dukebound85

macrumors Core
Original poster
Jul 17, 2005
19,218
4,342
5045 feet above sea level
So my work Windows machine got hit with SamSam ransomware from work servers. It didn't seem to execute entirely (as it did on some of my colleagues'), as very few of my files were encrypted and I was still able to open all the key documents I need for work. My coworkers had all their stuff encrypted, demanding bitcoin repayment, which won't be happening.

I was able to save the files I need on an external drive and will be wiping the computer. What malware/virus scanners can detect this? I want to thoroughly scrub the data on my Mac via a Windows virtualization before I reintroduce files on my work machine. Can ransomware hide itself in Word/PDF/XLS files? Or does it need to have a .exe?

Thanks
 
A lot of ransomware is in Excel/Word files, mainly targeting businesses which still run Office 2007 or earlier. Simply open the file and you’re buggered. This is because those older Office versions automatically run macros when opened and that’s how they deliver the payload. That said, those viruses still don’t affect Macs, even if you run the malicious script.

That’s not to say Macs are impervious to viruses. However, Apple have made some simple decisions that seem massively obvious to prevent fundamental infections, such as SIP, which prevents editing of system files. Conversely, I couldn’t count the number of times I’ve seen the explorer shell in the registry hijacked to run an additional malware/ransomware program as it loads, which only involves adding a space and the path of the malicious item put in quotation marks. We’re talking a line of plain text here, that anybody with local admin privileges can edit. It’s utterly ridiculous how MS don’t completely lock that down.

Anyway, gripes aside about stupid Microsoft decisions — if you’re concerned, run MalwareBytes for Mac and try a scan through a free AV such as Sophos or Avast. However there isn’t anything close to Windows ransomware on Mac. Yes, you do get ransomware on macOS, but that either involves the user installing something or an application using a Java/Flash exploit. It’s not self-propagating like you see on Windows.
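Two defender-side checks that follow from the post above, written here as an added example (this is not code from the thread or from any product it mentions). The first answers the original question about Word/XLS files by judging an Office document by its bytes rather than its extension: modern OOXML files are zip containers and carry macros as a `vbaProject.bin` part, while legacy OLE2 `.doc`/`.xls` files are flagged with a heuristic (the `_VBA_PROJECT` stream name, stored as UTF-16LE in the container directory); for real triage of legacy files a dedicated parser such as oletools' `olevba` is the right tool. The second parses a Winlogon `Shell` registry value and reports any launch entry other than `explorer.exe`, which is exactly the "extra quoted path after a space" hijack described in the post. Sample documents and registry strings are constructed inline so the script runs offline; `read_winlogon_shell` uses the standard `winreg` module and only works on Windows.

```python
"""Static checks for (1) VBA macros in Office files and (2) a hijacked Winlogon Shell value.
Added example; sample inputs below are constructed, not real malware."""
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls/.ppt container
# OLE2 directory entry names are UTF-16LE; every VBA project has a "_VBA_PROJECT" stream.
# Presence of that name is a cheap heuristic, not a full compound-file parse.
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify_office_bytes(data: bytes) -> dict:
    """Classify raw file bytes: container is "ooxml", "ole2" or "other".

    The file extension is deliberately ignored: a macro-enabled .docm renamed to .doc
    is still opened (and its macros still offered) by Word, so content is what counts.
    """
    if data.startswith(b"PK\x03\x04"):  # zip local-file header -> OOXML candidate
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return {"container": "other", "has_macros": False, "evidence": []}
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        return {"container": "ooxml", "has_macros": bool(vba), "evidence": vba}
    if data.startswith(OLE2_MAGIC):
        hit = OLE2_VBA_MARKER in data
        return {"container": "ole2", "has_macros": hit,
                "evidence": ["_VBA_PROJECT stream name found"] if hit else []}
    return {"container": "other", "has_macros": False, "evidence": []}


def classify_office_file(path: str) -> dict:
    """Convenience wrapper for files on disk."""
    with open(path, "rb") as fh:
        return classify_office_bytes(fh.read())


# --- Winlogon Shell check -------------------------------------------------------
# Default value is exactly "explorer.exe". A hijacked value looks like
#   explorer.exe "C:\path\to\extra.exe"      (space-separated, quoted path)
# Winlogon also accepts a comma-separated list, so commas split tokens too.
_TOKEN = re.compile(r'"[^"]*"|[^\s,]+')


def extra_shell_entries(shell_value: str) -> list:
    """Return every launch entry in a Winlogon Shell value that is not plain explorer.exe."""
    tokens = [t.strip('"') for t in _TOKEN.findall(shell_value)]
    return [t for t in tokens if t.lower() != "explorer.exe"]


def read_winlogon_shell(hive: str = "HKLM"):
    """Read the live Shell value on Windows (HKLM = all users, HKCU = current user).

    Returns None when the value is absent, which is the normal state for HKCU.
    """
    import winreg  # Windows-only standard-library module
    root = winreg.HKEY_LOCAL_MACHINE if hive == "HKLM" else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(root, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
            value, _ = winreg.QueryValueEx(key, "Shell")
    except OSError:
        return None
    return value


# --- Constructed samples ---------------------------------------------------------
def _ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML-shaped zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


SAMPLES = {
    "invoice.docx (no macro)": _ooxml(False),
    "invoice.doc (really a .docm renamed)": _ooxml(True),
    "report.xls (legacy, with VBA)": OLE2_MAGIC + b"\x00" * 24 + OLE2_VBA_MARKER + b"\x00" * 8,
    "report.xls (legacy, no VBA)": OLE2_MAGIC + b"\x00" * 40,
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label}: {classify_office_bytes(data)}")
    for value in ["explorer.exe", 'explorer.exe "C:\\Users\\Public\\updater.exe"']:
        print(f"Shell={value!r} -> extra entries: {extra_shell_entries(value)}")
```

Running the module prints the classification of each constructed sample and shows the hijacked Shell string yielding one extra entry. On a Windows host, `extra_shell_entries(read_winlogon_shell("HKLM"))` returning anything other than an empty list is worth an immediate look.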
 
Can they impact already created and known word/excel files or are they unique files that run macros?

Well in my example it’s normally from emails saying “see attached invoice”, so some unsuspecting toilet brush crunching cells in a dead-end job would open the file. It’s nothing sculptured for a specific business. If a domain is affected by ransomware then they’re chirpily encrypting your files and charging the moon on a stick to unlock them.

So basically: although it’s technically possible that an infection could edit existing items, they wouldn’t need to do that as they’ve already injected the infection and buggered up your data anyway. People who write ransomware don’t play the long game. They’re just out for immediate extortion.

TL;DR: I wouldn’t be too concerned. Honestly. Just run some AV for your peace of mind.
 
Run an A/V and be sure to have the latest Office security updates before proceeding. Not much after that. However, if you are still paranoid, copy your files into a "dummy" PC and run them to see which file might be infected.
 
I've been dealing with some crypto mining malware on one of the web servers I manage. I've engaged several teams at my organization to work on this, and up until recently, I was largely unsuccessful in fully purging it from the web server. Thanks to one team for giving me a tidbit of info that I was able to use to see that there was a specific vulnerability, and so I patched the web servers and so far everything looks clean.
 