Cryptowall (Help_Decrypt virus) in iCloud

Hello everyone,


So my mom got an email in for a job resume the other day and attached was a .zip file of what should have been a job resume, but when she opened it, she got a pop-up and the whole mess of the Help_Decrypt virus started spreading. EVERYWHERE!! So I just decided to wipe her iMac clean and start over (we have backups, thankfully), however it appears that the virus got into her iCloud files and is preventing her from opening all of her documents. "Spreadsheet cannot be opened"


Is there any way we can access a "restore point" or are we just screwed and have to start over?


Thanks in advance for any help everyone!

~Taylor

iMac, OS X Yosemite (10.10.3)

Posted on May 17, 2015 7:35 AM

53 replies

May 17, 2015 8:49 AM in response to Apple429

Unless your mother was running Windows on her Mac, what you describe is entirely impossible. Help_Decrypt (CryptoWall 3.0) is Windows only malware. It may have thrown a pop-up on the screen via her web browser, but that's all it could do. So no, the "virus" (And also, no, it's not a virus of any kind. It's ransomware) couldn't have spread anywhere. Not on her Mac, iCloud data, or anywhere else.


I checked many sources, and all note that it is Windows only. The file that starts the process is vssadmin.exe. An .exe file is a Windows program and cannot run directly in OS X in any way.


There are a few conflicting notes around the web. A couple (one of them Dell, of all sources) say that CryptoWall has been written to infect 64 bit operating systems, so can affect both Windows and OS X. Which is pure baloney. Just because OS X is 64 bit doesn't mean Windows software can run on it. That is literally impossible. The National Vulnerability Database shows how it infects a system, and which ones. Notice that they are all versions of Windows.


Here's what likely happened. This is the best notice I've found on how CryptoWall 3 works. Your mom likely had Java installed on her Mac and enabled for her browser. That allows the Java portion of the email attachment to get started (as a related note, they are distributed as fake resume emails). As part of the process, it displays a dire HTML page noting that your computer has been encrypted and you need to pay an extortion fee to get your data back. Which brings us back to vssadmin.exe. It can't perform that part at all. Meaning it didn't get any further than tossing the HTML page on the screen. All you really had to do was close the browser and disable Java for the web so you'd never see this kind of thing again.


All you have to do is reinstall OS X, and restore your last backup.

May 17, 2015 10:03 AM in response to Apple429

This problem has nothing to do with "viruses," which don't exist.

Please back up all data, then open the iCloud pane in System Preferences. If the box marked iCloud Drive is checked, uncheck it and confirm. Your iCloud documents should be preserved on Apple's servers.

Test to see whether there's an improvement, then re-check the box and test again. It may take a noticeable amount of time for your iCloud Drive documents to resynchronize.

Apr 5, 2016 11:27 AM in response to Kurt Lang

Kurt and Linc, you're talking about this being Win only, how then it knows the way around Mac platform? How come it managed to slot itself into multiple folders inside the Library folder? While the affected Mac had Windows installed via VMware, none of the shared folders included Mac Library.


Also on the side note, certain aspects of the Mac side don't work properly, every time I try to open Security & Privacy, it keeps closing System Preferences.

Apr 5, 2016 12:24 PM in response to Shawody

how then it knows the way around mac platform?

There is no evidence of that in the initial post. Just lots of speculation based on a scam web page appearing on their Mac. Read the links I posted. It's Windows ONLY malware. It can't do anything to a Mac.


I don't know where some writers are getting the idea it can infect a Mac, but it's still 100% wrong. I looked again and found this site, making the same claim that it can infect both Windows and Macs. If you follow the link in that short paragraph, it takes you to Dell's website where it describes how it works. All .exe files. Windows programs, that once again, cannot in any way work in OS X.


The site noting by the author of this topic may have had the criminal site download the .exe files to their Mac through Java, but it's still meaningless since it cannot run.


Another site says their OS X server was infected with a cryptolocker.html file. Uh, that's not any kind of infection. It's just an .html file that would pop up in user's browser claiming their computer is infected.


And yet another site here making the same statement that it affects Windows and newer versions of OS X. And like all of such sites I've found, they don't mention one thing that proves their assertion that OS X can be affected.


I guess the main question is, why are you bringing this up again?

Apr 5, 2016 12:31 PM in response to Kurt Lang

I'm bringing this up, as I have a friend's MacBook in front of me with 69 folders, each containing 4 HELP_Decrypt files. None of these folders appear on Windows platform, they're all in Mac folders. Majority in the Library/Containers folder.


Affected are PDF, text files, image files none of which open anymore. Also affected is Security & Privacy in System Properties that crashes every time you open it.


So what I'd like to figure out is how this came about, especially on the fact that Windows on VMware was not used for browsing/opening emails. Also only certain folders have been shared in VMware, however Library/Containers was NOT shared.

Apr 5, 2016 12:40 PM in response to Shawody

1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.

The test works on OS X 10.8 ("Mountain Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.

Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.

2. If you don't already have a current backup, please back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.

There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.

You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.

In this case, however, there are ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone who understands the code can verify what it does.

You may not be able to understand the script yourself. But variations of it have been posted on this website many times over a period of years. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.

Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.

4. Here's a general summary of what you need to do, if you choose to proceed:

☞ Copy the text of a particular web page (not this one) to the Clipboard.

☞ Paste into the window of another application.

☞ Wait for the test to run. It usually takes a few minutes.

☞ Paste the results, which will have been copied automatically, back into a reply on this page.

These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.

5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is intermittently slow, run the test during a slowdown.

You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual before running it. If you can only test in safe mode, do that.

6. If you have more than one user, and only one user is affected by the problem, and the affected user is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn't apply. Don't log in as root.

7. Load this linked web page (on the website "Pastebin.") Press the key combination command-A to select all the text, then copy it to the Clipboard by pressing command-C.

8. Launch the built-in Terminal application in any one of the following ways:

☞ Enter the first few letters of its name ("Terminal") into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.

9. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.

If the test is taking much longer than usual to run because the computer is very slow, you might be prompted for your password a second time. The authorization that you grant by entering it expires automatically after five minutes.

If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

10. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:

Test started

Part 1 of 4 done at: … sec

Part 4 of 4 done at: … sec

The test results are on the Clipboard.

Please close this window.

The intervals between parts won't be exactly equal, but they give a rough indication of progress.

Wait for the final message "Please close this window" to appear—again, usually within a few minutes. If you don't see that message within about 30 minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it. Then go to the next step. You'll have incomplete results, but still something.

In order to get results, the test must either be allowed to complete or else manually stopped as above. If you close the Terminal window while the test is still running, the partial results won't be saved.

11. When the test is complete, or if you stopped it manually, quit Terminal. The results will have been saved to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "close this window" message. Please wait for it and try again.

If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

12. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the software that runs this website. Please post the test results on Pastebin, then post a link here to the page you created.

If you have an account on Pastebin, please don't select Private from the Paste Exposure menu on the page, because then no one but you will be able to see it.

13. When you're done with the test, it's gone. There is nothing to uninstall or clean up.

14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.

15. The linked UNIX shell script bears a notice of copyright. Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

Apr 5, 2016 12:54 PM in response to Linc Davis

Linc, if I understand correctly, you would like me to run a test on the infected mac. My main concern is that I've not connected that machine to my local network and therefore the internet, purely out of precaution, as there are both PCs and Macs on the network. And whatever it is on that machine, I don't trust it without finding out a bit more.


If you could perhaps explain a bit more, what this script that you mentioned in your post does, or what can it show, I'll be able to make an informed decision if it is worth connecting that machine back to internet.

Apr 5, 2016 1:07 PM in response to Shawody

I'm bringing this up, as I have a friend's MacBook in front of me with 69 folders, each containing 4 HELP_Decrypt files. None of these folders appear on Windows platform, they're all in Mac folders. Majority in the Library/Containers folder.

Thomas Reed noted this about such files on a Mac:

Your Mac has not been infected with anything. However, it looks like that external storage device has been used with a Windows computer that is infected with the CryptoWall malware. If that is correct, you will need to figure out what Windows device is infected and make sure to get it cleaned up. In addition, from what I understand about CryptoWall, the data on the affected drive is now trashed... hopefully you have backups of that data!

Affected are PDF, text files, image files none of which open anymore. Also affected is Security & Privacy in System Properties that crashes every time you open it.

What may have happened is a server running Windows is infected and it managed, somehow, to encrypt your Mac data from the server. I say this because despite various sites claiming this ransomware can infect "newer" Macs, not one of them explains how.


Edit: Actually, now seeing your response to Linc, you likely have an infected Windows computer on your network that caused your Mac files to be encrypted by it. So the correct way for these sites to explain it is no, the Mac itself cannot be infected by Cryptowall, but a network connected Windows computer that is infected can encrypt the files it finds via sharing. And that would still be a darn good trick since Windows cannot natively write to, or even read a Mac formatted drive. It would either have to be an infected Windows server, or a network connected Windows computer with software such as Paragon HFS on it, which will then allow Windows to access a Mac formatted drive.


Be sure to follow Linc's steps. It may help to uncover the cause.
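The exchange above describes the on-disk evidence of this kind of incident: every touched folder holds a set of HELP_DECRYPT ransom-note files, and documents keep their names but no longer open. As an added example (not code from this thread or from any poster), the triage script below walks a directory tree, counts ransom-note files per folder and flags PDF/PNG/JPEG files whose header no longer matches their extension. The note-file extensions and the magic-byte table are assumptions constructed for the example, and the sample tree it builds is constructed, not real malware output.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Ransom-note stem the thread reports ("each containing 4 HELP_Decrypt files").
# Matched case-insensitively on the file name without its extension.
NOTE_STEM = "help_decrypt"

# Minimal magic-byte table for types the thread says stopped opening (assumption).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def triage(root):
    """Walk root and return (dirs_with_notes, suspect_files).

    dirs_with_notes: {directory: number of ransom-note files found in it}
    suspect_files:   files whose extension promises a known header but whose
                     first bytes do not match (encrypted content keeps the
                     original name but loses the format signature)."""
    notes = defaultdict(int)
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if stem.lower() == NOTE_STEM:
                notes[dirpath] += 1
                continue
            magic = MAGIC.get(ext.lower())
            if magic is None:
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(magic))
            except OSError:
                continue  # unreadable file: report nothing rather than guess
            if head != magic:
                suspects.append(path)
    return dict(notes), sorted(suspects)


def build_sample_tree():
    """Constructed sample tree mimicking the thread's description (not real output)."""
    root = tempfile.mkdtemp(prefix="cw_triage_")
    hit = Path(root, "Library", "Containers", "com.example.app")
    hit.mkdir(parents=True)
    for ext in (".txt", ".html", ".png", ".url"):  # four notes per folder (assumed names)
        (hit / f"HELP_DECRYPT{ext}").write_bytes(b"ransom note placeholder")
    (hit / "notes.pdf").write_bytes(b"\x1f\x8b\x08garbage")  # overwritten: no %PDF header
    clean = Path(root, "Documents")
    clean.mkdir()
    (clean / "ok.pdf").write_bytes(b"%PDF-1.4\n%clean")
    (clean / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 jfif")
    return root


if __name__ == "__main__":
    notes, suspects = triage(build_sample_tree())
    for directory, count in notes.items():
        print(f"{count} ransom notes in {directory}")
    for path in suspects:
        print("header mismatch:", path)
```

Run it against the real volume (for example a mounted copy of the affected Mac's drive) by passing that path to `triage()` instead of the constructed tree; the folder list tells you which shares or mounts the encrypting host could reach.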

Apr 5, 2016 1:02 PM in response to Shawody

First, as I wrote earlier, you should not run the script unless you can satisfy yourself that it's safe. I suggested some ways to do that.

If you're asking why I suggested running it, it's because it may reveal whether the computer is infected with some unknown malware, as you seem to suspect. I'm taking your suspicions at face value.

The code is public and the output is readable. Apart from that, I don't share information about what it does. No one but myself needs to know, since the output is meant to be used only by me. Those to whom I suggest running it only need to know what the script doesn't do.

It doesn’t directly create, delete, or modify any files. Running it will indirectly cause the operating system to leave slight traces in log files, and perhaps in some temporary files that will eventually be deleted or overwritten. Those events are all part of normal system operation and will happen anyway, whether you run the script or not.

The script doesn’t send or receive any data on the network.

The output is placed on the Clipboard on exit, where it will stay until the user overwrites it or logs out. Otherwise the script leaves no trace in memory after the Terminal window has been closed.

By virtue of all the above, merely running the script will not change the way the computer works at all, nor will it reveal anything that you don't choose to reveal.

Apr 5, 2016 1:07 PM in response to Kurt Lang

Kurt, I don't quite get what server running Windows you have in mind? The Windows is installed on the hard drive via VMware Fusion. There is external storage, but it was supposedly not used for a longer period (as in months before the appearance of ransomware). Thus I'm currently of the standpoint that it is still clean. However, just out of precaution as I don't have another sandboxed machine, I'm not willing to plug it into my working machine, just in case it is infected, or on the other hand not willing to plug it into the "infected" Mac, just in case it is still clean.


The idea was to find out as much as I can about why it happened and how in order to prevent as much as possible future exposure to malware/ransomware, and then wipe the infected Mac, install a fresh version of OS X and then try the external storage to see if that is in fact infected too.

Apr 5, 2016 1:13 PM in response to Shawody

Kurt, I don't quite get what server running Windows you have in mind?

I was making possible assumptions as to the cause.


Windows in a VM is still Windows and the Windows OS can be infected by anything a stand-alone Windows computer can be. How it managed to encrypt data on the Mac portion of the drive is interesting, if that is the case. But then, part of the function of VM software is to allow the user to move files from one OS to the other via the desktop. So having the VM installed may have given Windows the ability to both read and write the Mac formatted data, though it's not supposed to be able to do that. The Windows environment is supposed to be isolated.

Apr 5, 2016 1:21 PM in response to Shawody

You don't have to connect the affected machine to the network. You can copy the script to a plain text file and transfer that file to a storage device such as a USB flash drive. Mount the drive and proceed with Step 7 as if you had loaded the web page with the text. You will then have to copy the output to the drive and mount it on another machine that is connected to the network. If you're concerned that some kind of infection will be transmitted that way, erase the internal drive of the connected machine and restore from a backup.
