Sunday scare: had I been hit by ransomware?

So what do you do when, all of a sudden, someone or something takes control of your Mac?

It should have been a quiet Sunday morning. I had got up early, and spent an hour or so working through some searches of the Burlington Magazine archives, then switched to my main task of the day: writing an article in my series on narrative paintings.

One of the more tedious parts of most of the painting articles is tracking down information about the paintings whose images I wish to show. In the case of this article, I had several paintings for which I had little more than the artist’s name and the title of the painting. For each in turn, I was Googling hard to try to get more complete data.

For one particular painting, I was taken out to a site which I had not visited before, Picturellc [dot] com (I have written it like that so there is no chance that you will visit that site too). There was nothing suspicious about the site, which contained images of paintings about Homer’s Odyssey, hardly porn or in the slightest bit provocative. I went to close an enlarged view of a painting, and a Macintalk-like robot voice announced that my Mac was compromised.

I closed that window in Safari as quickly as I could, and behind it I saw another with ominous warnings.


PLEASE DO NOT SHUT DOWN OR RESTART YOUR COMPUTER, DOING THAT MAY LEAD TO DATA LOSS AND FAILIURE (sic) OF OPERATING SYSTEM, HENCE NON BOOTABLE SITUATION RESULTING COMPLETE DATA LOSS. CONTACT MAC technicians TO RESOLVE THE ISSUE ON TOLL FREE - +44-800-830-3007
and more.

My Sunday morning, and my hopes of getting that article written, were starting to fall apart.

I took a quick screenshot of that window (Command-Shift-4, Space, click) so that I could study it more carefully, closed it, and closed Safari.

I next opened three key utilities:

  • Objective-See’s TaskExplorer, to look for anything nasty which might still be running;
  • Console, to check quickly through the logs, to see if anything untoward had appeared there;
  • Activity Monitor, to see if any strange processes were hogging the CPU, if there was a lot of disk activity, or network traffic in or out.

Console showed nothing of any relevance at the time of this apparent intrusion, or thereafter. TaskExplorer showed nothing to worry about, the most suspicious software active being BBEdit, the text editor. Activity Monitor also drew a blank, with no suspicious activity in progress.

I then opened my screenshot, and looked at it more closely, while leaving those monitor apps to watch for activity.

Apart from identifying my IP address and browser, most of the content of that window was stuff and nonsense. It gave my OS as “mac”, so wasn’t smart enough to discover which version of OS X I was running. The background was made to look like a Windows warning, which is nothing like a kernel panic or similar on a Mac. It referred to BSOD (Blue Screen of Death), which had not happened. The error code quoted was bogus, and it referred to “Windows Defender”, with another Windows-style warning message.

However bogus this all looked, I still wanted to be confident that this had been scareware rather than an attack. I opened Safari, checked that nothing had tinkered with its settings, then searched for OS X ransomware. I ran a few checks to ensure that there was nothing to suggest that I had just gained that millstone, then browsed logs, inspected TaskExplorer’s listings, and looked for warning signs again in Activity Monitor.

Happy that everything remained in order, I did the one thing that the dire warnings had told me not to do: I restarted. I should perhaps have restarted in Safe mode (Shift key), but was so convinced that this was just a nasty scare that I went straight to a normal login.

Is that what you would do? Would you do anything different, and why?

Thankfully the sun was still shining and I got the article finished. I’ll let you know if I have been falsely optimistic.