siljaline (I'm lovin' that double wide), Premium Member, join: 2002-10-12, Montreal, QC, kudos: 18, Bell Fibe Internet

Apple users targeted in first known Mac ransomware campaign
Reuters cyber-sleuth author Jim Finkle wrote:
quote: Apple Inc (AAPL.O) customers were targeted by hackers over the weekend in the first campaign against Macintosh computers using a pernicious type of software known as ransomware, researchers with Palo Alto Networks Inc (PANW.N) told Reuters on Sunday. [...]
» www.reuters.com/article/ ··· CN0W80VX
Palo Alto Networks explains the attack in more detail - » researchcenter.paloalton ··· staller/
Tweet from noted Palo Alto researcher Claud Xiao - » twitter.com/claud_xiao/s ··· 55645953
Aprel, Member, join: 2013-09-14, kudos: 2
2016-Mar-7 1:01 am
Summary of the situation:
• Transmission is an open-source BitTorrent client for Unix-based systems.
• The project's official website was compromised so that it would host a tampered binary for Mac (.dmg file) that contains ransomware.
• The ransomware remains in a latent state for 3 days and then encrypts files in the /Users and /Volumes directories.
• Victims must follow an .onion URL (Tor-based) and pay 1 Bitcoin (~$400) to decrypt the data.
• In response, Apple has blacklisted the certificate used to sign the tampered binary to alert any user that attempts to install it.
• The Transmission project has removed the tampered binary from their server and made a commit to the source to attempt to remove the ransomware if still inactive on users' Macs who update to the latest version.
Infected version is 2.90. No reports of the ransomware affecting any Unix-based system except Mac, as it seems that it was deployed only in the Mac's binary.
dolphins (Clean Up Our Oceans), Premium Member, join: 2001-08-22, Westville, NJ, kudos: 8, Xfinity
to siljaline
I see no mention of Apple's FileVault? Is it possible to encrypt that which is already encrypted and locked with a key? Wouldn't ransomware first have to bypass the system keychain and remove all encryption including encrypted backup drives?
-- Stop The Mindless Killings, Stop Overfishing
siljaline (I'm lovin' that double wide), Premium Member, join: 2002-10-12, Montreal, QC, kudos: 18
to Aprel
ESET has detections in place for KeRanger - » virusradar.com/en/OSX_Fi ··· r/detail
Other AV & AS vendors surely have followed suit.
DarkLogix (Texan and Proud), Premium Member, join: 2008-10-23, Baytown, TX, kudos: 4
to dolphins
said by dolphins:
> Is it possible to encrypt that which is already encrypted and locked with a key?
I don't see why not. Just end up with multiple layers of encryption (assuming they did it right, otherwise you have trash that's not recoverable).
-- semper idem 1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv A plan that doesn't scale is a plan to fail.
dolphins (Clean Up Our Oceans), Premium Member, join: 2001-08-22, Westville, NJ, kudos: 8, Xfinity
2016-Mar-7 2:40 pm
said by DarkLogix:
> said by dolphins:
> > Is it possible to encrypt that which is already encrypted and locked with a key?
> I don't see why not. Just end up with multiple layers of encryption (assuming they did it right, otherwise you have trash that's not recoverable).
Maybe I'm misunderstanding what FileVault actually does? I know it blocks access to your data if your computer is physically stolen, but I assumed that since it encrypts all data on your drive on-the-fly, malware could only infect your browser? If my understanding is correct then any infection would need my System Keychain password in order to unlock the data to make changes. I have physical access and can't make any root changes without being prompted for my System password.
-- Stop The Mindless Killings, Stop Overfishing
DarkLogix (Texan and Proud), Premium Member, join: 2008-10-23, Baytown, TX, kudos: 4
Looks like it's whole-drive encryption » support.apple.com/en-us/HT204837
As such it only protects when it's off, and once you've logged in the key is in memory and thus the malware can get to it (i.e. it's to protect from lost/stolen laptops, not malware that you let get loose). So once you've logged in, the malware is free to encrypt it again.
-- semper idem 1KTzRMxN1a2ATrtAAvbmEnMBoY3E2kHtyv A plan that doesn't scale is a plan to fail.
dolphins (Clean Up Our Oceans), Premium Member, join: 2001-08-22, Westville, NJ, kudos: 8
2016-Mar-7 3:08 pm
Yes, but any attempt to make system changes prompts me for my password. So would I not see a prompt for a password?
-- Stop The Mindless Killings, Stop Overfishing
DarkLogix (Texan and Proud), Premium Member, join: 2008-10-23, Baytown, TX, kudos: 4
dolphins (Clean Up Our Oceans), Premium Member, join: 2001-08-22, Westville, NJ, kudos: 8, Xfinity
2016-Mar-7 3:14 pm
TheWiseGuy (Dog And Butterfly), MVM, join: 2002-07-04, East Stroudsburg, PA, kudos: 3
Think of the malware just like any program, i.e. a spreadsheet or word processor. It can still open a file, alter it and save different data to disk. So it encrypts it, then it saves it to disk, where it is encrypted again via FileVault.
-- Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.
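The point DarkLogix and TheWiseGuy make (an unlocked FileVault volume hands plaintext to any program in the session, so ransomware simply writes ciphertext back and FileVault re-encrypts that) as an added toy model; this is not code from the thread, from Apple or from the KeRanger analysis, and the SHA-256 keystream cipher, the EncryptedDisk class and the file path are made up stand-ins (real FileVault uses XTS-AES). It also shows why the raw-disk view is high-entropy before and after the attack, so any ransomware detection has to look at files as the user sees them, not at the encrypted blocks.

```python
import hashlib
import math
import os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher: XOR with SHA-256(key || block counter). Symmetric, so it decrypts too.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def entropy_bits(data: bytes) -> float:
    # Shannon entropy per byte: close to 8 for ciphertext, well under 5 for English text.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

class EncryptedDisk:
    """Stand-in for a FileVault volume: ciphertext at rest, transparent plaintext
    for every process once the volume key is in memory (i.e. after login)."""
    def __init__(self):
        self.volume_key = os.urandom(32)   # constructed; real FileVault uses XTS-AES
        self.unlocked = False
        self.blocks = {}                   # path -> bytes as they sit on the disk
    def write(self, path, plaintext):
        if not self.unlocked:
            raise PermissionError("volume locked: only a powered-off/logged-out Mac is protected")
        self.blocks[path] = keystream_xor(self.volume_key, plaintext)
    def read(self, path):
        return keystream_xor(self.volume_key, self.blocks[path])

def session_process_rewrites(disk, path, process_key):
    # Any program in the logged-in session (word processor or malware alike) reads
    # plaintext through the unlocked volume and may write whatever it likes back.
    disk.write(path, keystream_xor(process_key, disk.read(path)))

def demo():
    disk = EncryptedDisk()
    disk.unlocked = True                               # the user has logged in
    path, original = "/Users/alice/report.txt", b"quarterly report, plain text " * 32
    disk.write(path, original)
    raw_before = disk.blocks[path]
    session_process_rewrites(disk, path, os.urandom(32))  # a key the user never holds
    return {
        "file_view_changed": disk.read(path) != original,      # what the user now sees
        "file_entropy": entropy_bits(disk.read(path)),         # high: the new outer layer
        "raw_entropy_before": entropy_bits(raw_before),        # high: FileVault layer
        "raw_entropy_after": entropy_bits(disk.blocks[path]),  # still high: both layers
    }
```

No password prompt is involved at any step, because the process only touches files the logged-in user already owns; that is the gap dolphins is asking about.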
dolphins (Clean Up Our Oceans), Premium Member, join: 2001-08-22, Westville, NJ, kudos: 8, Xfinity
2016-Mar-7 10:07 pm
As mentioned over in the Apple forum by DarkLogix, I assumed FileVault was a type of sandbox. It makes sense to me now that if I'm logged on with administrative privileges, any infection not caught by AV, firewall, etc. would have root access. Since I'm fairly new to OS X, the constant prompting for my System Key for any root changes gave me a false sense of security. Thanks for helping to clear it up though.
-- Stop The Mindless Killings, Stop Overfishing