Potential Ransomware?

Discussion in 'macOS' started by ccwright9, Jul 29, 2016.

  1. ccwright9 macrumors newbie

    Joined:
    Jul 29, 2016
    #1
    5K iMac, 1TB Fusion Drive

    Monday night, I started to back up my iOS devices for the public beta. I also had a couple of Adobe things pop up that I thought were associated with Lightroom.

    Creative Cloud attempted to access a secure website: performance.typekit.net (don't type this in; not sure if it was the culprit).

    Anyway, right after this I stepped away from my computer and it went to sleep. When I tried to unlock it, the password didn't work. I tried another username; same thing, the password didn't work.

    I restarted the computer and all my usernames were gone. Just "Guest" and "Other". I called Apple support; they didn't have much information for me but helped me enable the root user and change the "Other" password. I changed it and took the iMac offline. Apple support was closing, so I began researching what had happened to my usernames and files.

    Storage was still full, so I knew the files were still there. It looked like the usernames had been hidden. I looked in the directory and could see the sharepoint usernames. I started a chat with Apple tech support to ask how to unhide my usernames if they had been hidden.

    As the root user we went into Finder and saw the usernames there. Creating new user accounts with the same names didn't work. We had to bring those folders to the desktop, change the names of the users, put them back in Finder/Computer, and then create new users to merge the new user accounts with the files.

    Yes! I fixed it, I thought. I started my backups to make sure I had everything and finally went to sleep. I woke up the next morning and began to check OS X software and update Adobe through their website. Continuing through the day of backing up, it started happening again. Fortunately, I caught this before all of the usernames were hidden. I took the Mac back offline and finished my backup.

    Backup done, I go to Recovery and begin to try to wipe. I wipe Mac HD (journaled), and nothing comes back up under Fusion Drive. It just shows me Fusion Drive with no partition. When I click Partition, nothing happens. When I try to reinstall OS X, no drive is available to install it on after it verifies online.

    End result: the device failed to mount properly and the hard drive needs to be replaced.

    Between the two lockouts I changed networks from my Eeros to an AirPort Extreme. I reset the Extreme and used a never-before-used password. I don't think my network was compromised. It's almost like there was remote access, or a keylogger was able to get my passwords and lock me out. I ran Malwarebytes on all users before I wiped and nothing came up.

    Any idea what happened here so I know what to look out for?
     
  2. thomasareed macrumors member

    Joined:
    Aug 24, 2015
    #2
    The only real ransomware to hit the Mac was KeRanger, and it is extinct. You can't be infected with that at this point, and even if you were, it won't actually encrypt anything any longer, because the server from which it would have downloaded the encryption keys is no longer there.

    Further, there's no known malware on the Mac currently that can install all by itself. All current Mac malware requires user assistance (i.e., manually opening a malicious app or installer) to function.

    Finally, it's not possible for malware to damage your hard drive physically.

    What it sounds like happened is that the rotational drive in your fusion drive failed, which caused a number of unusual behaviors as it was starting to die. This is normal behavior for any rotational hard drive; they will inevitably fail at some point.
     
  3. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #3
    Typekit.net is a legitimate Adobe domain; you can be sure this isn't some sort of malware coming from there.
     
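A concrete way to check the two things this thread turns on, added here as an example that is not part of any post above: whether the "missing" accounts are merely flagged hidden in Directory Services (post #1), and whether the rotational half of the Fusion Drive is reporting a SMART failure (post #2's diagnosis). The functions below parse the output of `dscl . -list /Users IsHidden` and `diskutil info <disk>`; because those tools only exist on macOS, constructed sample output is embedded so the script runs anywhere. The account names and the drive model in the samples are made up, not taken from the poster's machine.

```shell
#!/bin/sh
# Added example, not code from the thread. On a Mac, feed live output instead:
#   diskutil info disk1 | smart_status
#   dscl . -list /Users IsHidden | hidden_users
# A Fusion Drive has two physical members (see `diskutil list`); check both.

# Extract the SMART Status value from `diskutil info` output read on stdin.
# Prints Verified, Failing, "Not Supported", or Unknown if the line is absent.
smart_status() {
    awk -F': *' '/^ *SMART Status:/ { gsub(/^ +| +$/, "", $2); print $2; found = 1 }
                 END { if (!found) print "Unknown" }'
}

# From `dscl . -list /Users IsHidden` output ("name value" per line, read on
# stdin) print the accounts whose IsHidden attribute is 1. Such an account
# still exists, with its home folder intact, but the login window omits it.
hidden_users() {
    awk '$2 == 1 { print $1 }'
}

# Constructed sample of diskutil output for a dying rotational member.
SAMPLE_DISKUTIL='   Device Identifier:         disk1
   Device Node:               /dev/disk1
   Whole:                     Yes
   Part of Whole:             disk1
   Device / Media Name:       EXAMPLE HDD 1000GB
   Solid State:               No
   SMART Status:              Failing'

# Constructed sample of dscl output. Accounts starting with "_" are macOS
# service accounts and are hidden by design, so they are filtered out.
SAMPLE_DSCL='_mbsetupuser    1
exampleuser     1
familyaccount   1
admin           0'

# Report helpers that apply the parsers to the embedded samples.
check_disk() {
    printf '%s\n' "$SAMPLE_DISKUTIL" | smart_status
}

check_users() {
    printf '%s\n' "$SAMPLE_DSCL" | hidden_users | grep -v '^_' \
        | tr '\n' ' ' | sed 's/ $//'
}

printf 'SMART status of sampled disk: %s\n' "$(check_disk)"
printf 'Hidden non-service accounts: %s\n' "$(check_users)"
```

If a real account shows up as hidden, `sudo dscl . -delete /Users/<name> IsHidden` removes the flag and the account reappears at login; a `Failing` SMART status on either member of a Fusion Drive means back up immediately and replace the disk, which matches the outcome reported in post #1.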