac are not something new. The distant 2016 gave birth of the KeRanger ransomware virus for Mac – a dangerous cryptovirus that encrypted files and held them hostage. The virus used to spread and infect Macs by exploiting a security certificate in Mac OS’s GateKeeper. The virus was luckily contained and for now things seem normal about this ransomware family.

When it comes to how ransomware for Mac infects, the main method is via hacked website, like the previously used by KeRanger ransomware “” site. It was hacked and the download for the Transmission torrent client was replaced with the virus file of KeRanger, containing the ransomware virus In it. Another method via which you could also become a victim of a ransomware virus is if you happen to download the virus file from an e-mail sent to you. Usually, some ransoware viruses tend to replicate e-mail attachments that are legitimate and important documents, like receipts, invoices and other e-mails of such form. Those e-mails are carefully masked, like the example of a virus e-mail shown below:

Once you become a victim of a ransomware virus, the following files on your Mac could be endangered:

Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex
Images: .jpg, .jpeg,
Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac
Archives: .zip, .rar., .tar, .gzip
Source code: .cpp, .asp, .csh, .class, .java, .lua
Database: .db, .sql
Email: .eml
Certificate: .pem

The encryption process may be of different encryption algorithms, like the following:

  • AES (Advanced Encryption Standard).
  • Salsa20.
  • RSA (Rivest-Shamir Adleman).
  • EDA.
  • CBC mode.

After encryption, the ransomware virus may add a ransom note, where the criminals usually request a ransom to be paid to get the files back. The ransom is usually paid in BitCoin and can vary from hundreds of dollars to thousands.

Remove Ransomware from Your Mac

Unlike Windows operating system, ransomware for Mac may be a bit trickier for removal. Some viruses, like the Padlock ransomware for Mac aim to lock your entire screen, preventing you from even accessing your Mac. For those cases, it is required to do the fixes we have provided in the instructions below in Safe Mode on Mac. To boot your Mac In Safe Mode, folow these steps:

Step 1: Start or reset your Mac device and then hold the SHIFT key. The Apple logo shall appear on your display.
Step 2: You will see a login Window. When you see it, release the SHIFT key and you are done. You might be asked to enter your username and password for verification.

In addition to those steps, you could also additionally apply the following fixes to your Mac:

1. Using either Terminal or Finder, check whether /Applications/ General.rtf or /Volumes/Transmission/ General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
2. Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users//Library/kernel_service”. If so, the process is the ransomware virus’s main process. We suggest terminating it with “Quit -> Force Quit”.
3. After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in ~/Library directory. If so, you should delete them.

For maximum effectiveness, we recommend scanning your Mac with a professional anti-malware program, besides doing the fixes below. Such specific program will effectively make sure to detect and remove any viruses from your Mac and locate and eliminate all of the malicious components safely.

And when it comes to your files, we suggest to back them up and look for an update of your virus from researchers in the future. In the meantime you could try using Data Recovery or other types of damage control programs.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share