Apple429

Q: Cryptowall (Help_Decrypt virus) in iCloud

Hello everyone,

So my mom got an email in for a job resume the other day and attached was a .zip file of what should have been a job resume, but when she opened it, she got a pop-up and the whole mess of the Help_Decrypt virus started spreading. EVERYWHERE!! So I just decided to wipe her iMac clean and start over over (we have backups, thankfully), however it appears that the virus got into her iCloud files and is preventing her from opening all of her documents. "Spreadsheet cannot be opened"

Is there anyway we can access a "restore point" or are we just screwed and have to start over?

Thanks in advance for any help everyone!

~Taylor

iMac, OS X Yosemite (10.10.3)

Posted on May 17, 2015 7:35 AM

Page 4 of 4
  • by Shawody, Level 1 (4 points), Apr 9, 2016 2:10 PM in response to etresoft

    Well, there are 7 shared folders in the VMware settings. I have omitted part of the names due to privacy issues.

    From the main (primary) HDD:

    - HDD-01/Users/b....
    - HDD-01/Users/b..../Desktop

    From the secondary HDD:

    - HDD-02/Documents on B..../P letters/15 D... road
    - HDD-02/Documents on B..../J.../Ar.../351-E...
    - HDD-02/Documents on B..../Ref..../A... cars
    - HDD-02/Documents on B..../J.../Ar.../300-A.../300-T.../Door Window
    - HDD-02/Documents on B..../J.../Ar.../300-A.../300-D.../In progress

    Does this help you in any way? Or were you looking to get something else?

    Btw. I just found more folders infected in /Users/B.../Library and its subfolders; they didn't show up in the Finder search.

    On a second look, it seems that it travels down the hierarchy and not up. It can't go through aliases. It went for PDFs, TXTs, Docs, Excel, .mov, .jpg, CAD (.dwg), some .xml, .db, .sqlite, .js, some .plists. It also seems not to go for all image files; it completely ignored one folder full of PNGs.

  • by etresoft, Level 7 (29,101 points), Apr 9, 2016 2:42 PM in response to Shawody

    Hello again Shawody,

    I think the confusion may have been due to the way you were searching for files. Those symbolic links inside the ~/Library/Containers folders just point to other folders in the user's home directory. That probably isn't the route the ransomware took. That is the route that your search took. You were sharing the user's home directory and a number of folders on a server. Any file in any of those folders, or any subfolder therein, could have been affected.

  • by Shawody, Level 1 (4 points), Apr 9, 2016 3:21 PM in response to etresoft

    Hi Etresoft,

    Nah, that is not the route my search took. The search I made was in Finder for all files named HELP_DECRYPT in "This Mac". It showed everything except files in the Photos Library database and almost all /Library subfolders (for some reason the only folder inside /Library that showed among the results was /Library/Containers; that's why I knew about it).

    But I do agree that the ransomware trickled down from the /Users/B.... folder. I don't understand, though, why it left some folders intact when encrypting all around them.

    Is there anything else we can find out from this case? If not, I'll get on with reformatting and setting it up again. :/

  • by etresoft, Level 7 (29,101 points), Apr 9, 2016 4:29 PM in response to Shawody

    Hello again Shawody,

    In that case, you may not know the route your search tool took. If you used the Finder, you would have used Spotlight. Spotlight only looks for user documents. I'm surprised it would have reported anything in those Containers folders at all. You may have other encrypted files on the hard drive that Finder did not tell you about.

  • by Shawody, Level 1 (4 points), Apr 10, 2016 3:55 AM in response to etresoft

    Hi Etresoft,

    What would be a better search, then, to find all the files?

    I went and manually checked each and every folder (hidden and non-hidden) and made an Excel spreadsheet with all the folders (if anybody is interested I can paste the whole thing here). The amount is a staggering 323 (+/- a few) folders!! All on the Mac, and none, I mean literally 0 (zero) folders on the Windows platform.

    While I do follow the logic that it seems to have spread from Windows, purely on the basis that the main folders affected were the ones directly shared in VMware and that it then spread down the hierarchy of certain subfolders depending on their content, it didn't seem to spread up the hierarchy. I do struggle to see why no Windows folders were affected.

    Also, looking through all the folders just now, it seems to randomly skip certain folders, although they contain similar files to those that are encrypted in others. PNG files seem to be exempt, and I do wonder if that is because one of the HELP_DECRYPT files is a PNG file.

  • by etresoft, Level 7 (29,101 points), Apr 10, 2016 12:20 PM in response to Shawody

    Hello again Shawody,

    The only guaranteed way to find files is with the "find" command line tool.

    Is it possible that extensions are being hidden in Windows? Or in some folders on the Mac? That is another unfortunate complication.

    These ransomware tools can't encrypt every single file at once. They have to go through the hierarchy. The order in which they search is not always predictable.

  • by Shawody, Level 1 (4 points), Apr 11, 2016 5:58 AM in response to etresoft

    Hey etresoft,

    I tried the "find" command line tool and it found pretty much the same number of files as my manual search through each folder. I seem to have counted a couple of files twice and got 323 (309 after some sorting), whereas the "find" command found 299. Not far off.

    Regarding extensions, they're not hidden on the Mac, but on Windows some of the most common ones (PNG, TXT) are hidden, while database ones (.sqlite, etc.) are not. Are you asking because of the search or because of how the ransomware encrypted files? Just for info, I never did a search using extensions, only by the file name.

    Well, according to the creation date/time stamps, this is roughly how it went down the hierarchy:

    - started in the Desktop [shared with VMware],
    - then Downloads [not shared],
    - then some of the Library [not shared],
    - /Users/b.... [shared],
    - then other parts of the Library [not shared],
    - Pictures folder [not shared],
    - then the shared folders that were on the secondary HDD [only the shared ones and anything in those subfolders].

    So I guess it is unpredictable in a sense, but going 9 subfolders deep in certain places, and in other places only 5 subfolders deep, while leaving folders full of (PNG) images intact, is a bit of a strange coincidence in my opinion.

  • by etresoft, Level 7 (29,101 points), Apr 11, 2016 6:43 AM in response to Shawody

    Hello again Shawody,

    The OS X file hierarchy can be confusing. Plus, terminal commands are very picky. One character can make all the difference. Without knowing exactly what command you ran and exactly where, I can't comment on any discrepancy in the counts.

    The path that "find", or the ransomware, took through your file system can also be confusing. Don't be fooled by the modification times on the files. That doesn't mean anything. It is impossible to go from Desktop to Downloads. It would have had to start at an ancestor that is common to both. Plus, those container folders have links going in the opposite direction. And a well-crafted ransomware would do a depth-first traversal to avoid detection for as long as possible. PNG files are not likely to be valuable, so I can understand why those would be skipped.
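An added example, not from this thread or from either poster, of the find-based enumeration etresoft recommends above and earlier (Apr 10): it walks hidden folders such as ~/Library that a Finder/Spotlight search skips, and because find does not follow symbolic links by default, the links under ~/Library/Containers do not make one folder show up twice in the count. The note file names and the sample tree are constructed for the demo.

```sh
#!/bin/sh
# Added example (not the thread's own commands): list every folder that holds
# a HELP_DECRYPT ransom note, using find rather than Spotlight. find's default
# (-P) behaviour does not follow symlinks, so Containers links are not counted.

# Print each directory containing at least one HELP_DECRYPT* file, once.
affected_dirs() {
    find "$1" -type f -name 'HELP_DECRYPT*' -exec dirname {} \; | sort -u
}

# Count those directories (tr strips the padding BSD wc adds on macOS).
affected_count() {
    affected_dirs "$1" | wc -l | tr -d ' '
}

# Constructed tree mirroring the thread: notes on the Desktop and in a hidden
# Library subfolder, a PNG folder left untouched, and a symlink back to the
# Desktop like the ones found under Library/Containers.
make_sample_tree() {
    mkdir -p "$1/Desktop" "$1/Library/Containers/app/Data" "$1/Pictures/pngs"
    : > "$1/Desktop/HELP_DECRYPT.TXT"
    : > "$1/Desktop/HELP_DECRYPT.PNG"
    : > "$1/Library/Containers/app/Data/HELP_DECRYPT.HTML"
    : > "$1/Pictures/pngs/photo.png"
    ln -s "$1/Desktop" "$1/Library/Containers/app/Data/Desktop"
}

# Stand-alone run: build the sample in a temp dir and report the folders.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    affected_dirs "$tmp"
    echo "affected folders: $(affected_count "$tmp")"
    rm -rf "$tmp"
fi
```

Run it as `sh find_notes.sh --demo` to see the two affected folders; point `affected_dirs` at a real home directory (for example `affected_dirs "$HOME"`) to get the per-folder list that Spotlight would have truncated.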

  • by Shawody, Level 1 (4 points), Apr 19, 2016 10:12 AM in response to etresoft

    Just found some more info, and I can now confirm with certainty that it indeed spread from the Windows side, as I found the RSA crypto public key. How, or through what method, the payload was delivered is still unknown, unfortunately.
