Infected with Mac ransomware, but I caught it - next steps?
March 9, 2016 9:32 AM   Subscribe

I was one of the 6,000 unlucky souls to download the KeRanger ransomware virus for Mac. It seems that I caught it after it started to encrypt my files, but before it encrypted all of them. Am I still at risk? Next steps?

I downloaded the KeRanger virus through the Transmission update, and then I must have caught it mid-file encryption, as it seems the only files that it encrypted were the contents of my desktop (and all folders contained therein). I followed the instructions here to get rid of it:

-I deleted the file /Applications/Transmission.app/Contents/Resources/ General.rtf

-I terminated the “/Users//Library/kernel_service” process in Activity Monitor

-I think I deleted the kernel_service process as well (I don't remember - if I didn't delete it, it's because I couldn't find any of the kernel processes listed in the article).

-I downloaded and ran the updated version of Transmission which is supposed to take care of the virus as well.

The timing of this seems really crazy, as from my understanding, the virus should have encrypted all of the files on my computer, whereas the only encrypted files that I've found are the ones on my desktop (along with a .txt file containing instructions on how to decrypt). But in tracing back the timing, I might have literally caught it at the 3-day mark. The only other thing that I've noticed that seems awry was a notification from iTunes when connecting my iPhone that let me know that the computer was no longer authorized, and asking me to reauthorize it.

Here are my questions:

-I have a relatively recent backup (a couple of weeks ago). It would be simpler to pull the unencrypted files from the backup onto my current computer, than to transfer the files created since backup on my computer to a previous iteration. Can I rely on the relative safety of my computer at this point? I would prefer to do this if my computer is safe, but if need be, I can restore from an older version, and transfer my newer files to that.

-I'm currently traveling till the weekend, and don't have my backup hard drive with me. Is there anything pressing that I need to do before I get home?

-Are there any other security concerns that I'm not seeing in the publications on the virus? Identity theft, and things of that nature?

-Any recommendations for a Mac antivirus software that I can download to do a quick final sweep and make sure I've caught everything?

Thanks!
posted by rock'em sock'em puppets to Computers & Internet (3 answers total) 5 users marked this as a favorite
 
Sorry to hear you were hit by this.

1. In your shoes, I'd sleep a lot more soundly if I nuked the drive and restored from backup. If some miscellaneous system or application support data was encrypted deep in the bowels of the system it may not be immediately evident, but could cause wonky behavior down the road. Best to get a clean slate if possible. Individual files you've changed since the last full backup can be copied to a second location (burned to disc, copied to thumb drive, moved to dropbox, etc), then restored manually after you've restored the whole drive.

Please, please, please double-check your backup is good before erasing anything!

Assuming the backup is via Time Machine: To nuke and restore, you'll want to boot from the Recovery partition (hold Command-R during boot) and use Disk Utility to erase the internal drive. Then quit Disk Utility, and restore from Time Machine while still on the Recovery partition.

2. I can't think of anything pressing you need to do between now and this weekend -- just keep careful track of any files you're touching that will be newer than what's on the backup so you can set them aside if you opt for the nuke-and-pave. If you're worried about any of your data going out over the wires you might install Little Snitch as a precaution.

3. Like you, I haven't heard of any identity theft or other secondary concerns outside the ransom-demanding stuff. However this garbage tends to mutate in the wild and it's hard to know if you picked up the exact "strain" as the next guy. I'd advise standard precautions against this sort of thing (close eye on bank info, change passwords, etc).

4. Some research has led me to settle on Avira as the best all-around antivirus for Mac for general use, it's slick and doesn't crush your computer's general performance the way Sophos and some of the others do. On-demand scans from Malwarebytes augment that really well too.

Good luck!
posted by churl at 10:38 AM on March 9, 2016 [3 favorites]


Thank you! How do I double-check that the backup is good?
posted by rock'em sock'em puppets at 11:43 AM on March 9, 2016


Great question! Unfortunately there's nothing that 100% guarantees your backup integrity (short of actually fully restoring from it), but due diligence should include A: running Disk Utility's "first aid" against the backup drive and making sure nothing in red appears, and B: a jaunt through the folders themselves on the backup in the Finder to observe your most important files actually open to a double-click / aren't being omitted for some reason / etc. If you're using Time Machine you can use the "Latest" folder alias at the root of the drive. Your stuff is in /Users/yourname.

If you happen to have TechTool or an equivalent 3rd-party utility, you can surface scan the external drive to check for bad blocks, though expect it to run overnight at least. Or if you wanted to go for the extreme, you could do a fresh backup to a different drive as a safety net if the restore goes south. These are overboard for most situations but, hey, you're the only one really in the position to evaluate your time/budget vs the value of your data. (It's more than I'd do, but note that I'm a crazy person and keep 3 backups going concurrently.)

Overwhelming likelihood is your backup is good if it appears good in the Finder. But in the rare case that a key file lands on a bad block, Time Machine's incremental backups don't save you since subsequent snapshots of unchanged files just hardlink to the original instance on the backup. I wouldn't worry too much about that, though; as far as bum backups go, "the drive was physically bad in a non-obvious way" is way less likely than "oops I thought I'd backed everything up to this drive but I misremembered" — double-check the latter and you should be fine.
posted by churl at 10:11 PM on March 9, 2016 [2 favorites]


« Older Automated system for nonprofit membership cards?   |   Ebay item sold for higher than expected. Newer »
This thread is closed to new comments.