KeRanger isn’t the first malware for OS X, but it’s annoying and inconvenient, as most ransomware is. I wrote this little script to check for KeRanger and remove it if found on your OS X machine. Read and understand the script before you run it, as you should with any code you execute on your system. This comes with no guarantee or warranties — just high-fives. Also on GitHub. This only works BEFORE the lockout.
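```bash
#!/bin/bash
#
# @dustyfresh
#
# March 2016
#

# The script treats General.rtf inside the Transmission bundle as the
# infection marker, in the installed app or on a mounted disk image.
app_marker="/Applications/Transmission.app/Contents/Resources/General.rtf"
dmg_marker="/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"

# Clean only when the marker is absent from BOTH locations. (With "||" the
# check reported "not infected" whenever either path was missing, which
# hides an infected install when no disk image is mounted.)
if [[ ! -e "$app_marker" && ! -e "$dmg_marker" ]]; then
    echo "Yay. This machine is not infected."
else
    echo "Infected -- we are going to need your password so we can remove KeRanger from your system."
    echo "Would you like to proceed with removing malware? (y/n)"
    read -r answer
    if [[ "$answer" == "y" ]]; then
        echo "Removing KeRanger....."
        # Stop the running malware process before deleting its files.
        sudo pkill -f 'kernel_service' &>/dev/null
        # Paths that need root to remove. Quote "$f" so a path is never word-split.
        for f in /Users/Library/kernel_service /Applications/Transmission.app; do
            sudo rm -rf "$f"
        done
        # Per-user state files, removable without sudo.
        for f in ~/Library/.kernel_pid ~/Library/.kernel_time ~/Library/.kernel_complete ~/.kernel_service; do
            rm -rf "$f"
        done
        echo "Removed. We recommend that you reboot. Would you like to reboot now?"
        read -r reboot_answer
        if [[ "$reboot_answer" == "y" ]]; then
            sudo reboot
        else
            exit 1
        fi
    else
        exit 1
    fi
fi
```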