Ransomware on OSx 10.12 (sierra)

Discussion in 'Mac / Hackintosh' started by Denshin, Jun 28, 2020.

  1. Talula

    Talula Rock Star

    Joined:
    Apr 22, 2018
    Messages:
    1,152
    Likes Received:
    349
    that's why I asked you and asking again: where did you download it? can you give a link for this dmg file?
     
  2. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    @BuntyMcCunty The files are sort of encrypted. Basically if I boot from the Ransomware system, the files are there but not accessible. If I access that hard drive while booting from a different system, I can see the files BUT everything that is timed at 18:01 (time at which I got the pop up window) can't be opened. I now effectively know which files have been affected by looking at the "Last Modified" time. If it's from today at 18:01 I know it got fucked and is unusable (The legit Plugin Alliance Installer for example was modified at 18:01 and so doesn't open anymore.)
     
  3. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    @Talula The Ableton Installer came from Ableton's website. I just went back to Ableton's to download an installer again (as the other one wouldn't mount) and this one mounted and worked just fine.
     
  4. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    @The Pirate I agree with you, in my case it wasn't about getting the "latest" version but as @Creme mentioned, the files (mostly Altiverb) was big and I didn't want to go through downloading 5 or 6 RapidGator links. As a matter of fact it was an older version of Altiverb. Version 7.0.5.

    I will have a look and see if I can find the .dmg of the suspect LittleSnitch version but I believe I tossed it when I realised it was faulty a few days ago.
     
  5. JMOUTTON

    JMOUTTON Audiosexual

    Joined:
    Jan 10, 2016
    Messages:
    1,099
    Likes Received:
    909
    Location:
    Virginia
    How are they inaccessible, are you getting an access denied error or a bad file | read error?
    Can you check the permissions/ownership from the console on all the affected files from your clean OS?

    If you find the culprit that infested you system may I have a link to it through PM? Also, could you PM contents the text file that was generated as well the information from GET INFO about creator / ownership / etc...

    This is pretty interesting, suck that it happened to you but it is kind of cool.
     
  6. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    @JMOUTTON I'm sorry to disappoint, but all that shit got wiped in the Format. All I have kept are the installers in the hopes that some Malware scan could find something in it. In an order to move on, I just formatted, reinstalled in order to just keep working. But yeah would have been "cool" to figure out what the fuck happened.
     
  7. Talula

    Talula Rock Star

    Joined:
    Apr 22, 2018
    Messages:
    1,152
    Likes Received:
    349
    ok... as you wish...

    but I asked because a lot of users don't look at all symbols in address.
    5-6 months ago friend asked me about purchases at retailer webshop, he was interested in safety of credit card information. our dialog was (I just change webshop address):

    me: are you sure that this is real webshop?
    friend: yes, sure.
    me: what you see address bar?
    https://www.nameofsite.net ?
    friend: yes, I see this address. everything fine, right?
    me: wait.. send me screenshot of address bar, please...

    and what I saw at screenshot? https://www-nameofsite.net

    that's all. be careful and good luck!
     
    • Like Like x 1
    • Agree Agree x 1
    • Useful Useful x 1
    • List
  8. Smoove Grooves

    Smoove Grooves Audiosexual

    Joined:
    Jan 26, 2019
    Messages:
    5,184
    Likes Received:
    1,962
    @Talula
    I helped a member via pm with something or other, plus I gave him the AZ address as a link too.
    After a few more messages, what he was saying about the site wasn't ringing true.
    I asked "are you sure you went to exactly the site address I gave you?" but no, for some unknown reason he decided to go via Google. And it turned out that if you Google AZ the top hit is a copycat site, or in his case it was, so he went there. :deep_facepalm:
    For all I I know, man got mashup by driveby malware. Not heard from since.
     
  9. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    @Talula No I perfectly understand what you are saying. But this was downloaded from My Ableton's account as I was logged in and everything. So no doubt about it. But thank you for your concern.
     
  10. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    Btw we found it. The malware came from LittleSnitch 4.5.2. which is the first version of LittleSnitch I tried to install and failed to install which resulted in the LittleSnitchHelper LaunchAgent trying to load on a loop. To be perfectly honest, it said in the comments it was a malware, but unfortunately I don't speak Russian... hint hint...

    Edit : Thanks @Creme
     
  11. Smoove Grooves

    Smoove Grooves Audiosexual

    Joined:
    Jan 26, 2019
    Messages:
    5,184
    Likes Received:
    1,962
    Wow. How did you suddenly come to that conclusion so quickly? I thought you had deleted everything.
     
  12. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    @Smoove Grooves I knew the source of the few installs I was suspecting to be the Ransomware. @Creme checked on the forum and translated the page from Russian, and all the comments are literally just saying "This is a Malware". And it's the version I have installed.
     
  13. Smoove Grooves

    Smoove Grooves Audiosexual

    Joined:
    Jan 26, 2019
    Messages:
    5,184
    Likes Received:
    1,962
    @Denshin
    So a moderator made the first comment under the new member's post about how to properly distribute.
    And all the comments before yours say that it is malware.
    Why did you install it? There are at least a few perfectly good copies on AZ, just not so recent.
    edit: ah, so I now think you are saying that you didn't read the comments at the tracker? Okay.


    Anyway. Thank you for bringing it to everyone's attention, and I'm sorry that you went through what you did.
    Btw, just use Chrome browser and it translates that site for you.
     
    Last edited: Jun 29, 2020
  14. Paul Pi

    Paul Pi Audiosexual

    Joined:
    Oct 18, 2016
    Messages:
    731
    Likes Received:
    719
    Location:
    London
    You don't say what the current permissions of the files affected... it's possible the malware had only enough time to change file permissions to 000, no?
    A mac terminal sudo ls -l path-to-directory-of-interest would give a detailed readout.
    If the file permissions have been affected thus, you can change 'em back to 222 (all users file read-only), 666 (all users file read/write) or 777 (all user file executatable) e.g. sudo chmod 666 filename
     
    Last edited: Jun 29, 2020
    • Useful Useful x 2
    • Agree Agree x 1
    • List
  15. Valnar

    Valnar Rock Star

    Joined:
    Feb 21, 2020
    Messages:
    744
    Likes Received:
    348
    Guys DO NOT use Little Snitch 4.5.2 from rutracker, its infected with the same Ransomware !!!!!!!


    probably not cubase/ableton related, did you install korg plugins? I know that one of their warez installers is infected too

    DM doesnt work, cant even visit your profile ?
     
  16. The Pirate

    The Pirate Audiosexual

    Joined:
    Dec 20, 2018
    Messages:
    5,172
    Likes Received:
    4,398
    Location:
    NOYMFB
    Blame Omnisphere:hahaha:
     
    • Funny Funny x 6
    • Winner Winner x 1
    • List
  17. iDjay

    iDjay Member

    Joined:
    Nov 7, 2019
    Messages:
    40
    Likes Received:
    8
  18. Smoove Grooves

    Smoove Grooves Audiosexual

    Joined:
    Jan 26, 2019
    Messages:
    5,184
    Likes Received:
    1,962
    Doh! Yeah, that's what we've been talking about!
     
  19. JMOUTTON

    JMOUTTON Audiosexual

    Joined:
    Jan 10, 2016
    Messages:
    1,099
    Likes Received:
    909
    Location:
    Virginia
    That's what I thought too, especially since the files were view enabled but not read enabled when viewed from a clean OS.

    Alas, the files are all gone so who knows.
     
  20. .\\0zart

    .\\0zart Newbie

    Joined:
    Sep 2, 2015
    Messages:
    11
    Likes Received:
    2
Loading...
Similar Threads - Ransomware (sierra) Forum Date
NAS systems by QNAP & Asustor affected by Deadbolt Ransomware Computer Hardware Feb 23, 2022
ThiefQuest ransomware on Mac. Thoughts? Industry News Jul 7, 2020
Beware! New Mac Ransomware On The Scene. Live, Little Snitch, Mixed In Key. Mac / Hackintosh Jul 2, 2020
arturia v collection 6 6.21 r2r ransomware false positve? Software Oct 20, 2018
.1btc Ransomware attack #Lockcrypt Family Forum News and Updates Feb 20, 2018
Loading...