
PCeU Ukash ransomware: how to tell if it has been removed or spread, for a Mac


6 replies to this topic

#1 stevelikesdylan

stevelikesdylan

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 13 May 2014 - 01:16 PM

My Mac was infected with it, as seen on my Safari browser, with either 12 or 24 hours to pay up. I shut down the Mac and have a number of questions that I can't seem to find answers for anywhere, even after hours of searching. So please help.

 

1. If the Mac is shut down, will the countdown clock be stopped?

2. Does the timer have any real effect?

3. With the Mac shut down, will it halt any of the infection spreading?

4. Will this virus spread on my home network and to Dropbox?

5. I can use my Mac normally and access all files and programmes except Safari, and then only on my account; on other accounts it too worked fine. Does this mean anything?

6. Will this get worse if I don't pay or don't remove it?

7. On the advice of another website I went into Safari options, clicked all the option boxes and pressed restore. Immediately everything seemed to be working as normal. Could the virus now be removed?

8. How can I tell if the virus has gone?

9. I downloaded F-Secure protection and ran a scan, which found nothing, but would it?

10. If the virus is still there and I copy files and move them to another PC, will I bring the virus with it?

 

Many thanks in advance





#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,039 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:02:26 AM

Posted 17 May 2014 - 02:51 PM

Greetings and :welcome: to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold; make sure to take note of it.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now :thumbup2:

==========================
 
Hi stevelikesdylan,
 
Sorry about the delay, we're a little busy here sometimes.
 
You had an encounter with Browlock. It imitates another malware called ransomware, but does not actually affect your computer. It merely uses a script in order to stop you closing your browser. It's just trying to scare you into paying the crooks who make this.
If you boot your Mac up again, it will not be there anymore.
For more information on what browlock is, I suggest checking out this link.
 
I believe that answers your questions, is there anything else which I can help you with?
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 stevelikesdylan

stevelikesdylan
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 18 May 2014 - 08:04 AM


Thanks for that. Everything was fine until I opened up the link in the email from BleepingComputer. It opened up Chrome and the malware reappeared. I only mention this because someone may be targeting your site.

 

It may be only a matter of time before one of our Macs or Windows PCs gets infected with the real ransomware. I get into a panic, and I would be grateful to know the answers to my ten questions IF my machine did get infected by a ransomware virus.

 

Many thanks



#4 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,039 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:02:26 AM

Posted 18 May 2014 - 12:45 PM

Hi stevelikesdylan,

 

No worries, but a few questions on the Browlock popping up. Were you logged into your account at the time? Do you have/remember the link or post which caused this? What was the address of the sender of the email?

 

Most of this applies to Windows, as actual infections which lock your computer from starting are extremely rare on Mac, less so on Windows. So far encrypting malware is only Windows-based too.

 

1. If the Mac is shut down, will the countdown clock be stopped? - I believe it depends on the ransomware, but mostly no (it really depends on whether the infection keeps track of time).
2. Does the timer have any real effect? - It depends what kind of ransomware it is; if the ransomware is Cryptolocker then yes, very much so. The timer means you can pay less to get your files encrypted. As for most ransomwares, which are just fakes, the timer has no effect, apart from a few which delete themselves after the timer finishes. The timer for the fake ones can take a long time, so I wouldn't rely on that; rather remove it via Hitman or similar.
3. With the Mac shut down, will it halt any of the infection spreading? - If you happen to notice files are being encrypted and you see a suspiciously named file running in Task Manager, then yes, as it will stop the encryption process until you start the computer up again. Otherwise, these infections do not spread.
4. Will this virus spread on my home network and to Dropbox? - Same as above: an encrypting ransomware will affect networked drives and Dropbox (although you can restore previous versions on Dropbox) and encrypt all it can find. Fake ransomware does not spread.
5. I can use my Mac normally and access all files and programmes except Safari, and then only on my account; on other accounts it too worked fine. Does this mean anything? - Fake ransomware will completely block you from being able to run anything; it runs on startup and pretty much replaces the desktop which you normally see. Encrypting ransomware will not stop you running programs, but you will not be able to access your files.
6. Will this get worse if I don't pay or don't remove it? - Hmm, well, not really. If you want your files back then you will have to pay in almost every encrypting ransomware, though not all will get you your files back. As for the other fake ransomware, paying will not get you anywhere most of the time, or there is no need.
7. On the advice of another website I went into Safari options, clicked all the option boxes and pressed restore. Immediately everything seemed to be working as normal. Could the virus now be removed? - Yup, Browlock makes no changes to your computer. It only locks your computer.
8. How can I tell if the virus has gone? - Well, it's best to run your antivirus and Malwarebytes and remove anything they find.
9. I downloaded F-Secure protection and ran a scan, which found nothing, but would it?
10. If the virus is still there and I copy files and move them to another PC, will I bring the virus with it? - Nope; as long as you do not copy over any executable files, you will be fine.
 
xXToffeeXx~

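Answer 10 above rests on one rule: the danger in moving files off a suspect machine is carrying an executable along with them. The script below is an added example, not code from the thread or from any tool mentioned in it. It refuses a file if either its extension or its first bytes (the PE, ELF and Mach-O magic numbers) mark it as runnable, so an executable renamed to look like a photo is caught too. Everything in `demo()` is a constructed sample tree.

```python
"""Copy user documents off a suspect machine while refusing executables.

Added example illustrating the advice "do not copy over any executable
files"; not code from the forum thread. Both the extension and the file
header are checked, so a renamed executable is still refused.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Extensions that commonly carry runnable code on Windows and macOS.
# Conservative by design: a .js source file is skipped too.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jse", ".wsf", ".msi", ".jar", ".app", ".dmg", ".pkg", ".sh", ".command",
}

# Magic numbers of the main native executable formats.
EXECUTABLE_MAGICS = (
    b"MZ",                                     # Windows PE (and DOS) header
    b"\x7fELF",                                # Linux/BSD ELF
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # Mach-O 32-bit, both byte orders
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit, both byte orders
    b"\xca\xfe\xba\xbe",                       # Mach-O universal binary (also Java class)
)


def looks_executable(path: Path) -> bool:
    """True if the name or the first bytes mark this file as runnable."""
    if path.suffix.lower() in EXECUTABLE_EXTENSIONS:
        return True
    with open(path, "rb") as fh:
        head = fh.read(4)
    return any(head.startswith(magic) for magic in EXECUTABLE_MAGICS)


def copy_documents(src: Path, dst: Path) -> tuple[list[str], list[str]]:
    """Copy every non-executable regular file under src into dst.

    Returns (copied, skipped), both as sorted paths relative to src, so the
    operator gets a record of what was left behind.
    """
    copied, skipped = [], []
    for root, _dirs, files in os.walk(src):
        for name in files:
            path = Path(root) / name
            rel = str(path.relative_to(src))
            # Never follow symlinks: they could point outside the tree.
            if path.is_symlink() or looks_executable(path):
                skipped.append(rel)
                continue
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)  # copy2 keeps timestamps for later triage
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def demo() -> tuple[list[str], list[str]]:
    """Run the copy over a small constructed sample tree (not real data)."""
    base = Path(tempfile.mkdtemp())
    src, dst = base / "suspect", base / "clean"
    (src / "docs").mkdir(parents=True)
    (src / "docs" / "notes.txt").write_bytes(b"meeting notes\n")
    (src / "docs" / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
    (src / "setup.exe").write_bytes(b"MZ\x90\x00")      # refused by extension
    (src / "holiday.jpg").write_bytes(b"MZ\x90\x00")    # PE header under an image name
    (src / "helper").write_bytes(b"\x7fELF\x02\x01")    # no extension, ELF header
    return copy_documents(src, dst)


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied:", copied)
    print("skipped:", skipped)
```

Run it against a real tree with `copy_documents(Path("/Volumes/suspect"), Path("/Volumes/clean"))`; the skipped list is the thing to read afterwards, since a document with an executable header is exactly what you would not want on the new machine.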


#5 stevelikesdylan

stevelikesdylan
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 19 May 2014 - 12:25 PM

 


 

Many thanks for your detailed response.

 

Two follow-up questions. If it is Cryptolocker and you turn off your PC and restart it in safe mode, will it continue to spread? And I assume you can move off any unaffected files at the same time.

 

The email that started up the malware was from

"BleepingComputer.com" <bleep@bleepingcomputer.com>

 

and the link was

http://www.bleepingcomputer.com/forums/t/534205/pceu-ukash-ransomware-how-to-tell-if-it-has-been-removed-or-spread-for-a-mac/?view=getnewpost

 

I was not logged in at the time. It was probably a coincidence, no problem.



#6 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,039 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:02:26 AM

Posted 19 May 2014 - 02:00 PM

Hi stevelikesdylan,
 
You are welcome.
Yes, Browlock was likely triggered by an ad. There have been a few dodgy ads around recently; this is really for Google to keep on top of, as Grinler (the site owner) does not choose the ads himself.
 

> Two follow-up questions. If it is Cryptolocker and you turn off your PC and restart it in safe mode, will it continue to spread? And I assume you can move off any unaffected files at the same time.

Yup, Cryptolocker (and this may apply to other ransomwares) works in safe mode; it adds itself in a way so that Windows will start it even in safe mode. It's best to boot from a boot CD like a Linux-based one, as it cannot run from that environment, and so no more files would be affected.
 
xXToffeeXx~


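Both the advice in answer 3 of the earlier post (noticing that files are being encrypted) and the follow-up here (moving off any unaffected files after booting from clean media) depend on telling encrypted files apart from untouched ones. As an added example, not code from the thread or from any tool it names, the script below flags recently modified files whose bytes have the near-uniform distribution of ciphertext, while recognising a few compressed formats that are high-entropy by design so they are not reported. The entropy threshold and the time window are assumptions to tune for your own data, and the sample tree built in `demo()` is constructed.

```python
"""Flag recently modified files whose contents look encrypted.

Added example, not code from the forum thread. Well-encrypted data has a byte
entropy close to 8 bits; ordinary documents sit well below the threshold used
here, and compressed formats are recognised by their headers instead.
"""
import hashlib
import math
import os
import tempfile
import time
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; an assumption, tune for your data
SAMPLE_BYTES = 65536      # only the head of each file is examined

# Formats that are high-entropy by design (compressed or already encrypted).
KNOWN_HIGH_ENTROPY_MAGICS = (
    b"PK\x03\x04",   # zip, and zip-based docx/xlsx/jar
    b"\x1f\x8b",     # gzip
    b"7z\xbc\xaf",   # 7-Zip
    b"\xff\xd8\xff", # JPEG
    b"\x89PNG",      # PNG
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> str:
    """Return 'compressed' (known high-entropy format), 'suspicious' or 'plain'."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if any(head.startswith(magic) for magic in KNOWN_HIGH_ENTROPY_MAGICS):
        return "compressed"
    return "suspicious" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "plain"


def scan_recent(root: Path, window_seconds: int) -> dict[str, str]:
    """Classify every regular file under root modified within the window.

    An encrypting infection rewrites files in bulk, so a recent modification
    time plus ciphertext-like content is the combination worth reporting.
    """
    cutoff = time.time() - window_seconds
    verdicts = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or path.stat().st_mtime < cutoff:
                continue
            verdicts[str(path.relative_to(root))] = classify(path)
    return verdicts


def pseudo_random(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def demo() -> dict[str, str]:
    """Constructed sample tree: a plain document, a zip, a document encrypted
    in place under its original name, and an old high-entropy file that falls
    outside the time window."""
    root = Path(tempfile.mkdtemp())
    (root / "notes.txt").write_bytes(b"Meeting notes: budget, hiring, roadmap.\n" * 50)
    (root / "archive.zip").write_bytes(b"PK\x03\x04" + pseudo_random(8192))
    (root / "thesis.docx").write_bytes(pseudo_random(8192))  # no PK header any more
    old = root / "backup.bin"
    old.write_bytes(pseudo_random(8192))
    week_ago = time.time() - 7 * 24 * 3600
    os.utime(old, (week_ago, week_ago))
    return scan_recent(root, window_seconds=3600)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:10s} {name}")
```

On a real volume mounted read-only from a live CD, `scan_recent(Path("/mnt/victim/Users"), 6 * 3600)` gives a first partition of the files into "plain" (safe to move off), "compressed" (check by opening them) and "suspicious" (probably already encrypted); a file whose extension says document but whose content says ciphertext is the clearest sign the infection has already been through it.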


#7 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,039 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:02:26 AM

Posted 24 May 2014 - 02:29 PM

Since it has been 5 days since a reply and the questions were answered, it appears that this issue is resolved; therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.






