
Bricked Mac, ransom email.



#1 powerwheels


  • Members
  • 8 posts

Posted 09 May 2018 - 09:59 PM

So I have been doing some research and have not been able to find any examples quite like the situation I'm in. I decided to post in this forum since a) I don't know what ransomware strain I got, b) I'm on a Mac and c) it seems to be the advice that this guy got: https://www.bleepingcomputer.com/forums/t/676546/virus-removal-help-mac-os/#entry4489476


A couple weeks ago, I was getting ready for bed and happened to check my email to find this one titled:

Ticкet#336955432: 26-04-2018 04:32:17 Details about your future

The body read:

Hello...

Do not consider on my English, I am from Belgium.I installed the virus on your device.After that I thiefted all private information from your device. Moreover I received some more then just data.The most interesting compromising which I got- its a videotape with your self-abusing.I set malware on a porn site and after you downloaded it. The moment you selected the video and pressed play, my virus at once downloaded on your Operating System.

After setup, your front-camera made the videotape with you self-abusing, additionally I captured exactly the porn video you chose. In next few days my malicious software found all your social media and email contacts.

If you need to eliminate the records- pay me 340 euro in BTC(cryptocurrency).
Here is my Bitcoin wallet address - 18aVwkFAadCvwGBHN8vagouWBWrNEpZAaV

You have 22 h. to go after reading. As soon as I get transfer I will destroy the evidence forever. Otherwise I will forward the record to all your contacts.


The email was from order@bridgecollective.com, which I assume is faked or spoofed somehow.

I have an old '09 Mac Pro which suffers from the deep sleep bug where it goes to sleep and never wakes up, requiring a hard shut down and restart. So I didn't think too much about it the previous day when I tried to wake it up and it just wouldn't show the login screen. I did start getting a little concerned after the second or third restart and I still couldn't get to the login screen.

Until I got that email. Then I knew I had a real situation on my hands!

I'm still not 100% certain of the actual vector of attack, but I have a couple of hunches. Recently I was trying to get into programming for Raspberry Pi. As I was attempting to download the Raspbian OS from the official website, they have two options: 1) direct download and 2) torrent. For whatever reason the direct download was not working, so out of impatience I decided to go the torrent route. I haven't done any torrenting in several years, so I reluctantly downloaded the Vuze app. I figure the malware/ransomware could have come in that way somehow.

Another dumb thing I did recently was give out an email and social/professional media links to a couple of forum members (not this one) in private messages. They were long-time members who I felt could be trusted (and it's not like I was giving out any info that couldn't be reasonably easily found if you were looking for me or someone like me). It's probably less likely it was one of those two guys, but still possible I guess.

Of course I never paid, and I have a Time Machine backup. However, I do have another connected drive as well as the Time Machine backup, and I'm a little concerned that my Time Machine backup is also encrypted/locked down. Obviously I can remove the other connected disk, but before doing a restore from Time Machine I guess I was just curious if anyone had heard of Time Machine backups and other drives being affected by ransomware. Or any other info/thoughts anyone might have. I have looked and looked and just can't find the answers to any of these questions.

Edited by powerwheels, 09 May 2018 - 10:29 PM.




#2 Twin B


  • Members
  • 260 posts
  • Gender:Male
  • Location:More Than a Mile High

Posted 09 May 2018 - 10:14 PM

Yo Wheels, your post is unfinished. 


I've learned blood is not thicker than money. 

 


#3 powerwheels

  • Topic Starter

  • Members
  • 8 posts

Posted 09 May 2018 - 10:32 PM

Yo Wheels, your post is unfinished.


Thanks for the response - updated! “Post” button in a bad place!

#4 HarryBaker


  • Members
  • 25 posts
  • Gender:Male
  • Location:London, UK

Posted 10 May 2018 - 06:31 AM

From my knowledge, if the ransomware is designed specifically for macOS then there is a possibility that it also got your Time Machine backup if it was directly connected. If it was a straight clone that was connected then it will most likely be ransomed, but Time Machine should in theory be intact.

 

Do you have any form of ransomware screen visible or is the mac just not booting at all?

 

Are you sure it isn't a hugely coincidental hardware fault? :wink: 



#5 powerwheels

  • Topic Starter

  • Members
  • 8 posts

Posted 10 May 2018 - 04:24 PM

From my knowledge, if the ransomware is designed specifically for macOS then there is a possibility that it also got your Time Machine backup if it was directly connected. If it was a straight clone that was connected then it will most likely be ransomed, but Time Machine should in theory be intact.
 
Do you have any form of ransomware screen visible or is the mac just not booting at all?
 
Are you sure it isn't a hugely coincidental hardware fault? :wink:

Hah, how insane would that be? Pretty sure it's not though.

No ransomware screen, just that email.

Mac booted, but never got to the login screen.

Time Machine was a connected drive. Now I know to have a disconnected Time Machine backup to swap out. Hopefully not too late.

I've already wiped the ransomed drive and am planning on attempting a restore from TM, but just looking for thoughts, suggestions, advice etc. before doing so. I've never had to do anything like this. Is it possible to choose a date in the past to restore to when doing this via TM?

Edit: I get that just about anything is possible, but what knowledge - if any - do you have specifically that would lead you to believe that TM could be affected? Have you read anything that claims such?

Not questioning your intelligence, but just interested if you have any more specific knowledge than there is a possibility - which I fully appreciate!

Edited by powerwheels, 10 May 2018 - 08:25 PM.


#6 jonuk76


  • Members
  • 2,178 posts
  • Gender:Male
  • Location:Wales, UK

Posted 10 May 2018 - 09:14 PM

One thing that strikes me is that the e-mail doesn't mention encryption at all, merely theft of sensitive data. Secondly, "bricking" a computer isn't a typical MO of ransomware, at least if it works as designed. Typically there will be some sort of demonstration that your data is indeed encrypted (or indeed that they have stolen sensitive data, if that is a new trend). Bricking your computer at the outset would reduce a victim's chances of paying, I should imagine.

 

I think someone could spam that e-mail to millions of people, and given how much of the web's traffic is via those sites, you can guarantee at least a few recipients would have visited said sites and used them for that purpose, and upon reading an e-mail like that would panic and fall for it. This would probably work without any malware ever being installed; just the threat of an e-mail where the author appears to know what you've been up to, and is threatening to spread such material around your contact lists, could be enough to get someone to pay up.

 

Of course, if the e-mail included some evidence that they had compromising files, and was personalised to you, that's a different matter.

 

EDIT - example of e-mail scams with similar tactics - https://nexusconsultancy.co.uk/blog/email-scam-ashamed-of-yourself/


Edited by jonuk76, 10 May 2018 - 09:24 PM.

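A small triage script for this kind of extortion mail, added here as an example and not code from anyone in the thread. It scores the message quoted in post #1 against the tells jonuk76 describes (claimed malware, webcam, a payment demand with a deadline, a threat to contacts, and notably no mention of encryption) and checks the Base58Check checksum of any Bitcoin address it finds; the subject line is reconstructed with Cyrillic "к" in place of Latin "k", as it appears in the thread, and the indicator patterns and the score threshold are my own assumptions.

```python
import hashlib
import re

# Constructed sample: the subject and body quoted in post #1. The "k" in "Ticket" is
# written as Cyrillic U+043A, the homoglyph that appears in the thread's subject line.
SUBJECT = "Tic\u043aet#336955432: 26-04-2018 04:32:17 Details about your future"
BODY = """Hello... Do not consider on my English, I am from Belgium.I installed the virus
on your device. After that I thiefted all private information from your device. After
setup, your front-camera made the videotape with you self-abusing, additionally I captured
exactly the porn video you chose. In next few days my malicious software found all your
social media and email contacts. If you need to eliminate the records- pay me 340 euro in
BTC(cryptocurrency). Here is my Bitcoin wallet address - 18aVwkFAadCvwGBHN8vagouWBWrNEpZAaV
You have 22 h. to go after reading. As soon as I get transfer I will destroy the evidence
forever. Otherwise I will forward the record to all your contacts."""

BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy P2PKH/P2SH shape
INDICATORS = {  # the tells jonuk76 lists, as case-insensitive patterns over the body
    "malware_claim": r"\b(virus|malware|malicious software|trojan)\b",
    "camera_claim": r"\b(camera|webcam|video)\b",
    "ransom_demand": r"\b\d+\s?(euro|eur|usd|dollars|btc)\b",
    "deadline": r"\b\d+\s?(h|hrs|hours|days)\b",
    "contacts_threat": r"\b(contacts|contact list|friends|family)\b",
}
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def valid_base58check(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 equal SHA256d(first 21 bytes)[:4]."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw  # each leading '1' is 0x00
    if len(data) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(data[:21]).digest()).digest()[:4] == data[21:]

def triage(subject: str, body: str) -> dict:
    # a mail filter could quarantine anything scoring 5 or more of the 7 indicators
    hits = {k: bool(re.search(p, body, re.I)) for k, p in INDICATORS.items()}
    addr = BTC_RE.search(body)
    hits["btc_address"] = addr is not None
    hits["homoglyph_subject"] = any(ord(c) > 127 for c in subject)
    return {
        "hits": hits,
        "score": sum(hits.values()),
        "btc_address": addr.group(0) if addr else None,
        "address_checksum_ok": valid_base58check(addr.group(0)) if addr else None,
        # real ransomware notes talk about encryption; pure extortion spam does not
        "mentions_encryption": bool(re.search(r"encrypt|decrypt|ransom", body, re.I)),
    }

if __name__ == "__main__":
    print(triage(SUBJECT, BODY))
```

A passing checksum only means the address is well-formed; it says nothing about who controls it or whether anyone has paid.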


#7 powerwheels

  • Topic Starter

  • Members
  • 8 posts

Posted 11 May 2018 - 08:41 AM

One thing that strikes me is that the e-mail doesn't mention encryption at all, merely theft of sensitive data. Secondly, "bricking" a computer isn't a typical MO of ransomware, at least if it works as designed. Typically there will be some sort of demonstration that your data is indeed encrypted (or indeed that they have stolen sensitive data, if that is a new trend). Bricking your computer at the outset would reduce a victim's chances of paying, I should imagine.
 
I think someone could spam that e-mail to millions of people, and given how much of the web's traffic is via those sites, you can guarantee at least a few recipients would have visited said sites and used them for that purpose, and upon reading an e-mail like that would panic and fall for it. This would probably work without any malware ever being installed; just the threat of an e-mail where the author appears to know what you've been up to, and is threatening to spread such material around your contact lists, could be enough to get someone to pay up.
 
Of course, if the e-mail included some evidence that they had compromising files, and was personalised to you, that's a different matter.
 
EDIT - example of e-mail scams with similar tactics - https://nexusconsultancy.co.uk/blog/email-scam-ashamed-of-yourself/


Another thing missing from my email is the “tracking pixel” bit.

But also most others did not seem to have mentioned that anything actually happened to their computers. I wonder if it wasn't a wild coincidence. Sure doesn't seem like it. It was basically a brand new drive, ~1 year old. So I wouldn't think it would be hardware related, but I guess weirder things have happened. At any rate, it doesn't seem like these scammers are sophisticated enough to have encrypted anything. Seems like a TM restore should set everything straight. Guess I'll find out tonight.

#8 HarryBaker


  • Members
  • 25 posts
  • Gender:Male
  • Location:London, UK

Posted 11 May 2018 - 10:58 AM

 

One thing that strikes me is that the e-mail doesn't mention encryption at all, merely theft of sensitive data. Secondly, "bricking" a computer isn't a typical MO of ransomware, at least if it works as designed. Typically there will be some sort of demonstration that your data is indeed encrypted (or indeed that they have stolen sensitive data, if that is a new trend). Bricking your computer at the outset would reduce a victim's chances of paying, I should imagine.
 
I think someone could spam that e-mail to millions of people, and given how much of the web's traffic is via those sites, you can guarantee at least a few recipients would have visited said sites and used them for that purpose, and upon reading an e-mail like that would panic and fall for it. This would probably work without any malware ever being installed; just the threat of an e-mail where the author appears to know what you've been up to, and is threatening to spread such material around your contact lists, could be enough to get someone to pay up.
 
Of course, if the e-mail included some evidence that they had compromising files, and was personalised to you, that's a different matter.
 
EDIT - example of e-mail scams with similar tactics - https://nexusconsultancy.co.uk/blog/email-scam-ashamed-of-yourself/


Another thing missing from my email is the “tracking pixel” bit.

But also most others did not seem to have mentioned that anything actually happened to their computers. I wonder if it wasn't a wild coincidence. Sure doesn't seem like it. It was basically a brand new drive, ~1 year old. So I wouldn't think it would be hardware related, but I guess weirder things have happened. At any rate, it doesn't seem like these scammers are sophisticated enough to have encrypted anything. Seems like a TM restore should set everything straight. Guess I'll find out tonight.

 

Give the TM restore a go and see what happens. Is it an HDD or SSD? If it is an HDD then the age of the drive doesn't mean too much, as it could easily get damaged at any point due to the needle and disk mechanism inside (usually dropped or something along those lines).

 

Restore back to the earliest date you can without losing any data that you really need. It seems unlikely that it is ransomware on your machine as that would usually present a screen and not just an email. As jonuk mentioned, there is no mention of encryption in the email and it definitely seems like some sort of spam.

 

Restore from TM and let us know how it goes.


Edited by HarryBaker, 11 May 2018 - 10:59 AM.


#9 powerwheels

  • Topic Starter

  • Members
  • 8 posts

Posted 11 May 2018 - 08:33 PM

Give the TM restore a go and see what happens. Is it an HDD or SSD? If it is an HDD then the age of the drive doesn't mean too much, as it could easily get damaged at any point due to the needle and disk mechanism inside (usually dropped or something along those lines).
 
Restore back to the earliest date you can without losing any data that you really need. It seems unlikely that it is ransomware on your machine as that would usually present a screen and not just an email. As jonuk mentioned, there is no mention of encryption in the email and it definitely seems like some sort of spam.
 
Restore from TM and let us know how it goes.

HDD.

Just clicked restore from end of Jan.

We’ll see what happens I guess.

#10 powerwheels

  • Topic Starter

  • Members
  • 8 posts

Posted 12 May 2018 - 11:50 AM

Well basically nothing happened.

Tried to do a clean install of the OS from a boot USB I had made a while back and I got a message that it couldn't be done. So then I went ahead and tried to do the TM restore. When I tried to boot the system afterwards all I got was a black screen (which looks really ominous at night when it's backlit). So I tried to run Disk Utility, and it said everything looked fine. So I tried the OS install again just for fun, but this time happened to look at the log window: nothing but errors.

So I just ordered a new drive from Amazon. Guess I'll go from there. See you guys next week. Thanks for all your help.

#11 HarryBaker


  • Members
  • 25 posts
  • Gender:Male
  • Location:London, UK

Posted 14 May 2018 - 06:28 AM

Well basically nothing happened.

Tried to do a clean install of the OS from a boot USB I had made a while back and I got a message that it couldn't be done. So then I went ahead and tried to do the TM restore. When I tried to boot the system afterwards all I got was a black screen (which looks really ominous at night when it's backlit). So I tried to run Disk Utility, and it said everything looked fine. So I tried the OS install again just for fun, but this time happened to look at the log window: nothing but errors.

So I just ordered a new drive from Amazon. Guess I'll go from there. See you guys next week. Thanks for all your help.

 

Yep, could be a hardware failure. Give the new drive a try and see how it goes.

 

Good luck!



#12 BeckoningChasm


  • Members
  • 93 posts
  • Gender:Male

Posted 14 May 2018 - 12:51 PM

I got the exact same email a couple of months ago, and just deleted it.  It didn't download anything to my computer, which is still working as well as Windows ever did.

 

I agree with those who say the two events were not related, and the crash just coincidentally happened after you got the email.



#13 powerwheels

  • Topic Starter

  • Members
  • 8 posts

Posted 17 May 2018 - 08:53 PM

Well this is frustrating.

Got the new HDD in, formatted it to OS X Extended (Journaled), tried to do both a TM restore and a clean OS install, and all I get are errors. WTH am I doing wrong?! Bleeping computer indeed...

I'd post a pic of the errors, but I guess I don't have enough forum posts?

#14 HarryBaker


  • Members
  • 25 posts
  • Gender:Male
  • Location:London, UK

Posted 18 May 2018 - 08:23 AM

What are the errors that you are getting? Not sure about the post limit to post images but can you type them out worst case or are they long errors?



#15 jonuk76


  • Members
  • 2,178 posts
  • Gender:Male
  • Location:Wales, UK

Posted 18 May 2018 - 10:27 AM

You can upload images to a hosting site (e.g. imgur.com or tinypic.com) and link to them. If you use the "image" button in the forum toolbar, and paste the link to the image in the dialog box that opens, the forum will automatically add the appropriate code to get the image to display in the post.


Edited by jonuk76, 18 May 2018 - 10:51 AM.





