KeRanger ransomware removal script for OSX
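#!/bin/bash
#
# @dustyfresh
#
# March 2016
#
# KeRanger removal helper for OS X.
#
# Detection: the machine is treated as infected when the General.rtf marker
# is present inside EITHER Transmission.app copy checked below (the installed
# app or the mounted disk image). Cleanup kills the kernel_service process and
# deletes the artifacts listed further down. It does not restore any files and
# cannot delete the copy on a mounted disk image.
#
# Exit status: 1 when the user declines removal or declines the reboot
# (preserved from the original script); 0 when no marker is found.

readonly APP_MARKER="/Applications/Transmission.app/Contents/Resources/General.rtf"
readonly VOLUME_MARKER="/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"

#######################################
# Report whether any of the given marker paths exists.
# Arguments: $@ - paths to test
# Returns:   0 if at least one path exists, 1 otherwise
#######################################
keranger_marker_present() {
  local marker
  for marker in "$@"; do
    if [[ -e "$marker" ]]; then
      return 0
    fi
  done
  return 1
}

# The original test reported "not infected" as soon as ONE marker was missing,
# so an installed infected app went undetected unless the disk image was also
# mounted. Either marker on its own is enough to flag the machine.
if ! keranger_marker_present "$APP_MARKER" "$VOLUME_MARKER"; then
  echo "Yay. This machine is not infected."
else
  echo "Infected :( We are going to need your password so we can remove KeRanger from your system."
  echo "Would you like to proceed with removing malware? (y/n)"
  read -r answer
  if [[ "$answer" == "y" ]]; then
    echo "Removing KeRanger....."

    # -f matches against the full command line, so any process whose arguments
    # contain "kernel_service" is signalled as well. Output is discarded
    # because pkill exits non-zero when nothing matched.
    sudo pkill -f 'kernel_service' &>/dev/null

    # NOTE(review): /Users/Library/kernel_service has no user-name component,
    # unlike the per-user artifacts below; confirm the intended location
    # against the vendor advisory before relying on this cleanup.
    root_artifacts=(/Users/Library/kernel_service /Applications/Transmission.app)
    for f in "${root_artifacts[@]}"; do
      sudo rm -rf -- "$f"
    done

    user_artifacts=(
      ~/Library/.kernel_pid
      ~/Library/.kernel_time
      ~/Library/.kernel_complete
      ~/.kernel_service
    )
    for f in "${user_artifacts[@]}"; do
      rm -rf -- "$f"
    done

    # Nothing above touches /Volumes/Transmission, so a mounted image that
    # carries the marker is still there and could be reinstalled from.
    if [[ -e "$VOLUME_MARKER" ]]; then
      echo "The disk image mounted at /Volumes/Transmission still contains the infected app. Eject it and delete the downloaded image."
    fi

    echo "Removed. We recommend that you reboot. Would you like to reboot now?"
    read -r reboot_answer
    if [[ "$reboot_answer" == "y" ]]; then
      sudo reboot
    else
      exit 1
    fi
  else
    exit 1
  fi
fi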