Mac ransomware

Discussion in 'General Off-Topic Chat' started by leafeon34, Mar 7, 2016.

  1. leafeon34, GBAtemp Advanced Fan (OP)
    On Facebook there's been a trending article today about the first known ransomware for Mac computers. Some of the files on the computer get encrypted and you have to pay the hackers 280 pounds to access them again.

    My questions are, why not just pay the money and then ask your credit card company to do a chargeback or reverse the transaction? Wouldn't it be easy for the guys doing this to be traced when they try to spend or withdraw the money?

    And if you're wondering, yes, I am a tech retard.
     
  2. Touko White, (not)Banned
    How can you get infected by this? Is it through downloading crap software, or are there other ways to catch it, as well?
    I don't need to lose my passwords.
     
  3. Xenon Hacks, GBAtemp Guru
    Most, if not all, of the time people pay but no unlock happens.
     
  4. Sicklyboy, Resident Mechanical Keyboard Addict (Global Moderator)
    They also usually want it through Western Union or disposable credit gift cards, so it's nigh impossible to get chargebacks on those.
     
  5. FAST6191, Techromancer (Reporter)
    Originally they would ask for it via some hard-to-follow method like Western Union; the more recent stuff uses bitcoins. Easy-to-trace methods are avoided for the reasons you mention.

    Got any kind of data? Kidnappings and ransoms do work better when, as a trend, the people do come home. I have not read any kind of analysis of people paying the scammers, though.
     
  6. Sicklyboy, Resident Mechanical Keyboard Addict (Global Moderator)
  7. mashers, Stubborn ape
    This is why I love my Time Capsule. Restore the file in seconds, then kindly tell the ransomers to fuck off.
     
  8. Sicklyboy, Resident Mechanical Keyboard Addict (Global Moderator)
    I'm not very versed in Mac terminologies, so educate the un-wise in the difference between "Time Machine" and "Time Capsule"? Is Time Machine kind of like Windows' 'Shadow Copies' and "Time Capsule" an external backup? Because the article says that unfortunately it also encrypts Time Machine backups.
     
  9. Raylight, Paranoid Temper
    Good thing I use Linux; I only use Windows for my games. Keep your shit on an HDD and only plug it in when you absolutely need it; that way you can just reinstall your OS.
     
    Last edited by Raylight, Mar 7, 2016
  10. mashers, Stubborn ape
    I don't know anything about the Windows terminology so I can't compare. But I'll define them. 'Time Capsule' is the hardware. It's essentially a plug-and-play NAS which can also operate as a wireless router. 'Time Machine' is the software component which runs on the Mac. It performs hourly incremental backups, manages the maintenance of the backup history, and provides the user interface for accessing the backed up files.

    I'm assuming that the trojan encrypts Time Machine backups in the same way as other volumes. The /Volumes directory in the Mac filesystem is like /mnt in Linux - it contains the mount points for all external storage devices (and, in fact, the boot device as well). It would be pretty stupid to have your Time Capsule mounted permanently (thus with a mount point folder constantly in /Volumes). The Time Machine software automatically finds the Time Capsule on the network, mounts it, performs the backup and then unmounts it. Presumably the trojan could carry out the encryption while the backup is in progress, however. I've actually got a spare Time Capsule I've been meaning to set up, so I might connect it up and do a full backup onto it to keep offline and just update it periodically.
     
  11. Pedeadstrian, GBAtemp's Official frill-necked lizard.
    Or just, you know, don't download shady crap or have annoying friends like @DarkFlare69 does.
     
  12. FAST6191, Techromancer (Reporter)
    RAID is not backup and data that does not exist offline in more than one location does not exist. That is how you really need to play such things if you care.
     
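    The backup points raised in posts 8, 10 and 12 (a backup destination that is mounted while the malware runs can be encrypted along with the live data, and a copy nobody has checked is not known to be good) come down to verification. The following Python script is an added example, not code from this thread, from Apple's Time Machine or from KeRanger: it records SHA-256 digests of a source tree while the data is known-good, later compares a backup copy against that record, and separates ordinary edits from files whose new content has the near-8-bits-per-byte entropy of ciphertext. The file names, contents and the damage applied in demo() are constructed for the example; the entropy threshold is a heuristic, not a value taken from any analysis on this page.

```python
"""Verify a backup copy against a hash manifest and flag files that look encrypted.

Added example for this thread, not code from any poster, from Time Machine or
from KeRanger. The source tree, the backup and the damage done to it in demo()
are constructed here so the script runs offline.
"""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

CHUNK = 65536            # read files in 64 KiB pieces so large backups fit in memory
ENTROPY_THRESHOLD = 7.5  # bits per byte; text and most documents sit well below this
MIN_SAMPLE = 256         # fewer bytes than this gives a meaningless entropy estimate


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_backup(manifest, backup_root):
    """Compare a backup tree against a manifest taken when the data was known-good.

    Returns a dict with four sorted lists: 'ok', 'missing', 'changed' (content
    differs but still looks like ordinary data) and 'likely_encrypted' (content
    differs and has ciphertext-like entropy).
    """
    report = {"ok": [], "missing": [], "changed": [], "likely_encrypted": []}
    for rel, digest in manifest.items():
        path = os.path.join(backup_root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        if sha256_file(path) == digest:
            report["ok"].append(rel)
            continue
        with open(path, "rb") as f:
            sample = f.read(CHUNK)
        if len(sample) >= MIN_SAMPLE and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            report["likely_encrypted"].append(rel)
        else:
            report["changed"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Build a small source tree, back it up, damage the backup, and verify it."""
    base = tempfile.mkdtemp()
    try:
        src, bak = os.path.join(base, "src"), os.path.join(base, "bak")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "notes.txt"), "w") as f:
            f.write("meeting notes, action items, nothing secret\n" * 100)
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[app]\ndebug = 0\n")
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("left untouched\n")
        with open(os.path.join(src, "photo.bin"), "wb") as f:
            f.write(bytes(range(256)) * 16)   # stand-in for a binary file
        manifest = build_manifest(src)         # taken while the data is known-good
        shutil.copytree(src, bak)              # the "backup" as a backup tool would write it
        # Simulate the backup volume being mounted while ransomware runs: one file
        # overwritten with random bytes (a ciphertext look-alike), one deleted, and one
        # legitimate edit that must not be reported as encryption.
        with open(os.path.join(bak, "docs", "notes.txt"), "wb") as f:
            f.write(os.urandom(4096))
        os.remove(os.path.join(bak, "photo.bin"))
        with open(os.path.join(bak, "config.ini"), "w") as f:
            f.write("[app]\ndebug = 1\n")
        return verify_backup(manifest, bak)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category:>17}: {files}")
```

    The manifest has to be written while the backup is still trusted and kept somewhere the backup process cannot overwrite, otherwise an attacker who can reach the backup can rewrite the manifest too. The entropy check is only a triage aid: compressed archives and media files already sit near 8 bits per byte, so a changed file in those formats needs a closer look rather than an automatic verdict.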
  13. tHciNc, Total Random
    Additionally, KeRanger appears to still be under active development and it seems the malware is also attempting to encrypt Time Machine backup files to prevent victims from recovering their back-up data.
    It'll be interesting to see if it actually works if and when infected computers get encrypted.
     
    Last edited by tHciNc, Mar 7, 2016
  14. mashers, Stubborn ape
    Yeah, @Sicklyboy mentioned that. See my reply above :)
     
  15. Bubsy Bobcat, sipp
    So much for "Macs can't get infected". S:^)
     
  16. Xenon Hacks, GBAtemp Guru
    I think you need a hair cut
     
  17. mashers, Stubborn ape
    Well, if you execute something and type in the administrator password then anything can be infected.
     
  18. ihaveamac, GBAtemp Guru
  19. GeneralSmiley, Advanced Member
    Interesting, I actually did update to that version (fortunately through the app instead of the site) then rolled back as my site did not recognise it as an accepted client yet. I wonder how it is able to circumnavigate OS X permissions, altering the user folder should require root but Transmission should only be running in userland.
     
  20. mashers, Stubborn ape
    The built-in updater must use a different server, perhaps pulling a diff from GitHub or MacUpdate to reduce the size of the download.

    Well, the user normally has administrator privileges and access to sudo. So the installer could run a shell script which runs 'sudo su', feeds in the password entered by the user ostensibly to install the client, and then runs the command to install the trojan as root. The trojan runs as a kext so runs as root anyway.