CRYPTOWALL 3.0 Attack on OSX server

Started by pspdfppdfxhd, January 22, 2015, 08:57:47 AM


pspdfppdfxhd

As if we weren't having enough problems around here updating the RIP, operating systems and programs...

On Monday, I noticed on our Mac server that a whole bunch of files were created in each folder within a couple of folders, like HELP_DECRYPT.HTML. There were 4 in each folder I opened, and when I tried to copy the files over the network, it said they were damaged.

Luckily we had a backup where the files were OK, so we were able to retrieve the data. It's the virus that asks for 500 dollars to get the key to decrypt your files.

When we started up the OLD computer that the RIP was on, a screen came up saying the whole computer was locked and we had to pay 500 bucks to get the key. Luckily, the NEW computer running the new RIP was OK and we've been using that to make plates. I talked to our IT guy and he said to get the infected computer off the network immediately. This happened Monday and as of yet we see no other problems.

Really scary, I had no idea that this thing could spread from a Mac to a PC (or vice versa) like this?

Anyone else run into this?


Farabomb

Yup, on my personal laptop and the boss's. On mine I was able to recover through safe mode without any loss of data. On the boss's I didn't care enough to try and reformatted. His computer was as clean as a $.50 whore anyway, this just gave me an excuse to wipe it.

As far as Mac goes, I can't help, but just because it says your files are encoded/whatever doesn't mean they actually are.
Speed doesn't kill, rapidly becoming stationary is the problem

I'd rather have stories told than be telling stories of what I could have done.

Quote from: Ear on April 06, 2016, 11:54:16 AM
Quote from: Farabomb on April 06, 2016, 11:39:41 AM
It's more like grip, grip, grip, noise, then spin and 2 feet in and feel shame.
I once knew a plus-sized girl and this pretty much describes teh secks. :rotf:
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
         —Benjamin Franklin

My other job

pspdfppdfxhd

No, we got them back from a clean backup, but the infected folders were toast, along with the OLD RIP computer. We were running the OLD RIP at the time because of issues with the NEW RIP computer. Luckily, we figured out most of the issues and have whacked out about 57 sets of plates on the NEW computer.



David

Your Mac can be used as a spreader of a virus. You can take an infected file and download/copy it to your Mac, then to a PC and voila! Instant crap hole!
Prepress guy - Retired - Working from home
Livin' la Vida Loca

Joe

Quote from: pspdfppdfx on January 22, 2015, 08:57:47 AM
As if we weren't having enough problems around here updating the RIP, operating systems and programs...

You got this on a Mac? Everything I've seen about this is that it only affects Windows. But it is real. Once your files are encrypted the only way to get them back is to pay. Don't pay and your data is toast. I hope the fuckers that created this burn in hell.
Mac OS Sonoma 14.2.1 (c) | (retired)

The seven ages of man: spills, drills, thrills, bills, ills, pills and wills.

Joe

Quote
How does it infect a computer?

The infection process, as stated previously, is pretty standard for a virus. However, once it gets a hold of the host computer, it begins by establishing a network connection to random servers, where it uploads connection information like the public IP address, location, and system information including OS.

Next, the remote server will generate a random 2048-bit RSA key pair that's associated with your computer. It copies the public key to the computer and begins the process of copying each file on its pre-determined list of supported file extensions. As a copy is created, it's encrypted using the public key, and the original file is deleted from the hard drive.

This process will continue until all the files matching the supported file types have been copied and encrypted. This includes files that are located on other drives, such as external drives and network shares -- basically, any drive that's assigned a drive letter will be added to the list. Also, cloud-based storage that stores a local copy of the files on the drive will be affected, and changes will propagate to the cloud as the files are changed.

Finally, once the encryption process has completed, CryptoWall will execute some commands locally to stop the Volume Shadow Copy Service (VSS) that runs on all modern versions of Windows. VSS is the service that controls the backup and restoration of data on a host computer. It also controls file versioning, a feature introduced in Windows 7 that keeps histories of changes made to files. The file may be rolled back or restored to a previous version in the event of an unintended change or catastrophic event that causes the integrity of the file to have been modified. The command run by the virus stops the service altogether and also adds the command argument to clear/delete the existing cache, making it even more difficult to recover files through versioning or system restore.

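
Added example, not from the thread or any of its posters: a Python triage script for the two indicators the quoted article and the OP describe, run against a constructed share. It assumes the HELP_DECRYPT.* note name from the thread, that encrypted files keep their original names (so a .pdf whose bytes no longer start with %PDF is a candidate for restore from backup), and a small, assumed table of magic bytes for common prepress file types.

```python
import os
import tempfile
from pathlib import Path
NOTE_PREFIX = "HELP_DECRYPT."   # ransom note file name quoted in the thread

# Expected leading bytes for a few prepress file types (assumed, not exhaustive).
MAGIC = {
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG",),
    ".tif": (b"II*\x00", b"MM\x00*"),
}

def header_mismatch(path: Path) -> bool:
    """True if the extension promises a header the file's bytes do not have."""
    sigs = MAGIC.get(path.suffix.lower())
    if sigs is None:
        return False                 # unknown type: cannot judge, skip
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return False
    return not any(head.startswith(s) for s in sigs)

def triage_share(root: Path) -> dict:
    """Map each folder showing an indicator to its notes and unreadable files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if f.upper().startswith(NOTE_PREFIX))
        damaged = sorted(f for f in files
                         if f not in notes and header_mismatch(Path(dirpath) / f))
        if notes or damaged:         # either indicator marks the folder for restore
            rel = Path(dirpath).relative_to(root).as_posix()
            report[rel] = {"notes": notes, "damaged": damaged}
    return report

def demo() -> dict:
    """Build a constructed share in a temp dir: one hit folder, one clean one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        hit, clean = root / "Jobs" / "Acme", root / "Jobs" / "Beta"
        hit.mkdir(parents=True)
        clean.mkdir(parents=True)
        (hit / "HELP_DECRYPT.HTML").write_text("<html>constructed ransom note</html>")
        (hit / "HELP_DECRYPT.TXT").write_text("constructed ransom note")
        (hit / "brochure.pdf").write_bytes(b"\x9c\x02\xe1\x77 constructed ciphertext")
        (hit / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n untouched image")
        (clean / "cover.pdf").write_bytes(b"%PDF-1.4 clean file")
        return triage_share(root)
```

A header mismatch also flags files that are simply corrupt or mis-named, so treat the "damaged" list as candidates to compare against backup; the note files are the stronger signal.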

Farabomb

Quote from: Joe on January 22, 2015, 10:21:08 AM
You got this on a Mac? Everything I've seen about this is that it only affects Windows. But it is real. Once your files are encrypted the only way to get them back is to pay. Don't pay and your data is toast. I hope the fuckers that created this burn in hell.

Again, I got the screen saying I had to pay, pulled it off the network and booted into safe mode and recovered everything. Maybe I got lucky.

Joe

There are variants that do not actually encrypt the files. If you get the real CryptoWall you won't be able to recover them unless you have clean backups... or pay.

mattbeals

Untangle UTM systems are worth it. They can help filter the email, web pages, ads, downloaded files, FTP files, etc. for viruses. Doesn't eliminate the threat, but it will help mitigate the threat.

I would run an audit of some sort to figure out how the virus was introduced into the network. Glad you were able to recover.
Matt Beals

Everything I say is my own personal opinion and has nothing to do with my employer or their views.

pspdfppdfxhd

Quote from: Joe on January 22, 2015, 10:21:08 AM
You got this on a Mac? Everything I've seen about this is that it only affects Windows. But it is real. Once your files are encrypted the only way to get them back is to pay. Don't pay and your data is toast. I hope the fuckers that created this burn in hell.

Yep, came in from the PC and wandered into our Mac server and took over 2 of the 14 folders in the top directory.