Cryptowall (Help_Decrypt virus) in iCloud

Hello everyone,


So my mom got an email in for a job resume the other day and attached was a .zip file of what should have been a job resume, but when she opened it, she got a pop-up and the whole mess of the Help_Decrypt virus started spreading. EVERYWHERE!! So I just decided to wipe her iMac clean and start over (we have backups, thankfully), however it appears that the virus got into her iCloud files and is preventing her from opening all of her documents. "Spreadsheet cannot be opened"


Is there any way we can access a "restore point" or are we just screwed and have to start over?


Thanks in advance for any help everyone!

~Taylor

iMac, OS X Yosemite (10.10.3)

Posted on May 17, 2015 7:35 AM

53 replies

Apr 6, 2016 10:44 AM in response to Kurt Lang

Kurt, was just trying to figure this one out, as it is not computing.


Fair enough, you prevent Windows to see Mac folders by only using USB drive to exchange files. But what if you get malware/ransomware/infection on Windows, and you're not aware of it, when you're saving file back to your USB drive. Would it not then effectively also infect Mac when you're moving files from USB drive??

Apr 6, 2016 10:52 AM in response to Shawody

Would it not then effectively also infect Mac when you're moving files from USB drive??

No, since you've prevented Windows itself from having access to the Mac portions of your computer. The worst that can happen is you'll see Windows malware that has been copied to the flash drive, or (such as in this case) files that were encrypted by Windows malware. But that's it. It would be the same as getting Windows malware in your Mac's email. It's there, but can't do a darn thing to OS X.

Apr 6, 2016 4:49 PM in response to Shawody

Hello Shawody,

Malwarebytes and DetectX ran so quickly because they only check for Mac-specific threats. They aren't like antivirus tools ported from Windows that scan for 10 million Windows viruses and 4 Mac trojans. They were both written by members of Apple Support Communities and are safe and effective. However, they aren't going to remove anything that isn't there. It is true that no anti-malware tool is going to be able to detect zero-day threats. But the sad fact is that most people who have adware or malware problems are usually dealing with 287-day threats that can be easily detected and removed. I don't doubt that your problem was caused by Windows malware and I'm quite sure that it would have been prevented had you been running Windows anti-malware.


It would help if you reviewed exactly what folders were shared. ~/Library/Containers is an unusual place. It would be unusual to have PDF, text files, image files in that location. Could you be more specific about which folders were affected?


Finally, what's the big deal about running LittleSnitch? Half of all Mac users in the world run that.

Apr 6, 2016 5:43 PM in response to etresoft

Hi Etresoft,


Well, there is up-to-date McAfee AV installed on the Windows side. I'll run it again tomorrow and see if that gets anything. Plus I think there was also Malwarebytes or some anti-malware for Win if I'm not mistaken that I downloaded the other day. I'll try to run that tomorrow again and see.


Folders in Library/Containers:

- com.apple.weatherkitservice

- com.apple.Photos

- com.apple.Photomoments

- com.apple.Notes

- com.apple.Maps

- com.apple.ncpluginstocks

- com.apple.apple.ical

- com.apple.ibooksX (also in multiple subfolders)

- com.apple.geod

- com.apple.facetime

- com.apple.calendaragent

- com.apple.appstore


No big deal in little snitch. 🙂 I'd say that will prob save more than any other malware/AV for mac.

Apr 6, 2016 6:51 PM in response to Shawody

Hello again Shawody,

Are those the folders that were affected? Or are those the folders that were shared?


Anything in the Containers folder should have only internal files for each sandboxed app. I would not expect any of those folders to have PDF, text, or image files. Any modifications to any of those folders would likely cause the associated app to crash, have some kind of incorrect operation, or perhaps not affect it at all.


Could you provide a directory listing of a sample of the affected files?

Apr 8, 2016 3:17 AM in response to etresoft

No, as far as I can tell the Library/Containers folders have not been shared, at least they're not set in the Sharing folders settings of the VMWare. The only thing common, looking through the Library/Containers subfolders, seems to be the shortcuts to Desktop folder (as well as shortcuts to all other User folders, eg Documents, Pictures, etc.). Desktop folder was affected to some degree and was shared with VMWare.


Other folders that were affected were on both internal hard drives. While some folders have been shared with VMWare, others like Pictures, Downloads and User home folder were not.


Could you please explain what you mean with sample of the affected files? Is it the file extensions you're looking for? If so, they were mainly PDFs, DOCs, Excel, Powerpoint, CAD. None of which open, it just says the files are invalid.


Actually, I just found tons more affected folders. :/ It nested itself into the Photos Library database. I just got curious and looked inside the database and found files that search in Finder did not show. To paint the picture, HELP_DECRYPT files are inside the main Photos database, then in each subfolder that leads to a subfolder with the actual JPG files. It's probably a moot point mentioning that JPGs are gone, as they cannot be opened anymore. :/

Apr 8, 2016 9:45 AM in response to etresoft

But here's the thing, Pictures folder was never shared with VMWare, yet the whole folder is now gone, complete with Photos Library database. Neither was /Users folder shared with VMWare, it was only some of its subfolders.


Following that logic, the ransomware spread up the hierarchy, perhaps looking for the most common names of folders and file types, meaning that even if I only share the /Users/Shared folder, it will still spread to other folders.

Apr 8, 2016 1:46 PM in response to etresoft

Here's the bizarre thing though. If it spread from Desktop, through /Library/Containers all the way to /Users folder, and then also to /Pictures, how come it didn't spread further to the second internal hard drive, as there was a direct link (alias) to a pictures folder on the second hard drive. None of those pictures are affected. Also there were shared folders with VMWare on the second hard drive that were affected.


So how the **** does this spread... what's the algorithm, and where does it stop. If it manages to get through some folders and aliases... why not through others?

Apr 8, 2016 3:48 PM in response to Shawody

Hello again Shawody,

There is no link to the Desktop to any other location. There are links from all ~/Library/Containers folders to many other locations. But, in theory, a properly sandboxed app shouldn't have write access to those links. But VMWare isn't sandboxed at all so why did it even go into those Containers folders.


If the link to the second hard drive was a true alias instead of a symbolic link, then it wouldn't be followed.


But with all due respect, you could solve many of these mysteries by just telling us what many people have asked you. What folders, specifically, were shared with Windows?

Apr 9, 2016 2:10 PM in response to etresoft

Well, there are 7 shared folders in the VMWare settings. I have omitted part of the names due to privacy issues.


From the main(primary) HDD:


- HDD-01/Users/b....

- HDD-01/Users/b..../Desktop


From the secondary HDD:


- HDD-02/Documents on B..../P letters/15 D... road

- HDD-02/Documents on B..../J.../Ar.../351-E...

- HDD-02/Documents on B..../Ref..../A... cars

- HDD-02/Documents on B..../J.../Ar.../300-A.../300-T.../Door Window

- HDD-02/Documents on B..../J.../Ar.../300-A.../300-D.../In progress


Does this help you in any way? Or were you looking to get something else?


Btw. I just found more folders infected in the /Users/B.../Library and its subfolders, they didn't show up on the Finder search.


After a second look, it seems that it travels down the hierarchy and not up. It can't go through aliases. It went for PDFs, TXTs, Docs, Excel, .mov, .jpg, CAD (.dwg), some .xml, .db, .sqlite, .js, some .plists. It also seems to not go for all image files, it completely ignored one folder full of PNGs.
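The last two posts describe what a practitioner needs after an incident like this: a list of which directories hold HELP_DECRYPT marker files, which documents are actually damaged versus still intact, and confidence that the scan itself does not wander across links the way the thread worried the ransomware might. The following triage script is an added example, not code from this thread, from Apple or from any of the posters. It walks a tree without following symbolic links, flags directories containing a file whose name starts with HELP_DECRYPT (the marker name quoted in the thread), and checks the leading bytes of common document and image files against their public file signatures; a PDF that no longer starts with `%PDF`, or a JPEG that no longer starts with `FF D8 FF`, is reported as damaged. The sample tree, the file names and the junk bytes standing in for ciphertext are all constructed here so the script runs offline.

```python
"""Post-incident triage for a directory tree after a Cryptowall-style event.

Added example (not from the thread). Walks the tree WITHOUT following
symbolic links, records directories holding a HELP_DECRYPT marker file,
and checks whether common document/image files still carry their expected
leading bytes. Files whose header no longer matches their extension are
reported as damaged so a restore can be targeted at them.
"""
import os
import tempfile
from collections import Counter

# Public file signatures for formats the thread mentions (assumed, not from
# the page). Only the leading bytes are compared.
MAGIC = {
    ".pdf": [b"%PDF"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".pptx": [b"PK\x03\x04"],
    ".doc": [b"\xd0\xcf\x11\xe0"],
    ".xls": [b"\xd0\xcf\x11\xe0"],
    ".sqlite": [b"SQLite format 3\x00"],
}
MARKER_PREFIX = "HELP_DECRYPT"  # marker file name as quoted in the thread


def header_matches(path):
    """True if the file's leading bytes fit its extension, False if not,
    None when the extension is not one we know how to check."""
    sigs = MAGIC.get(os.path.splitext(path)[1].lower())
    if sigs is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(16)
    return any(head.startswith(s) for s in sigs)


def triage(root):
    """Scan root (never crossing symlinks) and return a summary dict with
    paths relative to root."""
    marker_dirs, damaged, intact = [], [], []
    symlinks_skipped = 0
    damaged_by_ext = Counter()
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinked directories still show up in dirnames; drop them
        # explicitly so they are neither descended into nor counted.
        linked = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        symlinks_skipped += len(linked)
        dirnames[:] = [d for d in dirnames if d not in linked]
        rel_dir = os.path.relpath(dirpath, root)
        if any(f.upper().startswith(MARKER_PREFIX) for f in filenames):
            marker_dirs.append(rel_dir)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                symlinks_skipped += 1
                continue
            ok = header_matches(full)
            if ok is None:
                continue
            rel = os.path.relpath(full, root)
            if ok:
                intact.append(rel)
            else:
                damaged.append(rel)
                damaged_by_ext[os.path.splitext(name)[1].lower()] += 1
    return {
        "marker_dirs": sorted(marker_dirs),
        "damaged": sorted(damaged),
        "intact": sorted(intact),
        "damaged_by_ext": dict(damaged_by_ext),
        "symlinks_skipped": symlinks_skipped,
    }


def build_sample_tree(base):
    """Construct a small tree: an intact PDF and JPEG, a PDF whose contents
    were replaced by junk (standing in for ciphertext), a marker file, and a
    symlinked directory pointing outside the scanned root."""
    docs = os.path.join(base, "scan", "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "ok.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample\n")
    with open(os.path.join(docs, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0\x00\x10JFIF")
    with open(os.path.join(docs, "report.pdf"), "wb") as fh:
        fh.write(b"\x13\x37 constructed junk standing in for ciphertext")
    with open(os.path.join(docs, "HELP_DECRYPT.TXT"), "w") as fh:
        fh.write("constructed marker file\n")
    outside = os.path.join(base, "outside")
    os.makedirs(outside)
    with open(os.path.join(outside, "secret.pdf"), "wb") as fh:
        fh.write(b"\x00\x00 junk outside the scanned root")
    os.symlink(outside, os.path.join(docs, "linked"))
    return os.path.join(base, "scan")


def run_demo():
    """Build the constructed tree in a temp dir and triage it."""
    return triage(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because the link into `outside` is not followed, `secret.pdf` never appears in the report even though it is damaged: that is the point of the `followlinks=False` walk, and it mirrors why a tree-walking scan (or, in the thread's observation, the ransomware itself) stops at links rather than wandering onto a second drive. Run it against a real home folder only after the machine has been wiped or the share removed, and treat `header_matches` as a first pass: a file with a valid header can still be truncated or partially overwritten.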
