Let me first describe the situation:

MacBook Pro, 4~5 years old, running macOS Mojave 10.14.1 - only pictures encrypted
Using VMware I'm running (if needed) Windows 7, to make PCB designs - no problems noticed here
Recently installed: Parallels with Windows 10, to make PCB designs - here is where the problem started.

Since I was facing some problems on the W7 machine (newer versions are not supported that well), I decided to play around with a new virtual machine; I installed Parallels and Windows 10.

This worked out well, but I was not done with the complete journey and was still facing some problems. I thought it could be caused by the non-activated version of Windows, so I decided to download KMSPico.

I saw some suspicious things happening on my screen, but I was under the assumption that nothing could happen since I'm working in a virtual machine.
The KMSPico installation took way too long, and by accident I saw something similar to the encrypted disk of a friend: a text file with a weird name, and text about decryption in it. Not good.
The Mac partition was accessible by Windows via the built-in functions of Parallels; I think this is the way it also partially infected my Mac.

Next I shut down the Parallels W10 machine, but Finder on the Mac was also very, very busy. So I killed Finder and started to look if there was any damage on my Mac: the Pictures folder appears to be encrypted.

As suggested by this website, I have done a Malwarebytes scan and a Farbar scan. The scan is done by the OTHER, NOT INFECTED W7 virtual machine, since I'm afraid the damage will be worse if I start up the W10 again. It could be the case that the found infections have nothing to do with the infections in the other virtual machine, but I'm not sure. See attachments.

The infected folders all have a text file with the following filename: OUMELYEOCA-DECRYPT.txt - also added in attachments.

If I have to do the scan in the infected virtual machine, I might unlink the drive, but I would like to know if it is really needed.

2018-12-14 Malwarebytes scanlog W7.txt

OUMELYEOCA-DECRYPT.txt

Addition.txt

FRST.txt

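An added example, not code from the thread or from Malwarebytes: when a ransom note like OUMELYEOCA-DECRYPT.txt sits in every affected folder, the first defensive step is to scope the damage before touching anything, so a decrypter can later be pointed at an unmodified sample. The script below walks a tree, locates note files by name pattern, and for each affected directory counts files per extension. It assumes (this is an assumption, not something the thread confirms) that encrypted files carry the note's prefix as their extension, and builds a constructed sample tree so it runs offline.

```python
"""Inventory directories that contain a ransomware note.

Added example (not from the thread). The note-name pattern follows the
OUMELYEOCA-DECRYPT.txt file mentioned in the post; the sample tree built by
build_sample_tree() is constructed for demonstration only.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Matches names like OUMELYEOCA-DECRYPT.txt (pattern is an assumption).
NOTE_PATTERN = re.compile(r"^[A-Z]{5,12}-DECRYPT\.txt$")


def find_notes(root):
    """Return sorted paths of every ransom-note file under root."""
    root = Path(root)
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and NOTE_PATTERN.match(p.name))


def inventory(root):
    """For each directory holding a note, count the other files by extension.

    Files whose extension equals the note's lower-cased prefix (e.g.
    '.oumelyeoca') are tallied as 'encrypted'; this naming convention is an
    assumption made for the example. Nothing is modified on disk.
    """
    report = {}
    for note in find_notes(root):
        prefix = note.name.split("-DECRYPT")[0].lower()
        others = Counter()
        encrypted = 0
        for f in note.parent.iterdir():
            if f == note or not f.is_file():
                continue
            if f.suffix.lower() == "." + prefix:
                encrypted += 1
            else:
                others[f.suffix.lower() or "(none)"] += 1
        report[str(note.parent)] = {
            "note": note.name,
            "encrypted": encrypted,
            "other": dict(others),
        }
    return report


def build_sample_tree():
    """Construct a throwaway tree mimicking the situation in the post."""
    base = Path(tempfile.mkdtemp(prefix="ransom_demo_"))
    pics = base / "Pictures" / "2018"
    pics.mkdir(parents=True)
    # Constructed placeholder note; real notes contain the attacker's text.
    (pics / "OUMELYEOCA-DECRYPT.txt").write_text("placeholder note text\n")
    for i in range(3):
        (pics / f"img{i}.jpg.oumelyeoca").write_bytes(b"\x00" * 16)
    (pics / "readme.txt").write_text("untouched\n")
    docs = base / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("clean\n")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    for folder, info in inventory(sample).items():
        print(folder, info)
```

Run it against a copy of the affected folder (never the only copy) to see which directories were hit and how many files in each changed extension; the untouched files it lists are the candidates for the "unmodified sample" a decrypter asks for, provided an original is still available from a backup or another device.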

  • Root Admin

Hello @Bosman and :welcome:

Please see the following post and see if this helps with recovery of your data.

https://www.bleepingcomputer.com/news/security/free-decrypter-available-for-the-latest-gandcrab-ransomware-versions/

I would not re-enable the Windows 10 VM with it connected to data on the Mac.


  • 2 weeks later...

Dear Malwarebytes,

This message does not really help me. What do you mean with: "follow their directions and have the sample unmodified file"? I believe I did what I should do:

I have followed the directions of the link that was posted above; this does not work because the key was not found. In the infected folders is the text file with the key clearly mentioned. I have tried both a specific search and a full search, and I just tried it again with a freshly downloaded version of the decryptor, but still no success.

How can I make the decryptor point to the key that this tool cannot find itself?

Thanks in advance


  • Root Admin

Normally it would find it if you had that specific version of the infection. It's very possible that the encryption was corrupted during its operation and why it does not work. I really wish there was more we could do for you, but there is no magic pill to undo encryption.

You might be able to take the computer into a local repair shop that specializes in security and see if they're able to find, or correct, enough of the documents to get the decrypter working.
