Blog | G5 Cyber Security

RansomWhere? Generic OS X Ransomware Detection

RansomWhere? is a generic ransomware detector for OS X. The utility monitors home directories on OS X machines for untrusted processes that are encrypting files. When it finds one, it presents the user with an alert and waits for the user to decide whether to allow or terminate the process. KeRanger was signed with a legitimate Apple developer ID certificate that passed it off as a legitimate application. The tool also trusts binaries signed by Apple and will not detect infections via injection into a signed binary.

Source: https://threatpost.com/generic-ransomware-detection-comes-to-os-x/117534/
