Ransomware on OSx 10.12 (sierra)

Discussion in 'Mac / Hackintosh' started by Denshin, Jun 28, 2020.

  1. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    Does anyone face this?
    This message just popped up while installing a legit version of Ableton. First time ever I got infected in 20 years using a Mac. What is the correct procedure to follow at this point? I'm a bit lost right now.
    [attached screenshot: 106172548_605524243483675_386042401952278793_n.png]
     
  3. The Pirate

    The Pirate Audiosexual

    Joined:
    Dec 20, 2018
    Messages:
    5,186
    Likes Received:
    4,407
    Location:
    NOYMFB
    Sorry to hear that. Fuckkkk! I know this will sound stupid, but are you able to read your files? How can you get infected with a LEGIT version of Ableton? Contact Ableton if that is the case. If it is coming from Ableton, that means someone has gained access to their servers. It could happen. Also, could you please post that READ_ME_NOW.txt? If you were using a non-legit version, better let other desperate OSX users know. Also, you should let them know what other programs you have downloaded. That will help others from getting fucked. Sorry, there is no better way to say it. On the bright side, if there is any, $50 ain't that much.
     
    • Like Like x 1
    • Agree Agree x 1
    • Useful Useful x 1
  4. JMOUTTON

    JMOUTTON Audiosexual

    Joined:
    Jan 10, 2016
    Messages:
    1,061
    Likes Received:
    864
    Location:
    Virginia
    No, I have never faced something like this but I know it can happen. It is rare (very rare) but possible.

    MacOS ransomware is more often nothing more than simple obfuscation; if your files are still readable then the message is BS. Just copy your files to an external backup, and change your Apple ID password (the "lock my Mac" feature is one of the ways Mac ransomware works).

    It's happened before that a legit security certificate had been stolen (the Transmission BT client's SSC was stolen and infected versions of the client were disseminated on the web). Apple revoked the certificate within 24 hours and was successfully able to use features in APFS+ journals and security to reverse the encryption, since the malware wasn't able to install its own file encryption service, as that would require root access.

    The big protection on OS X versus ransomware is that even a software installer doesn't get full root access. Even if some hackers had notarized an Ableton installer properly to bypass Gatekeeper, you would have to authorize Full Disk Access separately.

    I find this to be quite fascinating and I am interested to see what is actually going on, though from a one-post new account I have low expectations, but I am still hoping to be pleasantly surprised.

    Read:

    https://macsecurity.net/view/158-mac-ransomware-2020
     
    • Winner Winner x 1
    • Interesting Interesting x 1
    • Useful Useful x 1
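JMOUTTON's test above (if the files are still readable, the ransom note is bluffing) can be automated. The following is an added example written for this thread, not code from the thread, from Apple or from any product named in it. It reads the first bytes of a file, looks for a known format signature, and measures the byte entropy: real ciphertext has a flat byte histogram, while an intact WAV or a file that was merely renamed or hidden does not. The sample inputs are constructed inline; the 7.5 bits/byte threshold is an assumption chosen for illustration.

```python
import math
from collections import Counter
from pathlib import Path

# Constructed sample inputs (not files from the thread): a minimal WAV-like blob
# with a valid RIFF header, and a "ciphertext" whose bytes are uniformly spread.
FAKE_WAV = b"RIFF" + (36 + 2048).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 2048
FAKE_CIPHERTEXT = bytes(range(256)) * 16  # every byte value 16 times -> exactly 8.0 bits/byte

# Format signatures a producer's drive is full of. Compressed formats (FLAC, ZIP,
# gzip) are high-entropy by nature, so the header check runs before the entropy check.
KNOWN_MAGIC = {
    b"RIFF": "WAV/RIFF container",
    b"FORM": "AIFF container",
    b"fLaC": "FLAC audio",
    b"\x89PNG": "PNG image",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive",
    b"\x1f\x8b": "gzip stream",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain audio/text sits well below 8; ciphertext is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = 7.5) -> dict:
    """Decide whether a blob still looks like a readable file or like ciphertext."""
    header = data[:8]
    magic = next((desc for sig, desc in KNOWN_MAGIC.items() if header.startswith(sig)), None)
    entropy = shannon_entropy(data[:65536])  # the first 64 KiB is enough to tell
    if magic is not None:
        verdict = "readable"          # header intact: the file was not encrypted in place
    elif entropy >= threshold:
        verdict = "likely encrypted"  # no recognisable header and a flat byte histogram
    else:
        verdict = "unknown"           # no header but low entropy: inspect by hand
    return {"magic": magic, "entropy": round(entropy, 2), "verdict": verdict}


def classify_file(path) -> dict:
    """Same check against a real path, e.g. on the old volume mounted from a clean boot."""
    return classify(Path(path).read_bytes())


if __name__ == "__main__":
    for label, blob in (("fake WAV", FAKE_WAV), ("fake ciphertext", FAKE_CIPHERTEXT)):
        print(label, classify(blob))
```

Run it from a clean system against the suspect volume (the way Denshin later booted from a different system), not from the infected one, so a still-running process cannot change what you are measuring. A "readable" verdict on the originals means a backup copy is all that is needed; "likely encrypted" on every file is the case where only an offline backup helps.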
  5. The Pirate

    The Pirate Audiosexual

    Joined:
    Dec 20, 2018
    Messages:
    5,186
    Likes Received:
    4,407
    Location:
    NOYMFB
    That is what I am trying to find out. Something ain't right here. :no:
     
  6. Talula

    Talula Rock Star

    Joined:
    Apr 22, 2018
    Messages:
    1,051
    Likes Received:
    316
    Are you sure that the installer was real legit? Where did you download it?
     
    Last edited: Jun 28, 2020
    • Agree Agree x 1
    • Winner Winner x 1
  7. mrpsanter

    mrpsanter Audiosexual

    Joined:
    Mar 28, 2014
    Messages:
    1,780
    Likes Received:
    898
    The right process is of course to give them the middle finger, for the simple reason that if you pay today, nothing will prevent them from trying that little game again in a week, a month or a year from now.
     
  8. mrpsanter

    mrpsanter Audiosexual

    Joined:
    Mar 28, 2014
    Messages:
    1,780
    Likes Received:
    898
    Indeed it's not a lot, but if he pays, nothing will prevent them from doing that again.
     
  9. statik

    statik Audiosexual

    Joined:
    Jul 3, 2014
    Messages:
    1,518
    Likes Received:
    663
    Location:
    under your bed
    Nothing will prevent them from doing nothing either: no money, no files, no nothing.
     
    • Agree Agree x 2
    • Like Like x 1
  10. Valnar

    Valnar Rock Star

    Joined:
    Feb 21, 2020
    Messages:
    744
    Likes Received:
    348
    Did you really get this installer from the Ableton site :wtf:
     
    • Agree Agree x 2
    • Winner Winner x 1
    • Interesting Interesting x 1
  11. The Pirate

    The Pirate Audiosexual

    Joined:
    Dec 20, 2018
    Messages:
    5,186
    Likes Received:
    4,407
    Location:
    NOYMFB
    Staying offline will prevent that... to a certain extent. :hillbilly:
     
  12. The Pirate

    The Pirate Audiosexual

    Joined:
    Dec 20, 2018
    Messages:
    5,186
    Likes Received:
    4,407
    Location:
    NOYMFB
    VERDICT: I think the OP was visiting places, and downloading shit that should only be downloaded from TRUSTED websites. I remember when I was a child that my mom used to warn me against accepting candies or ice cream from strangers.
     
    • Agree Agree x 2
    • Funny Funny x 2
    • Like Like x 1
  13. Caldera

    Caldera Producer

    Joined:
    Jul 24, 2012
    Messages:
    251
    Likes Received:
    135
    ALWAYS back up your system and important files on an external HDD. HDDs do not cost much these days. The best investment you can make.
     
    • Agree Agree x 2
    • Like Like x 1
  14. Moonlight

    Moonlight Audiosexual

    Joined:
    Jun 12, 2011
    Messages:
    2,470
    Likes Received:
    760
    Location:
    Earth
    Write Ableton support
     
  15. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    Ok, so I apologise for the poor phrasing of my first post. Here's what actually happened.

    Yes, it happened during the mounting of an official Ableton installer, but no, it definitely didn't come from that installer. Sorry about the false alarm there.

    The chronology was as follows:

    Ableton (legit) wouldn't start properly after reboots. This happened a few times. Somehow if I launched Cubase 10 (also legit) then Ableton would end up loading. I thought that was a strange behaviour, so I went to my Installers to do a clean install of Ableton. When I tried to mount the .dmg it got stuck halfway through. I tried a second time, it got stuck again, and that's when I got the pop-up window I posted telling me that my files were encrypted. So I think the Ableton thing was a simple coincidence; it could be that the installer was already corrupted by the ransomware? Anyway.

    So I get the pop-up window, I hear through my speakers "Your Files Are Encrypted". A Finder window was opened, and because I set up OSX so my hidden files always show, I ACTUALLY saw the ransomware starting to encrypt the files. It would add a "-" at the start of the file and an "e" at the end. So if a file was named "Drums.wav" it would rename it to "-Drums.wav.e", and then the file would disappear, even if my hidden files were showing.

    As soon as I saw that, I ripped off every single hard drive that was connected to my computer. Here's an interesting fact though, and I think someone mentioned it: when I started my iMac from a different clean system, the files that were missing or "encrypted" from, let's say, my Downloads folder were perfectly fine when looking at them from a different system. So I restarted again from the corrupt system, and the files were encrypted again, making that corrupted system basically unable to operate.

    The Pirate is right, this probably came from an installer I got from a non-trusted source (as a torrent was more practical due to the size of the installer). The problem is, I scanned all the installers I recently downloaded with three different malware detection programs and it all came out clean, so I really don't know which one it came from. I'm also wondering if it could come from something installed earlier, but the ransomware had some sort of time bomb that would delay its effects?

    Another interesting fact is that a few days ago, my CPU started running at 30/40% at startup with nothing at all running. After looking at the Console, I realised there was a Launch Agent for Little Snitch that was running in a loop, starting LittleSnitch Helper literally every second. This happened after the install of LittleSnitch FAILED. So LittleSnitch was NOT installed on my computer, but somehow this helper kept trying to run in the background. This makes me want to believe that it's where the ransomware came from. Either that, or an Altiverb 7.0.5 installer. I can point to the installer if someone would like to take a look at it.

    But basically I had to format the HD, re-install OSX Sierra, and start over, as I have no way to recover the encrypted files, no way to navigate that system at all (unless I boot from a different system) and, because I scanned it several times for malware and nothing suspicious came up, no way to actually get rid of the fucking ransomware...

    Let me know if you have more specific questions.
     
    • Interesting Interesting x 3
    • Like Like x 1
    • Useful Useful x 1
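Two details in Denshin's account are things a responder can check mechanically from a clean boot: the "-Drums.wav.e" rename pattern (with the hidden flag, since the renamed files vanished from Finder), and a LaunchAgent that keeps relaunching a helper every second. The script below is an added example written for this thread, not code from the thread, from Little Snitch or from Apple. It walks a tree for names matching the reported pattern, and it parses launchd plists to flag KeepAlive jobs whose program is missing or whose restart throttle is shorter than launchd's 10-second default. The directory, the file names and the `com.example.helper` plist in `demo()` are constructed sample data; the launchd directory list in `audit_launch_agent_dirs` is the standard set of locations and is an assumption about where to look, not something the thread states.

```python
import os
import plistlib
import stat
import tempfile
from pathlib import Path

# Rename pattern reported in the thread: "Drums.wav" became "-Drums.wav.e".
PREFIX, SUFFIX = "-", ".e"


def is_renamed(name: str) -> bool:
    """True for names shaped like the reported "-<original>.e" pattern."""
    return name.startswith(PREFIX) and name.endswith(SUFFIX) and len(name) > len(PREFIX) + len(SUFFIX)


def original_name(name: str) -> str:
    """Recover the pre-rename file name from a matching name."""
    return name[len(PREFIX):-len(SUFFIX)]


def find_renamed(root) -> list:
    """Walk a tree (e.g. the old volume mounted from a clean boot) and list matching files.

    The hidden flag is checked because the renamed files vanished from Finder even with
    hidden files shown; macOS exposes it as UF_HIDDEN in st_flags, Linux has no st_flags.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if is_renamed(name):
                path = Path(dirpath) / name
                flags = getattr(path.lstat(), "st_flags", 0)
                hits.append({
                    "path": str(path),
                    "original": original_name(name),
                    "hidden_flag": bool(flags & stat.UF_HIDDEN),
                })
    return hits


def audit_launch_agent(plist_path) -> list:
    """Return review-worthy properties of one LaunchAgent/LaunchDaemon plist.

    A KeepAlive job whose program no longer exists matches the "helper restarting every
    second" symptom described above: launchd keeps relaunching a binary that is not there.
    """
    with open(plist_path, "rb") as fh:
        job = plistlib.load(fh)
    findings = []
    program = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
    keep_alive = job.get("KeepAlive")
    if keep_alive:
        findings.append("KeepAlive: launchd restarts the job every time it exits")
    if job.get("RunAtLoad"):
        findings.append("RunAtLoad: job starts at every login")
    if keep_alive and job.get("ThrottleInterval", 10) < 10:
        findings.append(f"ThrottleInterval={job['ThrottleInterval']}: faster than launchd's 10 s default")
    if program and not os.path.exists(program):
        findings.append(f"program missing on disk: {program}")
    return findings


def audit_launch_agent_dirs(dirs=("~/Library/LaunchAgents", "/Library/LaunchAgents",
                                  "/Library/LaunchDaemons")) -> dict:
    """Audit every plist in the usual launchd directories; returns {path: findings} for flagged jobs."""
    report = {}
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            try:
                findings = audit_launch_agent(p)
            except Exception as exc:  # a plist that will not parse is itself worth a look
                findings = [f"unparseable plist: {exc}"]
            if findings:
                report[str(p)] = findings
    return report


def demo() -> dict:
    """Run both checks on a constructed directory (sample data, not the thread's real files)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        (tmp / "-Drums.wav.e").write_bytes(b"\x00" * 16)        # shaped like a renamed file
        (tmp / "Kick.wav").write_bytes(b"RIFF" + b"\x00" * 12)   # untouched
        (tmp / "notes.txt").write_text("-not a hit.e\n")         # pattern in content only: no hit
        agent = tmp / "com.example.helper.plist"                 # hypothetical label
        with open(agent, "wb") as fh:
            plistlib.dump({
                "Label": "com.example.helper",
                "ProgramArguments": ["/nonexistent/path/helper"],  # binary never got installed
                "KeepAlive": True,
                "RunAtLoad": True,
                "ThrottleInterval": 1,
            }, fh)
        return {"renamed": find_renamed(tmp), "agent_findings": audit_launch_agent(agent)}


if __name__ == "__main__":
    print(demo())
```

`find_renamed` only tells you which files carry the pattern; whether their contents are still intact is a separate question (a header and entropy check answers it). The launchd audit is deliberately a review list rather than a verdict: KeepAlive and RunAtLoad are normal for many legitimate helpers, and a missing program path is what you would expect after a failed install, so each flagged plist still needs a human to decide whether to unload it with `launchctl`.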
  16. Smoove Grooves

    Smoove Grooves Audiosexual

    Joined:
    Jan 26, 2019
    Messages:
    5,208
    Likes Received:
    1,981
    Darn. So now we won't be able to read the ReadMeNow text that was put on your desktop.
    Was hoping that would shed some light on who wanted paying.
     
  17. Creme

    Creme Kapellmeister

    Joined:
    Sep 20, 2015
    Messages:
    82
    Likes Received:
    45
    Location:
    Somewhere on the table
    Damn scary. Considering your post, I just ran Malwarebytes for the first time in 20 years to check if anything was wrong... Nothing in my case. Good luck to you.
     
    • Agree Agree x 1
    • Useful Useful x 1
  18. BuntyMcCunty

    BuntyMcCunty Rock Star

    Joined:
    Nov 13, 2019
    Messages:
    581
    Likes Received:
    320
    Location:
    Liverpool
    Have you checked to see if your files are actually encrypted? When I got hit by Ransomware, they wanted $2,000 to restore my files. Fortunately I had backups for all of the important stuff -- I lost some movies and some warez files but I easily replaced them.

    But I'm not sure this could happen on a Mac given the lack of root access most processes have.

    I caught it by getting lazy -- downloading a copy of Internet Download Manager from some ropey crack website. Really stupid. I'm generally careful about such stuff, but one lazy, thoughtless moment is all it takes.
     
  19. The Pirate

    The Pirate Audiosexual

    Joined:
    Dec 20, 2018
    Messages:
    5,186
    Likes Received:
    4,407
    Location:
    NOYMFB
    @Denshin Thanks for explaining it to all of us. Hopefully, this will serve as a warning to desperate members that can't wait for a release to be posted next door, and go hunting all over the net for the latest update. Months ago I warned about a certain Studio One update that did a number on a member of this forum. Are we so desperate to have the latest that we can't wait to download it from AudioZ? No freaking update is going to make you a better producer, singer, songwriter, engineer. Going out there looking for the latest can, and sooner or later will, turn into a nightmare.

    Edit: If you can, please upload all the suspect files, and send me links by PM. Do not post links here. If you can, include the website where you obtained them from.
     
    • Like Like x 2
    • Agree Agree x 2
  20. Creme

    Creme Kapellmeister

    Joined:
    Sep 20, 2015
    Messages:
    82
    Likes Received:
    45
    Location:
    Somewhere on the table
    Agree with that, but in some situations (a huge Kontakt library, for example) using torrents is much more convenient, and I personally have never faced any problem in 20 years or so. SIP disabled, no antivirus... Am I lucky? Or was Denshin the exception?
     
  21. Denshin

    Denshin Member

    Joined:
    Jan 3, 2020
    Messages:
    17
    Likes Received:
    8
    @Smoove Grooves I looked at the Read_Me_Now.txt file. It seemed corrupted as it was just a bunch of ASCII.
     
    • Interesting Interesting x 1