Ransomware on OSx 10.12 (sierra)

Discussion in 'Mac / Hackintosh' started by Denshin, Jun 28, 2020.

  1. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    Does anyone face this?
    this message just pop while installing a legit version of ableton. first time ever i got infected in 20 years using mac.What is the correct procedure to follow at this point. i'm a bit lost right now.
    106172548_605524243483675_386042401952278793_n.png
     
  2.  
  3. The Pirate

    The Pirate Audiosexual

    Joined:
    Dec 20, 2018
    Messages:
    5,172
    Likes Received:
    4,398
    Location:
    NOYMFB
    Sorry to hear that. Fuckkkk! I know this will sound stupid but are you able to read your files? How can you get infected with a LEGIT version of Ableton? Contact Ableton if that is the case. If it is coming from Ableton that means someone has gained access to their servers. it could happen. Also could you please post that READ_ME_NOW.txt. If you were using a non legit better let other desperate OSX users know. Also you should let them know what other programs you have downloaded. That will help others from getting fucked. Sorry, there is no better way to say it. On the bright side, if there is any, $50 ain't that much.
     
    • Like Like x 1
    • Agree Agree x 1
    • Useful Useful x 1
    • List
  4. JMOUTTON

    JMOUTTON Audiosexual

    Joined:
    Jan 10, 2016
    Messages:
    1,099
    Likes Received:
    909
    Location:
    Virginia
    No, I have never faced something like this but I know it can happen. It is rare (very rare) but possible.

    MacOS ransomware is more often nothing more than simple obfuscation, if your files are still readable then the message is BS just copy your files to an external backup, and change you AppleID password (the lock my Mac feature one of the ways Mac rasomware works.

    It's happened before that a legit security certificate had been stolen (Transmittion BT Client's SSC was stolen and infected versions of the client were disseminated on the web. Apple revoked the certificate within 24hours and was sucessfully able to use features in APFS+ journals and security to reverse the encryption since the malware wasn't able to install their own file encrytption service as that would require root access.

    The big protection on OS X versus ransom ware, even a software installer doesn't get full root access. Even if some hackers had notarized an Abelton installer properly to bypass gatekeeper you would have to authorize Full Disk Access separately.

    I find this to be quite fascinating and I am interested to see what is actually going on, though from a one post new account I have low expectations but I am still hoping to be pleasantly surprised.



    Read:

    https://macsecurity.net/view/158-mac-ransomware-2020
     
    • Winner Winner x 1
    • Interesting Interesting x 1
    • Useful Useful x 1
    • List
  5. The Pirate

    The Pirate Audiosexual

    Joined:
    Dec 20, 2018
    Messages:
    5,172
    Likes Received:
    4,398
    Location:
    NOYMFB
    That is what I am trying to find out. Something aint right here.:no:
     
  6. Talula

    Talula Rock Star

    Joined:
    Apr 22, 2018
    Messages:
    1,152
    Likes Received:
    349
    are you sure that the installer was real legit? where did you download it?
     
    Last edited: Jun 28, 2020
    • Agree Agree x 1
    • Winner Winner x 1
    • List
  7. mrpsanter

    mrpsanter Audiosexual

    Joined:
    Mar 28, 2014
    Messages:
    1,813
    Likes Received:
    920
    The right process is of course to give them the middle finger for the simple reason that if you pay today, nothing will prevent them to try that little game again in a week, a month or a year from now.
     
  8. mrpsanter

    mrpsanter Audiosexual

    Joined:
    Mar 28, 2014
    Messages:
    1,813
    Likes Received:
    920
    Indeed it's not a lot but if he pays, nothing will prevent them to do that again.
     
  9. statik

    statik Audiosexual

    Joined:
    Jul 3, 2014
    Messages:
    1,534
    Likes Received:
    667
    Location:
    under your bed
    nothing will prevent them from doing nothing either, no money, no files, no nothing.
     
    • Agree Agree x 2
    • Like Like x 1
    • List
  10. Valnar

    Valnar Rock Star

    Joined:
    Feb 21, 2020
    Messages:
    744
    Likes Received:
    348
    Did you really get this installer from the Ableton site :wtf:
     
    • Agree Agree x 2
    • Winner Winner x 1
    • Interesting Interesting x 1
    • List
  11. The Pirate

    The Pirate Audiosexual

    Joined:
    Dec 20, 2018
    Messages:
    5,172
    Likes Received:
    4,398
    Location:
    NOYMFB
    Staying off-line will prevent that....to a certain extent.:hillbilly:
     
  12. The Pirate

    The Pirate Audiosexual

    Joined:
    Dec 20, 2018
    Messages:
    5,172
    Likes Received:
    4,398
    Location:
    NOYMFB
    VERDICT: I think the OP was visiting places, and downloading shit that should only be downloaded from TRUSTED websites. I remember when i was a child that my mom used to warn me against accepting candies or ice cream from strangers.
     
    • Agree Agree x 2
    • Funny Funny x 2
    • Like Like x 1
    • List
  13. Caldera

    Caldera Producer

    Joined:
    Jul 24, 2012
    Messages:
    269
    Likes Received:
    147
    ALWAYS backup your system and important files on an external HDD. HDD do not cost much these days. The best investment you can do.
     
    • Agree Agree x 2
    • Like Like x 1
    • List
  14. Moonlight

    Moonlight Audiosexual

    Joined:
    Jun 12, 2011
    Messages:
    2,467
    Likes Received:
    762
    Location:
    Earth
    Write Ableton support
     
  15. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    Ok so I apologise for the poor phrasing of my first post. Here's what actually happened.

    Yes, it happened during the mounting of an official Ableton Installer but no it definitely didn't come from that installer. Sorry about the false alarm there.

    The chronology was as such :

    Ableton (Legit) wouldn't start properly after reboots. This happened a few times. Somehow if I launched Cubase 10 (also legit) then Ableton would end up loading. I though that was a strange behaviour so I went to my Installers to do a clean Install of Ableton. When I tried to mount the .dmg it got stuck halfway through. I tried a second time, it got stuck again and that's when I got the pop up window I posted telling me that my files were encrypted. So I think the Ableton thing was a simple coincidence, it could be that the installer was already corrupted by the ransomware ? Anyway.

    So I get the pop up window, I hear through my speakers "Your Files Are Encrypted". A Finder window was opened, and because I setup OSX so my Hidden Files always show, I ACTUALLY saw the ransomware starting to Encrypt the files. It would add a "-" at the start of the file and an "e" at the end. So if a file was named "Drums.wav" it would rename it to "-Drums.wav.e". and then the file would dissapear, even if my hidden files were showing.

    As soon as I saw that, I ripped off every single hard drive that was connected to my computer. Here's an interesting fact though, and I think someone mentioned it, when I started my iMac from a different clean system, the files that were missing or "encrypted" from let's say my Downloads folder, were perfectly fine when looking at them from a different system. So I Restarted again from the corrupt system, and the files were encrypted again, making that corrupted system basically unable to operate.

    The Pirate is right, this probably came from an Installer I got from a non-trusted source (as a torrent was more practical due to the size of the installer). The problem is, I scanned all the installers I recently download with three different malware detection softwares and it all came out clean, so I really don't know which one it came from. I'm also wondering if it could come from something installed earlier, but the ransomware had some sort of time bomb ? that would delay it's effects ?

    Another interesting fact is that a few days ago, my CPU starting running at 30/40% at startup with nothing at all running. After looking at the Console, I realised there was a Launch Agent for Little Snitch that was running in a loop, starting LittleSnitch Helper literally every second. This happened after the install of LittleSnitch FAILED. So LittleSnitch was NOT installed on my computer, but somehow this helper kept trying to run in the background. This makes me want to believe that it's where the Ransomware came from. Either that, of an Altiverb 7.0.5. Installer. I can point to the Installer if someone would like to take a look at it.

    But basically I had to Format the HD, re-install OSX Sierra, and start over, as I have no way to recover the Encrypted Files, no way to navigate that system at all (Unless I boot from a different system) and because I scanned it several times for Malware and nothing suspicious came up, no way to actually get rid of the fucking Ransomware...

    Let me know if you have more specific questions.
     
    • Interesting Interesting x 3
    • Like Like x 1
    • Useful Useful x 1
    • List
  16. Smoove Grooves

    Smoove Grooves Audiosexual

    Joined:
    Jan 26, 2019
    Messages:
    5,184
    Likes Received:
    1,962
    Darn. So now we won't be able to read the ReadMeNow text that was put on your desktop.
    Was hoping that would shed some light on who wanted paying.
     
  17. Creme

    Creme Kapellmeister

    Joined:
    Sep 20, 2015
    Messages:
    84
    Likes Received:
    47
    Location:
    Somewhere on the table
    Dam scary, considering your post, i just runned Malwarebyte for the first time in 20 years to check if anything was wrong...Nothing in my case, Good luck with you.
     
    • Agree Agree x 1
    • Useful Useful x 1
    • List
  18. BuntyMcCunty

    BuntyMcCunty Rock Star

    Joined:
    Nov 13, 2019
    Messages:
    594
    Likes Received:
    338
    Location:
    Liverpool
    Have you checked to see if your files are actually encrypted? When I got hit by Ransomware, they wanted $2,000 to restore my files. Fortunately I had backups for all of the important stuff -- I lost some movies and some warez files but I easily replaced them.

    But I'm not sure this could happen on a Mac given the lack of root access most processes have.

    I caught it by getting lazy -- downloading a copy of Internet Download Manager from some ropey crack website. Really stupid. I'm generally careful about such stuff, but one lazy, thoughtless moment is all it takes.
     
  19. The Pirate

    The Pirate Audiosexual

    Joined:
    Dec 20, 2018
    Messages:
    5,172
    Likes Received:
    4,398
    Location:
    NOYMFB
    @Denshin Thanks for explaining it to all of us. Hopefully, this will serve as a warning to desperate members that cant wait for a release to be posted next door, and go hunting all over the net for the latest update. months ago I warned about certain Studio One update that was did a number on a member of this forum. Are we so desperate to have the latest that we can't wait to download it from AudioZ? No freaking update is going to make you a better producer, singer, songwriter, engineer. Going out there looking for the latest can, and sooner or later will, turn into a nightmare.

    Edit: If you can, please upload all the suspect files, and send me links by PM> Do not post links here. If you can include website where you obtained them from.
     
    • Like Like x 2
    • Agree Agree x 2
    • List
  20. Creme

    Creme Kapellmeister

    Joined:
    Sep 20, 2015
    Messages:
    84
    Likes Received:
    47
    Location:
    Somewhere on the table
    Agree with that , but, in some situation (huge kontakt library for EX) using Torrent are much more convenient and i personally never face any problem in 20 years or so. SIP disable, Not antivirus.. Am i lucky? or Denshin was the exception..?
     
  21. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    @Smoove Grooves I looked at the Read_Me_Now.txt file. It seemed corrupted as it was just a bunch of ASCII.
     
    • Interesting Interesting x 1
    • List
Loading...
Similar Threads - Ransomware (sierra) Forum Date
NAS systems by QNAP & Asustor affected by Deadbolt Ransomware Computer Hardware Feb 23, 2022
ThiefQuest ransomware on Mac. Thoughts? Industry News Jul 7, 2020
Beware! New Mac Ransomware On The Scene. Live, Little Snitch, Mixed In Key. Mac / Hackintosh Jul 2, 2020
arturia v collection 6 6.21 r2r ransomware false positve? Software Oct 20, 2018
.1btc Ransomware attack #Lockcrypt Family Forum News and Updates Feb 20, 2018
Loading...