KeRanger isn’t the first malware for OS X, but it’s annoying and inconvenient, as most ransomware is. I wrote this little script to check for KeRanger and remove it if found on your OS X machine. Read and understand the script before you run it, as you should with any code you execute on your system. This comes with no guarantees or warranties — just high-fives. Also on GitHub. This only works BEFORE the lockout.
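#!/bin/bash
#
# @dustyfresh
#
# March 2016
#
# Checks for the KeRanger-infected Transmission app and removes it if found.

# General.rtf in either the installed app or the mounted disk image marks an
# infected copy, so the machine is only clean when BOTH files are absent.
if [[ ! -e "/Applications/Transmission.app/Contents/Resources/General.rtf" && ! -e "/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" ]]; then
    echo "Yay. This machine is not infected."
else
    echo "Infected -- we are going to need your password so we can remove KeRanger from your system."
    echo "Would you like to proceed with removing malware? (y/n)"
    read -r answer
    if [[ $answer == "y" ]]; then
        echo "Removing KeRanger....."
        # Stop the running malware process before deleting its files
        sudo pkill -f 'kernel_service' &>/dev/null
        # Remove the infected application bundle
        for f in /Users/Library/kernel_service /Applications/Transmission.app; do
            sudo rm -rf "$f"
        done
        # Remove the per-user files, including the kernel_service binary
        # that KeRanger drops in ~/Library
        for f in ~/Library/kernel_service ~/Library/.kernel_pid ~/Library/.kernel_time ~/Library/.kernel_complete ~/.kernel_service; do
            rm -rf "$f"
        done
        echo "Removed. We recommend that you reboot. Would you like to reboot now?"
        read -r reboot_answer
        if [[ $reboot_answer == "y" ]]; then
            sudo reboot
        else
            # Removal already succeeded; skipping the reboot is not an error
            exit 0
        fi
    else
        # User declined removal; the machine is still infected
        exit 1
    fi
fi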