Mac ransomware

  • Thread starter Deleted User

Deleted User

Guest
OP
On Facebook there's been a trending article today about the first known ransomware for Mac computers. Some of the files on the computer get encrypted and you have to pay the hackers 280 pounds to access them again.

My questions are, why not just pay the money and then ask your credit card company to do a chargeback or reverse the transaction? Wouldn't it be easy for the guys doing this to be traced when they try to spend or withdraw the money?

And if you're wondering, yes, I am a tech retard.
 

Touko White

(not)Banned
Member
How can you get infected by this? Is it through downloading crap software, or are there other ways to catch it, as well?
I don't need to lose my passwords.
 

Xenon Hacks

Well-Known Member
Member
On Facebook there's been a trending article today about the first known ransomware for Mac computers. Some of the files on the computer get encrypted and you have to pay the hackers 280 pounds to access them again.

My questions are, why not just pay the money and then ask your credit card company to do a chargeback or reverse the transaction? Wouldn't it be easy for the guys doing this to be traced when they try to spend or withdraw the money?

And if you're wondering, yes, I am a tech retard.
Most, if not all, of the time people pay but no unlock happens.
 

FAST6191

Techromancer
Editorial Team
My questions are, why not just pay the money and then ask your credit card company to do a chargeback or reverse the transaction? Wouldn't it be easy for the guys doing this to be traced when they try to spend or withdraw the money?

Originally they would ask for it via some hard-to-follow method like Western Union; the more recent stuff uses bitcoins. Easy-to-trace methods are avoided for the reasons you mention.

Most, if not all, of the time people pay but no unlock happens.
Got any kind of data? Kidnapping and ransoms there do work better when, as a trend, the people do come home. I have not read any kind of analysis of people paying the scammers though.
 

Sicklyboy

#JOYCONBOYZFOREVER
Global Moderator
This is why I love my Time Capsule. Restore the file in seconds, then kindly tell the ransomers to fuck off.
I'm not very versed in Mac terminologies, so educate the un-wise in the difference between "Time Machine" and "Time Capsule"? Is Time Machine kind of like Windows' 'Shadow Copies' and "Time Capsule" an external backup? Because the article says that unfortunately it also encrypts Time Machine backups.
 

mashers

Stubborn ape
Member
I'm not very versed in Mac terminologies, so educate the un-wise in the difference between "Time Machine" and "Time Capsule"? Is Time Machine kind of like Windows' 'Shadow Copies' and "Time Capsule" an external backup? Because the article says that unfortunately it also encrypts Time Machine backups.
I don't know anything about the Windows terminology so I can't compare. But I'll define them. 'Time Capsule' is the hardware. It's essentially a plug-and-play NAS which can also operate as a wireless router. 'Time Machine' is the software component which runs on the Mac. It performs hourly incremental backups, manages the maintenance of the backup history, and provides the user interface for accessing the backed up files.

I'm assuming that the trojan encrypts Time Machine backups in the same way as other volumes. The /Volumes directory in the Mac filesystem is like /mnt in Linux - it contains the mount points for all external storage devices (and, in fact, the boot device as well). It would be pretty stupid to have your Time Capsule mounted permanently (thus with a mount point folder constantly in /Volumes). The Time Machine software automatically finds the Time Capsule on the network, mounts it, performs the backup and then unmounts it. Presumably the trojan could carry out the encryption while the backup is in progress, however. I've actually got a spare Time Capsule I've been meaning to set up, so I might connect it up and do a full backup onto it to keep offline and just update it periodically.
 
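The post above turns on whether a Time Machine destination that is mounted under /Volumes during a backup can be encrypted along with everything else. What a defender wants in that situation is a way to tell, before relying on a backup, whether the snapshot is still what it was when it was last trusted. The following is an added example written for this page (not code from the thread, from Apple, or from any analysis of KeRanger): it builds a SHA-256 manifest of a backup tree while the backup is known-good, and later re-verifies the tree against that manifest, reporting missing, added and changed files and flagging changed files whose contents now look like ciphertext. The directory layout, file names, the tamper scenario and the 7.5 bits/byte entropy threshold are all constructed for the demo.

```python
"""Offline-backup integrity check (added example; constructed paths and data)."""
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumption for the demo: ciphertext and compressed data sit close to
# 8 bits/byte, while documents, source and flat media fall well below this.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the data: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.
    Run this while the backup is known-good and keep the result off the machine."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Re-check a backup tree against a trusted manifest."""
    report = {"missing": [], "modified": [], "suspected_encrypted": [], "added": []}
    current = build_manifest(root)
    for rel, expected in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != expected:
            report["modified"].append(rel)
            # Only the head of the file is needed to judge whether it is now ciphertext.
            head = (root / rel).read_bytes()[:65536]
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                report["suspected_encrypted"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict:
    """Constructed scenario: a clean snapshot, then a tamper pass that mimics a
    backup volume being encrypted while it is mounted. Returns the verify report."""
    with tempfile.TemporaryDirectory(prefix="backup_demo_") as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "thesis.txt").write_text(
            "Chapter 1. A backup is only a backup if a copy is offline.\n" * 40)
        (root / "docs" / "notes.md").write_text("# todo\n- rotate the spare Time Capsule\n" * 20)
        (root / "photos").mkdir()
        (root / "photos" / "cat.jpg").write_bytes(
            b"\xff\xd8\xff\xe0" + b"JFIF header then flat pixel data " * 200)

        manifest = build_manifest(root)  # taken while the backup is known-good

        # Tamper pass: one file overwritten with pseudo-random bytes (a stand-in
        # for ciphertext), one truncated, one deleted, and a note file dropped in.
        rng = random.Random(1234)
        (root / "docs" / "thesis.txt").write_bytes(
            bytes(rng.getrandbits(8) for _ in range(8192)))
        (root / "photos" / "cat.jpg").write_bytes(b"\xff\xd8")  # changed, but low entropy
        (root / "docs" / "notes.md").unlink()
        (root / "README_FOR_DECRYPT.txt").write_text("constructed note for the example\n")

        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key:20s} {paths}")
```

In practice you would run build_manifest against the backup's mount point right after a backup completes, store the manifest somewhere the Mac cannot write to, and run verify_backup before trusting a restore. The manifest only tells you that something changed; it does not prevent the change, so it complements rather than replaces the second, offline copy the thread recommends.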

Pedeadstrian

GBAtemp's Official frill-necked lizard.
Member
Good thing I use Linux; I only use Windows for my games. Keep your shit on an HDD and only plug it in when you absolutely need it; that way you can just reinstall your OS.
Or just, you know, don't download shady crap or have annoying friends like @DarkFlare69 does.
 

FAST6191

Techromancer
Editorial Team
RAID is not backup and data that does not exist offline in more than one location does not exist. That is how you really need to play such things if you care.
 

tHciNc

Total Random
Member
This is why I love my Time Capsule. Restore the file in seconds, then kindly tell the ransomers to fuck off.
Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.
It'll be interesting to see if it actually works if and when infected computers get encrypted.
 

mashers

Stubborn ape
Member
Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.
It'll be interesting to see if it actually works if and when infected computers get encrypted.
Yeah, @Sicklyboy mentioned that. See my reply above :)
 

GeneralSmiley

Well-Known Member
Newcomer
Interesting, I actually did update to that version (fortunately through the app instead of the site), then rolled back as my site did not recognise it as an accepted client yet. I wonder how it is able to circumnavigate OS X permissions; altering the user folder should require root, but Transmission should only be running in userland.
 

mashers

Stubborn ape
Member
Something that's interesting is that if you got 2.90 from the site, it had the ransomware, but using the updater within the program was clean. I wonder how that happened...
The built-in updater must use a different server, perhaps pulling a diff from GitHub or MacUpdate to reduce the size of the download.

--------------------- MERGED ---------------------------

I wonder how it is able to circumnavigate OS X permissions; altering the user folder should require root, but Transmission should only be running in userland.
Well, the user normally has administrator privileges and access to sudo. So the installer could run a shell script which runs 'sudo su', feeds in the password entered by the user ostensibly to install the client, and then runs the command to install the trojan as root. The trojan runs as a kext so runs as root anyway.
 
