MacResource
Company infected with Ryuk ransomware - Printable Version

Thread: Company infected with Ryuk ransomware (/showthread.php?tid=233152)



Company infected with Ryuk ransomware - bazookaman - 10-09-2019

Every computer in the company got it. Apparently that’s how it works. But MY question is, did it get my Mac? I have the only Mac in the company. They made an announcement over the intercom to shut down your computer but I was on a call. So I was happily working away while everyone’s computer was being encrypted. So I eventually shut down but I don’t want to boot it back up at home and spread it more. Totally ignorant here. So I’m doing this on my phone.


Re: Company infected with Ryuk ransomware - btfc - 10-09-2019

Here's a primer:

https://blog.malwarebytes.com/cybercrime/malware/2019/01/ryuk-ransomware-attacks-businesses-over-the-holidays/


Re: Company infected with Ryuk ransomware - Filliam H. Muffman - 10-09-2019

I don't know for sure that this specific malware can encrypt the average Mac; the Malwarebytes page does not mention macOS. I haven't seen any information on the exact vector it uses and if it was required to have been triggered by a Mac on the network. What specific version of the OS and browsers were you running?

One website I found implied there is a Norton tool to remove Ryuk from Macs, but it seems to be only a generic REFERRAL link to buy Norton Utilities. :facepalm:


Re: Company infected with Ryuk ransomware - N-OS X-tasy! - 10-09-2019

Here's a more general article about malware and Macs: https://www.macworld.co.uk/how-to/mac/ransomware-3659100/

To answer your original question: It seems your Mac is most likely immune to the Ryuk malware. From the article linked below:

Like most other ransomware that targets the enterprise, Ryuk exploits Windows vulnerabilities. But unlike WannaCry, there isn’t one specific vulnerability that it always targets first, such as that notorious Windows SMB exploit. Ryuk’s cyber attackers will spend time mapping their targets’ networks and maliciously acquiring credentials. As Microsoft patches Windows and Cisco patches networking devices, the Ryuk team will probably find new vulnerabilities to exploit. And they do it all just for you!

https://webcache.googleusercontent.com/search?q=cache:WPYFHseC6FcJ:https://blog.comodo.com/ryuk-new-ransomware-targeting-businesses-and-enterprises/+&cd=26&hl=en&ct=clnk&gl=us&client=firefox-b-1-d


Re: Company infected with Ryuk ransomware - bazookaman - 10-09-2019

Yeah. I read a bunch about it and came to the same conclusion re: the Mac. It was just super freaky today. Basically the entire company just shut down. Everyone's computer, the website. Everything. We were/are dead in the water. The new IT Manager is definitely earning his paycheck today/tonight.

Was thinking about getting a subscription to Sophos for the family computers. Now that I'm more paranoid than normal!


Re: Company infected with Ryuk ransomware - jdc - 10-09-2019

bazookaman wrote:
Was thinking about getting a subscription to Sophos for the family computers. Now that I'm more paranoid than normal!

Seems like a great idea if your family runs Windows.


Re: Company infected with Ryuk ransomware - Sarcany - 10-10-2019

Macs can be immune, but still carriers via email or file-exchange.

Macs -- not just Mac servers -- that have file-sharing connections available to Windows machines on the same network can have their data encrypted by ransomware. One of our Mac servers had a folder encrypted by ransomware... and quickly restored via Time Machine backup.

Ryuk is often spread via spam or phishing emails. You could have it in a message in your Inbox right now.

Assuming that you WANT to get your Mac back online and get to work...

Discuss it with your IT guys if they aren't nuts at the moment. If they appear to be the slightest bit distracted, leave them alone and live with your Mac being offline.

If they're willing to spare a minute to talk, tell them that Macs are immune and offer to download an antivirus app (Sophos is fine) and an antimalware app (MalwareBytes) from a second Mac and copy it onto your work machine with the work Mac completely disconnected from the network (Ethernet and WiFi) and see if they're willing to let you power it up on those terms.

...Until they give you the word, do not put the Mac back on the network. No Ethernet. No WiFi. It doesn't matter if your Mac is immune. It matters that this is a crisis and you shouldn't make trouble for the people putting out fires.
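Sarcany's point above is that a Mac whose file shares are reachable from Windows machines can have its data encrypted even though the Mac itself does not run the malware, and that the restore came from a Time Machine backup. A defender watching the share side sees that as one client rewriting many distinct files in a short burst. The following is an added example, not code from the thread or from any product mentioned in it: a small burst detector run over constructed file-server access log lines. The log format (`<ISO timestamp> <client IP> <operation> <path>`), the client addresses, the paths and the thresholds are all assumptions made for the example; a real file server's audit log needs its own parser.

```python
"""Heuristic detection of ransomware-style mass writes over a file share.

Added example (not from the forum thread). Log format, hosts, paths and
thresholds are constructed for illustration. Lines are assumed to arrive in
time order, as they would when tailing a server log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a user editing a couple of documents, plus one junk line
# to show that unparseable input is skipped rather than crashing the detector.
NORMAL_LINES = [
    "2019-10-09T14:02:01 10.0.0.21 WRITE /Shared/Finance/q3.xlsx",
    "2019-10-09T14:02:40 10.0.0.21 READ /Shared/Finance/q3-notes.docx",
    "2019-10-09T14:03:15 10.0.0.21 WRITE /Shared/Finance/q3-notes.docx",
    "garbage line that should be skipped",
]

# Constructed burst: a second client (hypothetical 10.0.0.57) rewriting 25
# distinct files in 25 seconds, the shape an encryption run over a share has.
BURST_LINES = [
    f"2019-10-09T14:05:{i:02d} 10.0.0.57 WRITE /Shared/Finance/file{i:02d}.docx"
    for i in range(25)
]

SAMPLE_LOG = NORMAL_LINES + BURST_LINES


def parse_line(line):
    """Parse one log line into (timestamp, client, op, path); None if malformed."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].upper(), parts[3]


def detect_bursts(lines, window_seconds=60, threshold=20):
    """Return {client: (first_alert_time, distinct_files)} for every client that
    modified at least `threshold` distinct paths within any `window_seconds` span.

    Only modifying operations count (WRITE and RENAME); reads are ignored so a
    user opening many files does not trip the heuristic. Each client is
    reported once, at the moment it first crosses the threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client -> deque of (timestamp, path), oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, op, path = rec
        if op not in ("WRITE", "RENAME"):
            continue
        q = recent[client]
        q.append((ts, path))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and client not in alerts:
            alerts[client] = (ts, distinct)
    return alerts


if __name__ == "__main__":
    for client, (when, count) in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {when.isoformat()} client {client} modified {count} files "
              f"within the window; consider isolating it and checking backups")
```

The window and threshold are deliberately conservative placeholders; a real deployment would tune them against the share's normal write rate, and the response on an alert is the one the thread already describes: disconnect the offending machine from the network and restore the affected folder from backup.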


Re: Company infected with Ryuk ransomware - bazookaman - 10-10-2019

I powered it up at home and ran our corporate Malwarebytes on it before turning on WiFi and it found nada. We're pretty sure it was an employee who clicked an attachment or something along those lines. Our SysAdmin had just sent out an email earlier this week saying that we were being phished hard and to NOT click on anything. Apparently someone did.


Re: Company infected with Ryuk ransomware - Speedy - 10-10-2019

https://nakedsecurity.sophos.com/2017/06/15/more-mac-ransomware-666-and-7-days-to-pay/

“We’ve been saying it for some time: Mac malware is rare compared to the stuff that targets Windows. But Apple computers are far from immune.

This year’s SophosLabs malware forecast included Mac malware geared towards harvesting data, providing covert remote access to thieves and holding files for ransom.

Other examples of Mac ransomware include OSX/Filecode-K and OSX/Filecode-L.

Now comes word of a new piece of Mac ransomware, which SophosLabs has identified as OSX/Ransom-A. Widely reported as an example of ransomware-as-a-service (RaaS) for Macs, it has become popularly known as MacRansom.

How it works

This ransomware is not in the wild. Those who want a sample must contact its creators through a secure ProtonMail email address. SophosLabs did obtain a sample and made the following observations:

When you first run the OSX/Ransom-A malware app, you won’t see any tell-tale popups asking for a password. The malware installs itself quietly to work under your own account, rather than as a system-wide program.”


Re: Company infected with Ryuk ransomware - Speedy - 10-10-2019

https://www.macworld.co.uk/feature/mac-software/mac-viruses-list-3668354/

“Wondering how many viruses exist for the Mac? Here is a list of recent Mac malware attacks, viruses for Apple computers, and security threats that Mac users have suffered.”