OSX.KeRanger.A Already Executed

Ask for help and report issues with the Mac OS X version of Transmission
FranticDesigner
Posts: 8
Joined: Tue Mar 08, 2016 1:45 am

OSX.KeRanger.A Already Executed

Post by FranticDesigner »

I know this is a really messed up reason to join a forum for software that I've used (on and off/infrequently) for the past few years. I'm one of the suckers that downloaded on the 4th after it suddenly came to mind that I hadn't gotten this version on my newer MacBook Pro that I've been using for 18 months.

Got in this evening with the intention of continuing design work, and Adobe CC alerted me to the fact I couldn't sync. I had been busy all weekend, so I had no idea that the file 2 revs back was corrupted. I started doing research to find out what I could do to fix this, including deleting the corrupted version of Transmission and installing the latest.

My results aren't exactly what I expected. After the restart, my entire OS was back to factory defaults. This includes all data/accounts in mail, messages, notes, etc. having been erased. However, it seems all of the rest of my files remain, although everything is still encrypted. I've spent 4 hours poring over everything I could find in forums and reports to see how I might rectify this, and nothing. I'm an idiot; a space of time of my work isn't backed up, but even connecting my external HD to revert to my last solid backup in Time Machine won't work - the malware has obviously removed my ability to do so.

Those filthy rats will not get a BC from me, and I'm willing to lose some of my work from the recent past to have this nightmare come to an end. Am I the only jerk that didn't catch this in time? Anybody have any ideas? Any help would be seriously appreciated.
FranticDesigner
Posts: 8
Joined: Tue Mar 08, 2016 1:45 am

Re: OSX.KeRanger.A Already Executed

Post by FranticDesigner »

Thank you so much for the reply!
x190 wrote: Sorry for your issues, but more details are needed in order to try to provide help. First, did you get a message from the perpetrator(s) and can you post a screenshot? Have you removed processes and files known to be related to KeRanger.A?

Yes, I did get a ransom note. I noticed it in my download folder in the toolbar just about the same time I got the error from Adobe CC in my notifications. And actually, to say that I got a ransom note isn't truly accurate. There is a note in every file and directory on my computer. I'll include a screen shot.

x190 wrote: Did you run v2.92? This is required to benefit from its malware removal code. Did you ever actually run v2.90? It must be run to cause a problem, not just installed.

Perhaps you can help me understand the definition of "run". I did install, and use v2.90 on Friday night to test it out. I installed, and the program is running (v2.92), but I haven't used it to grab a torrent. Does loading a torrent into Transmission = run?

x190 wrote: The malware in question does not erase data or change settings. The idea is to extract funds and then unencrypt your data, not erase it, because then there would be no reason to pay.

That was why I was really confused about all of the rest of my data being gone. The exception, of course, is all the files from my CC work, photos, docs and the rest remaining. I wondered if it was to convince me in another way to pay the ransom. It isn't like reloading all that information would be difficult into, say, mail.

x190 wrote: You may have issues totally unrelated to KeRanger.A. Do you use FileVault to encrypt your disk? Have you had issues with Adobe or other graphics programs before? Which OS are you running?
http://blog.macsales.com/33321-adobe-cr ... el-capitan

I suppose that I am open to that possibility, however I have had no trouble from CC up to this point. Seems wildly coincidental that I would have the issue with CC coinciding with this nonsense with KeRanger.A. Right? Yes, I am running El Capitan, btw.

x190 wrote: I don't believe this to be related directly to KeRanger.A's reported capabilities. Does Time Machine mount in /Volumes and can you see its backed-up files?

Yes, Time Machine does mount, and I can also see the backed up files. When I select any of my backups, the button that selects greys out so that the option is no longer available. I attributed it to the malware because of reading that this particular capability was working, blocking users from reverting using Time Machine.
FranticDesigner
Posts: 8
Joined: Tue Mar 08, 2016 1:45 am

Re: OSX.KeRanger.A Already Executed

Post by FranticDesigner »

Attachment: Screen Shot 2016-03-07 at 10.33.08 PM.png (228.99 KiB)
FranticDesigner
Posts: 8
Joined: Tue Mar 08, 2016 1:45 am

Re: OSX.KeRanger.A Already Executed

Post by FranticDesigner »

I did forget to mention that I believe all elements of the malware have been removed. I checked system monitor for the active kernel, and also searched my directories for the two different things I found from the earlier press releases. Forgive me, I've closed all that.

Perhaps I don't understand how this malware works, but I also assume that its elements have been removed because the screenshot I just uploaded didn't immediately become encrypted.

One more note that slipped my mind in this madness. Before I trashed v2.90 and installed v2.92, I ran Malwarebytes and the program found the 3 files that I have been seeing screenshots of all over the web this afternoon. I goofed up and didn't immediately come back here.
FranticDesigner
Posts: 8
Joined: Tue Mar 08, 2016 1:45 am

Re: OSX.KeRanger.A Already Executed

Post by FranticDesigner »

I'm willing to accept that the OS reset may have been at my own hand in my haste, and I've come to terms with that. I can import all of those things back into place; no big deal.

That said:
After spending some time away, and upon reflection, I guess this boils down to one thing here. Operating from the assumption that all of the active malware elements are off of my computer, save for the ransom note(s) [54 to be exact] and all of my files still encrypted, am I just out of luck to recover the encrypted files as they were this morning? If that's the case, I will attempt retrieving a backup. Failing that a clean install. For some reason I gave myself the impression that following the protocols that I've read would somehow reverse the encryption and my files would open. If that isn't the case, I'd like to just move on and get back to my work. Any more insight from the collective brain on the forums is greatly appreciated, but I'm not holding out much hope that I can do anything other than rebuild.

Thanks in advance, and thanks again x190 for the reply.
FranticDesigner
Posts: 8
Joined: Tue Mar 08, 2016 1:45 am

Re: OSX.KeRanger.A Already Executed

Post by FranticDesigner »

I apologize. My brain moves in so many different directions that it's difficult to go through predictable progressions.

Yes, I can find my library folder, and I will search out to see that all of the malware is actually removed. Yes, it's true that only the files under my user account were corrupted, but if I'm seeing it correctly, basically any file stored in logical places on the local disk is just a subdirectory of my user, making most everything I would want to access encrypted by the malware.

This last point obviously ties into the previous: I can access files that were stored in the cloud, be it CC or other. Naturally that doesn't help with everything that was stored locally.

We can be blunt here: files on the local HD that were encrypted by the malware are now lost forever, correct? Without the key there is no chance of breaking the encryption to restore the files?
FranticDesigner
Posts: 8
Joined: Tue Mar 08, 2016 1:45 am

Re: OSX.KeRanger.A Already Executed

Post by FranticDesigner »

Thank you for the heads up on searching for restoration tips! I'll do some poking around to see what I can come up with. I did search the library and nothing from the original infection turned up.

As for removing the encryption, yeah, I kinda had a feeling that those files were gone forever. If all else fails, I do understand now why I was having an issue using Time Machine to revert to an earlier restore point, and that is still on the table.

I greatly appreciate your attention and advice on this. I don't usually get tripped up with this junk; you've helped add some clarity on what I'm dealing with.

Cheers!
bugmenot
Posts: 3
Joined: Sat Aug 06, 2011 9:41 pm

Re: OSX.KeRanger.A Already Executed

Post by bugmenot »

You can try booting from OS X Recovery and restoring the Time Machine backup from there (assuming the recovery partition has not been damaged by the malware), preferably to another hard drive to preserve the current state, then copy the files to your system. (But a complete restore would be better.)
Another option would be just connecting the backup drive to your computer (after completely removing the infection!), going to Computer/<your backup drive's name>/Backups.backupdb/<your computer name> (in Finder) and manually copying your files from there...
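The manual copy bugmenot describes, as an added example that is not from this thread or from the Transmission project: it picks the newest completed snapshot under Backups.backupdb and copies one path out of it with cp, never touching the backup itself. It assumes the standard Time Machine layout (dated snapshot directories under Backups.backupdb/<computer name>, each mirroring the volume, e.g. "Macintosh HD/Users/<name>") and that the infection has already been removed from the machine it runs on.

```shell
#!/bin/sh
# Added example (not from the thread): restore a directory from a Time Machine
# backup set by copying it out of Backups.backupdb. Assumptions (labelled):
# snapshots are dated directories named YYYY-MM-DD-HHMMSS under
# Backups.backupdb/<computer name>/, and each mirrors the backed-up volume.

# Print the newest completed snapshot directory in a computer's backup set.
# Usage: tm_latest_snapshot /Volumes/Backup/Backups.backupdb/MyMac
tm_latest_snapshot() {
    set_dir=$1
    [ -d "$set_dir" ] || { echo "no backup set at $set_dir" >&2; return 1; }
    # Dated names sort chronologically. The regex skips the Latest symlink and
    # any *.inProgress directory so a partial backup is never used as a source.
    latest=$(ls -1 "$set_dir" | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2}-[0-9]{6}$' | sort | tail -n 1)
    [ -n "$latest" ] || { echo "no completed snapshots in $set_dir" >&2; return 1; }
    printf '%s\n' "$set_dir/$latest"
}

# Copy one path out of the newest snapshot into a destination directory.
# Usage: tm_restore_path <backup set> <path inside snapshot> <destination dir>
tm_restore_path() {
    snap=$(tm_latest_snapshot "$1") || return 1
    src="$snap/$2"
    dest=$3
    [ -e "$src" ] || { echo "$2 not found in $snap" >&2; return 1; }
    mkdir -p "$dest" || return 1
    # -R recurses into directories; -p keeps modes and timestamps. The backup
    # is only ever read (cp, never mv), so the snapshot stays intact.
    cp -Rp "$src" "$dest/" || return 1
    printf 'restored %s from snapshot %s\n' "$2" "$(basename "$snap")"
}
```

Point it at the real backup set, e.g. tm_restore_path "/Volumes/Backup/Backups.backupdb/MyMac" "Macintosh HD/Users/me/Documents" "$HOME/restored", and inspect the result before copying anything back over the encrypted originals.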
FranticDesigner
Posts: 8
Joined: Tue Mar 08, 2016 1:45 am

Re: OSX.KeRanger.A Already Executed

Post by FranticDesigner »

I did eventually decide to just use the migration assistant to install from my last backup point. I thought it went ok initially, but after restarting now the disk won't mount at all. So there's a whole new problem to conquer.
HackerKitty
Posts: 1
Joined: Wed Mar 09, 2016 8:58 am

Re: OSX.KeRanger.A Already Executed

Post by HackerKitty »

This information probably would not solve your current problem - but at least this tells you the exact nature of this malware:

https://labs.bitdefender.com/2016/03/ke ... x-encoder/
KeRanger Is Actually A Rewrite of Linux.Encoder

>> A closer look at the KeRanger ransomware Trojan reveals that it is actually a Mac version of the Linux.Encoder Trojan.
The infected Mac OS X torrent client update analyzed by Bitdefender Labs looks virtually identical to version 4 of the Linux.Encoder Trojan that has been infecting thousands of Linux servers since the beginning of 2016. <<

The same Bitdefender people found a bug in the previous version of Linux.Encoder and supplied a decoding script:
https://labs.bitdefender.com/2015/11/li ... ption-key/

Unfortunately, this newer version has eliminated this encoding bug and looks impossible to decode in the same way :(