Ransomware on mac?


7 replies to this topic

#1 dagerm

Posted 30 April 2017 - 02:07 PM

Hi,

I just found your forum via ID Ransomware. I tried to upload one of my corrupted files but it didn't find the ransomware type. Case SHA1: 80b5846db917a3a8f34f259242196dc48aa5957

I'm working on a Mac and two days ago 95% of my personal files became unreadable. I found that they had all been modified on 27/04/2017 within a two-hour window.

They still have the right extension and name, but when I open them in a text editor they look completely different from the working ones.

I don't have any information about what happened...

Just so you know, I also use Parallels Desktop with Windows 7, but since then Parallels crashes when I start that Windows partition, so I can't check on that side anymore...

If you've got any idea what it could be, or what I can do to go further...

Many thanks




#2 Winnie2490


Posted 30 April 2017 - 04:55 PM

What news. What to expect next? On the iPhone :mellow:?



#3 Demonslay335


Posted 30 April 2017 - 07:55 PM

The SHA1 you posted isn't valid (incomplete), so I can't look up your submission. It should be 40 characters, not 39.

Are the files that are encrypted only accessible from the Mac side? Or was there maybe shared access from Windows? Can you mount the virtual machine externally to inspect the file structure? Also, are there any ransom notes?

Haven't honestly seen too many Mac ransomware families, but they do exist. Most add an extension.

Please submit again and give the proper SHA1, or you can just share the files via a third-party sharing site such as SendSpace and post the link here.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 dagerm


Posted 01 May 2017 - 07:40 AM

Hi,
Thank you for having a look at my post.
I tried again on ID Ransomware. SHA1: 02552742633040b9f7bceae1b1dde8b3dcdd30b
You can find one of the files there. I've put the corrupt one and the same one that I had in backup.
https://www.sendspace.com/filegroup/YzM3RJK9V5q83OzsMInRIQ

I didn't find any ransom notes, and I don't know how to access my Windows files because Parallels crashes with that specific Windows partition. I tried another partition and it does not crash...
I think yes, I allowed file sharing between the two because I needed to access some Mac files on Windows.
If you've got an idea on how to access the Windows files, tell me, so I can try.

Thank you!



#5 dagerm


Posted 01 May 2017 - 08:22 AM

I managed to mount the Windows image (I just didn't know how to do it), so I can access the Windows files and see that personal files there have also been modified at the same time. But I don't know where to look for a ransom note (Finder does not look into the Windows partition).



#6 Demonslay335


Posted 01 May 2017 - 08:34 AM

You're still doing something wrong with your copy/paste; you're cutting off the last letter. I was able to find the case by filename and found you cut off a "c" in the SHA1.

The files are the exact same file size, and it doesn't look to be a weak cipher as I cannot see a pattern or anything. No file marker or anything.

Afraid without a ransom note or the malware itself, there's no way to be 100% certain what ransomware it is. Statistically, PClock is the most prevalent one that doesn't leave a file marker or add an extension to files. If it came through the Windows side, it is most likely the one that encrypted the files. PClock cannot be decrypted anymore.


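The checks Demonslay335 describes in the two replies above (the case ID must be a full 40-character SHA1, the encrypted file is the same size as its backup so nothing was appended as a marker, and no repeating pattern is visible that would betray a weak cipher) can be scripted when, as here, the victim still has a clean backup of the same file. The following Python is an added example and is not code from this forum, from ID Ransomware, or from any poster; the file contents, the 4-byte XOR key standing in for a weak cipher, and the SHA-256-in-counter-mode keystream standing in for a real stream cipher are all constructed for the demonstration.

```python
"""Triage helpers for the case in this thread: an encrypted file and its clean backup
copy are both available, and a case ID (a SHA1 digest) has to be quoted correctly.
Added example, not code from BleepingComputer, ID Ransomware, or any poster."""
import hashlib
import math
import re
from collections import Counter
from typing import Optional


def is_valid_sha1(hexdigest: str) -> bool:
    """A SHA1 digest in hex is exactly 40 hex characters; the IDs pasted in the thread had 39."""
    return re.fullmatch(r"[0-9a-fA-F]{40}", hexdigest) is not None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8 for well-encrypted data, lower for text or weak XOR."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def size_delta(original: bytes, encrypted: bytes) -> int:
    """Positive means bytes were added (an appended file marker or prepended header).
    Zero, as in the thread, means there is no appended marker to search for."""
    return len(encrypted) - len(original)


def xor_keystream_period(original: bytes, encrypted: bytes, max_period: int = 64) -> Optional[int]:
    """Known-plaintext check for a weak cipher: XOR of plaintext and ciphertext recovers the
    keystream. If that keystream repeats with a short period, the file was XORed with a
    fixed key and is recoverable from one clean/encrypted pair. Returns the shortest
    period found up to max_period, or None when no short repetition exists."""
    n = min(len(original), len(encrypted))
    delta = bytes(o ^ e for o, e in zip(original[:n], encrypted[:n]))
    for period in range(1, max_period + 1):
        if all(delta[i] == delta[i - period] for i in range(period, n)):
            return period
    return None


def triage(original: bytes, encrypted: bytes) -> dict:
    """Summarise the three checks a responder runs before guessing at the family."""
    return {
        "size_delta": size_delta(original, encrypted),
        "entropy": round(shannon_entropy(encrypted), 2),
        "xor_period": xor_keystream_period(original, encrypted),
    }


# --- constructed sample data (not the thread's files) ---
PLAINTEXT = b"The quick brown fox jumps over the lazy dog.\n" * 100  # 4500 bytes of text

# Weak "ransomware": a repeating 4-byte XOR key. Same size as the original, no marker.
WEAK_KEY = b"\x1b\x3c\x5a\x7e"
WEAK_CIPHERTEXT = bytes(b ^ WEAK_KEY[i % len(WEAK_KEY)] for i, b in enumerate(PLAINTEXT))


def _strong_keystream(length: int, seed: bytes = b"constructed-seed") -> bytes:
    """Stand-in for a real stream cipher: SHA-256 in counter mode, deterministic for the demo."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Properly encrypted file: also same size and no marker, but no recoverable pattern.
STRONG_CIPHERTEXT = bytes(b ^ k for b, k in zip(PLAINTEXT, _strong_keystream(len(PLAINTEXT))))


if __name__ == "__main__":
    for case_id in ("80b5846db917a3a8f34f259242196dc48aa5957", "a" * 40):
        print(case_id, "valid SHA1" if is_valid_sha1(case_id) else "not a SHA1 (wrong length)")
    print("weak cipher  :", triage(PLAINTEXT, WEAK_CIPHERTEXT))
    print("strong cipher:", triage(PLAINTEXT, STRONG_CIPHERTEXT))
```

The weak sample reports an XOR period of 4 and a lower entropy than the strong one, which is the "pattern" a responder looks for; the strong sample reports no period, near-8-bit entropy and a size delta of 0, which is exactly the combination in this thread and means the clean backup, not cryptanalysis of the ciphertext, is the recovery path.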


#7 dagerm


Posted 01 May 2017 - 06:01 PM

Looks the same as this post: https://www.bleepingcomputer.com/forums/t/645501/new-ransomware-infection;-no-note-id-ransomware-cannot-identify/

I managed to mount my broken Windows partition on another one and ran a scan on it. So the encryption came to my Mac files from Windows and Parallels Desktop.

Screenshot of the files detected by Avast:

https://www.sendspace.com/file/788pft



#8 quietman7


Posted 01 May 2017 - 06:14 PM

The victim in that topic most likely was dealing with PClock too.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.



