
Problem Description

Yesterday my mother called me to say that she had got a message on her iPhone that it had been stolen (iCloud Find My Phone). She then had to enter security codes (two-factor authentication) into a text field on her MacBook. I was not there at the time, so I cannot really prove it. I think this was already a phishing window of the ransomware.

She is using my old MacBook, an early 2011, 13" with updated SSD and 16 GB RAM, with 10.10 installed.

When I arrived, the MacBook was already compromised and showed following message, after booting:

[Image: Ransomware Screenshot]

The message is in German and says:

Ihr Computer ist deaktiviert. Versuchen Sie es in 59 Minuten erneut.
(Translation: Your computer is deactivated. Try it again in 59 minutes.)

write to email: apple.help@gmx.com

apple.help@gmx.com is definitely not a valid apple mail address.

I googled for the exact same message and I did not really get any good results. The only results I found were these:

How to fix it?

My thought was that it was just a screen overlay and it should be possible to boot into another OS (live Ubuntu) to get access to the data. I wanted to find a trace of the ransomware. Maybe I could find out how it is called or what it was doing with the data.

When I tried to boot from another device, the Mac was locked with an EFI firmware protection password (the same screen with the little lock appeared). I never set this and I really doubt that my mother did. So it could only be the ransomware.

So I first had to reset the firmware password. Luckily I found a blog entry which describes a way where you have to change the number of RAM sticks in your system and then reset the PRAM / NVRAM. I thought it sounded a bit like magic, but on the other hand, the system could not get any worse.

I removed a RAM stick, booted with CTRL+ALT+P+R and waited for three reboots.

After that the firmware lock was gone and it was possible to boot from a USB stick. I checked for recent file changes on the Mac partition, but could not find anything. The data in the home folder was not encrypted (so maybe it was a hoax).

So I made a backup of her data and then tried to do a normal boot again. Surprisingly, the ransomware message was gone! I could just boot into the system as usual.

I ran a Bitdefender scan, but nothing was found. It is really mysterious and I have no idea what really happened.

Question

So my question now is, does anybody know this problem or this kind of attack? I have no clue how the attackers could set the firmware password and where the software of the ransomware was running.

Maybe it was on its own partition, but I could not find it. macOS does not seem to be corrupted.

Update

I asked an Apple Store worker today and he did not know anything about a hack like this. But he told me that it should not be possible to reset the firmware password. Only Apple is able to do that.

cansik
Here is an interesting thread about it on Twitter. It's in Japanese, but Google Translate will help: https://twitter.com/SHOTT2012/status/864033890477850624 – cansik Jul 31 '17 at 18:21

8 Answers

4

Explanation

It seems that it is not a virus or a hack on your computer. The message that is shown can be set when you lock your device from iCloud (Find My Phone).

So it seems that Apple has an iCloud backdoor or something like that. With only the password it would not be possible to log in to iCloud, because of the activated two-factor authentication. So the attackers really have access to your iCloud, but not directly to your local computer.

The iCloud account of my mum is from April 2017, so it is not just an old iCloud hack.

Most likely it is because of the following iCloud hack:

Hackers: We Will Remotely Wipe iPhones Unless Apple Pays Ransom (Vice, Mar 21 2017)

Solution

If the same happened to you, you have to take your Apple device to the nearest Apple Store together with your receipt. The receipt proves that you are the owner of the device, so the Apple Store is able to unlock it.

For security reasons I recommend resetting your password and activating two-factor authentication.

If you have a 2011 MacBook, the PRAM / NVRAM wipe could work for you too, but you have to do it at your own risk.

cansik
2

As you mentioned, this does not seem like a real ransomware attack. Most ransomware out there, including the latest WannaCry and NotPetya, has at least good file encryption mechanisms. But you mentioned that the files were not really encrypted, so I would not classify it as ransomware.

Since a ransomware's prime objective is to make money (it is debated that some of the recent variants exist more as DoS attack tools than for ransom collection -- but I won't get into that) they will usually leave a bitcoin address where you could make a payment to them to get a unique decryption key.

The modus operandi of this infection does not really coincide with that of a ransomware. This seems more like a hoax to annoy users by locking them out of their machines.

Aside

Perhaps I will try writing an email to the address you mentioned and see if they ask for a ransom amount to "fix" my computer. Since they are pretending to be "Apple" (they are doing a bad job at it too, since the domain is gmx.com, a German service offering free email accounts), they are more likely looking to cheat unsuspecting users out of some money. For example, think of the fake "Microsoft Service Support" calls that (usually elderly) people receive that ask for a remote connection to their machine, show fake "infections" by color coding some DOS commands and ask for ~$300 to fix it. It's an unsophisticated social engineering attempt, but it works on people not very familiar with their computers.

whoami
I am not sure if it is a hoax. Maybe it is just a test for a real attack. I would not understate it just because it does not encrypt at the moment. The fact that it enables the firmware protection is frightening. I am not even sure if the computer boots into macOS. I already tried to send a mail to the address. But it seems that this address does not exist at gmx. I will try to reserve it. – cansik Jul 31 '17 at 17:56
1

This happened to me yesterday; it took down my MacBook Pro (latest model) and iPad Pro. Unfortunately you can't do the above on the new models, so you have to go into the store.

James
If you still have your MacBook locked, would it be possible to attach a second screen and check what is shown on the second screen? If it is just a fullscreen application, there should be the normal desktop. That would be very interesting! – cansik Jul 31 '17 at 17:58
1

My MacBook Pro Late 2013 has had the same problem since today. After boot, the locked screen with the same message was shown. Email to apple.device@gmx.com was the contact here. Someone hacked my iCloud account and used it to lock my MacBook. I decided to prove it, and while logging in to my account Apple said it was "locked because of safety reasons". After resetting my Apple ID password and many questions and procedures, I saw clearly in "Find my..." that my MacBook was locked, and after many calls, only Apple Support can fix it.

I also read on the web about the RAM modification to fix it, but also that it does not work on MacBooks newer than 2012. My other MacBook Pro Late 2014 running on the same Apple ID was not locked. Maybe because I don't shut it down or reboot at the weekend. I won't try this until the first MacBook is running again.

After mailing the fake apple.device@gmx.com I received a message to pay 50$ in Bitcoins and send it to 1LtEdJmSApVYMYFXzLeaYtuvXFVPv9kzo3

I was surprised, but 50$ is not much money, and maybe it won't stop here, then 100$, then 300$ and so on. And after mailing again it was true: they wanted 100$. No way...

My advice: Don't mail, don't answer and definitely don't pay.

The Apple Store fixes it; change the password of your Apple ID and enable 2-way authentication...

David
1

I have fallen victim to this too, exact same error message. What is strange is that even with my Mac shut down, when starting up the lock screen states it is disabled for 60 minutes. This despite me not even attempting to crack the passcode.

I am entering cmd+r to get into recovery mode, which looks more like the firmware lock screen. I am waiting to be seen by Apple; trying to get a Genius appointment is difficult. I first went to the Apple authorized reseller and they couldn't help me, as they said the process requires them speaking to Apple anyway, so they said just go direct to Apple.

Out of curiosity, what is the lock screen as depicted in the posted image? Would that 6-digit passcode be anything from Apple, or is it something purely for whoever has hacked my iCloud account?

It's been 5 days now and I still have no working laptop, trying to organise around work is hard...

bobby
1

I have been an Apple Technician for over 8 years. I see this all the time at the Genius Bar. Plain and simple: your iCloud password was compromised. The attacker just activated Lost Mode on the devices that are linked to your iCloud account. When a computer enters "Lost Mode" a firmware lock is added. The only way for you to fix this issue is to make a Genius Bar appointment and bring in your computer with proof of purchase. They will be able to remove the firmware lock with the computer's hash code, then they can repartition & reinstall the OS. Hope you have a backup.

As @Mirvine mentioned: How can you explain that not only "normally" secured accounts are compromised? Even with two-factor authentication it was possible to get into the iCloud account. – cansik Aug 05 '17 at 21:52
1

The screen displaying the lock after the chime/POST is the firmware lock. Holding down cmd+opt+ctrl+shift+S will display the hash code; this is used by Apple to reset firmware locks. After the computer boots up you will see the iCloud Lost Mode screen with the 4 digits. Unfortunately I do not have an answer for how these attackers are getting past 2-step. Good luck.

0

I have recently been attacked by this. In my case the PRAM/NVRAM reboot does not work. I get a different lock screen, just a graphic of a lock and a field to enter text, nothing else. The lockout screen when trying to boot normally asks for a four-digit PIN and says to email apple.device@gmx.com

I also got the message from Apple about Kalunga. When I accessed my iCloud account my desktop had also been locked out. The lockout screen on my desktop asked for a six digit PIN.

My iPhone and second desktop, which was at a different location on a different router, were not affected.
