
Mac ransomware 2017

Get an overview of Mac ransomware 2017 in general and the prevalent extortion vector via fraudulent use of Apple’s Find My iPhone feature in particular.

Even with cutting-edge tools and considerable resources at their disposal, cybercriminals don’t have much room for maneuver when it comes to infecting macOS or iOS devices. The reason is obvious: Apple has built a security architecture sturdy enough to thwart most attack mechanisms that work on Windows. Under the circumstances, threat actors are bound to look for alternate weak links in this strong defense chain and, unfortunately, have had some success.

While depositing run-of-the-mill crypto ransomware on a Mac is easier said than done, felons have found a workaround that abuses a legitimate feature called Find My iPhone. This functionality is designed to help Apple users lock a lost or misplaced device remotely and display a custom message on its screen so that whoever finds it can contact the owner. Crooks have learned to turn this useful feature against users by locking their devices with a passcode and extorting Bitcoin to unlock them.

Mac fraudulently locked with a passcode

The workflow of this type of attack presupposes that someone signs in without authorization to a Mac user’s personal account at iCloud.com. This can only succeed if the intruder has the would-be victim’s Apple ID and password. There are different theories on how the perpetrators obtain these sensitive credentials. The most likely method is through breaches of third-party online services. Here’s a plausible scenario: an Apple customer uses the same email address and password to log into their iCloud account and multiple other accounts. If hackers breach the servers of some third-party provider and steal numerous users’ personally identifiable information (PII), including login credentials, they may try their luck and use those credentials to access the affected users’ iCloud profiles. This is the classic credential-stuffing pattern: no Apple vulnerability is involved, only password reuse.

Once an attacker has furtively logged in, they proceed to the above-mentioned Find My iPhone app and enable the remote device lock. A serious caveat in this context is that locking down a Mac, iPhone or iPad this way can be completed even if two-factor authentication is toggled on, because of how this emergency feature is designed. The trespasser will also type some custom text to be displayed on the victim’s screen. Some examples are, “Pay me 0.01 BTC ($50) to this address: [hacker’s Bitcoin address], then I will send code to ur email to unlock ur device,” or “Your computer is disabled, write to email: apple.help@post.com.”

Actually, the ransom note can be anything, depending on the attacker’s creativity. The email address indicated in it can vary, too. Aside from the apple.help@post.com mentioned in the example, some of the reported contact details include apple.help@europe.com, pass.apple@mail.com, unlock.device@mail.com, help.apple@gmx.com and helpappledevice@gmail.com, to list a few.

Ransom instructions provided by perpetrators

If a hacked user chooses to follow the route set out by the perpetrators and sends an email to the indicated address, they will receive an auto-reply with unlock instructions. Again, the wording varies, but it mostly goes, “Hello. Your device is locked. To activate the device, pay $50 to the Bitcoin address: [hacker’s BTC address]. After payment inform us and we will send your access code. Time for payment is 24 hours. If we do not receive payment from you within 24 hours, your device will be blocked.”

This extortion methodology is, by far, the most widespread ransom scam encountered by Apple users nowadays. However, a more sophisticated technique is on the rise as well. It is reminiscent of commonplace Windows ransomware attacks and revolves around a RaaS (Ransomware-as-a-Service) called MacRansom. This malicious framework is being promoted via Dark Web forums. To try their hand at Mac extortion, wannabe criminals need to contact the proprietors of this RaaS via ProtonMail, a well-known encrypted email provider. The creators will quite likely respond with a sample of the crypto ransomware.

MacRansom in action

One of the worst hallmarks of MacRansom is its ability to circumvent the administrator permission prompt when being installed, so the victim isn’t likely to notice anything wrong going on. Then, the culprit scours the /Volumes directory for the user’s personal data. This path covers all mounted hard disks, any removable media currently plugged in, and Time Machine backups. Having completed its scan for valuable files, the infection encrypts all matching entries and drops README documents containing ransom instructions throughout the affected folders. The crooks typically demand 0.25 Bitcoin (about $1,000) for data decryption.
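Because the behavior described above, a sweep of /Volumes that leaves ciphertext where documents used to be and a note in every folder, is visible on disk, a defender can check a volume for it. The script below is an added example written for this article; it is not code from MacRansom, from Apple, or from any tool the page mentions. It walks a directory tree, measures the Shannon entropy of each file’s first 4 KiB (ciphertext sits near 8 bits per byte, plain documents far lower), counts ransom-note candidates, and raises a verdict only when most user files look encrypted and the same note appears in more than one directory. The note filenames, the 7.5-bit threshold, and the two sample volumes it builds in a temporary directory are all assumptions constructed for the demonstration, not observed indicators.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Filenames treated as possible ransom notes. The article only says MacRansom
# drops "README documents"; these exact names are an assumption for this example.
NOTE_NAMES = {"readme", "readme.txt", "readme.rtf"}
# Already-compressed or encrypted formats are high-entropy by nature, so they
# are excluded from the entropy heuristic to keep false positives down.
SKIP_EXT = {".zip", ".gz", ".dmg", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
HEAD_BYTES = 4096         # sample only the start of each file

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_volume(root) -> dict:
    """Walk one mounted volume and collect file-encryption indicators."""
    high_entropy, notes, note_dirs, total = [], [], set(), 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in NOTE_NAMES:
            notes.append(str(path))
            note_dirs.add(str(path.parent))
            continue
        total += 1
        if path.suffix.lower() in SKIP_EXT:
            continue
        with path.open("rb") as fh:
            head = fh.read(HEAD_BYTES)
        if shannon_entropy(head) >= ENTROPY_THRESHOLD:
            high_entropy.append(str(path))
    ratio = len(high_entropy) / total if total else 0.0
    # Verdict: most user files look like ciphertext AND a note was dropped in
    # more than one directory, which a single project README would not do.
    return {
        "files": total,
        "high_entropy_ratio": ratio,
        "ransom_notes": notes,
        "suspicious": ratio >= 0.5 and len(note_dirs) >= 2,
    }

def build_sample_volumes(base):
    """Constructed sample data: one healthy volume and one after an attack."""
    rng = random.Random(1234)
    text = b"Quarterly report draft. Revenue up, costs flat. See attached.\n" * 60
    healthy = Path(base) / "Macintosh HD"
    hit = Path(base) / "Backup"
    for vol in (healthy, hit):
        for d in ("Documents", "Pictures", "Projects"):
            (vol / d).mkdir(parents=True)
    for i in range(4):
        (healthy / "Documents" / f"report{i}.txt").write_bytes(text)
        (healthy / "Projects" / f"notes{i}.md").write_bytes(text)
    (healthy / "Projects" / "README").write_bytes(b"Build with make.\n")  # a legitimate README
    # Stand-in for a JPEG: random bytes, high entropy but skipped by extension.
    (healthy / "Pictures" / "photo.jpg").write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
    for i in range(4):
        ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for an encrypted document
        (hit / "Documents" / f"report{i}.txt").write_bytes(ciphertext)
        (hit / "Projects" / f"notes{i}.md").write_bytes(ciphertext)
    for d in ("Documents", "Pictures", "Projects"):
        (hit / d / "README").write_bytes(b"Your files are encrypted. Pay 0.25 BTC.\n")
    return healthy, hit

def demo():
    """Build both sample volumes in a temp dir and scan them; returns (healthy, hit) results."""
    base = tempfile.mkdtemp()
    healthy, hit = build_sample_volumes(base)
    return scan_volume(healthy), scan_volume(hit)

if __name__ == "__main__":
    for name, result in zip(("healthy", "hit"), demo()):
        print(f"{name}: suspicious={result['suspicious']} "
              f"encrypted_ratio={result['high_entropy_ratio']:.2f} notes={len(result['ransom_notes'])}")
```

To run it against real mounts, call scan_volume on each entry under /Volumes instead of demo; the entropy test alone is not a verdict, since archives, media and disk images are legitimately high-entropy, which is why the script pairs it with the multi-directory note count.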

Whether you are confronted with a Mac lockout via abuse of the Find My iPhone feature or a file-encrypting Mac ransomware attack, it’s a serious predicament that causes a great deal of trouble. To avoid the former, most widespread, type of blackmail, it’s recommended to follow a few simple rules: use a hard-to-guess Apple ID password, never reuse it for other accounts, and enable two-factor authentication for your iCloud account. If the attack has already taken place, you should apply a combination of troubleshooting techniques, including an Apple ID (iTunes/iCloud) password reset and the use of effective security software.

Unlock Apple device hacked and held for ransom

Given how this scam works, an effective remedy is to reset the iCloud login credentials. To do this, go to iforgot.apple.com on a computer or other non-infected device and follow the steps below:

• Select the option that says "Forgot Apple ID?"

Forgot Apple ID

• Enter the requested details, including your first name, last name and email address, and click Continue.

Enter the requested details

• Fill out the personally identifiable information as instructed and answer the security questions you configured when creating your Apple ID. Alternatively, you can select the "Get an email" option and receive an email to reset your password.

Reset Password

• Follow any further directions until you reset your iCloud password. In some cases, you may have to give Apple Support a phone call to explain your issue and get the reset job completed.

Reset Password Done

• Use the new password to regain access to your iOS or macOS device.


Get rid of Mac ransomware 2017 using Freshmac removal tool

When confronted with malicious code like the MacRansom virus, you can neutralize its impact by using a purpose-built system utility. The Freshmac application is a good fit for this purpose, as it delivers essential security features along with modules for Mac optimization.

This tool cleans unneeded applications and persistent malware in one click. It also protects your privacy by eliminating tracking cookies, frees up disk space, and manages startup apps to decrease boot time. On top of that, it boasts 24/7 tech support. The following steps will walk you through automatic removal of Mac ransomware.

1. Download the Freshmac installer onto your machine. Double-click the Freshmac.pkg file to open the installer window, select the destination disk and click Continue. The system will display a dialog asking for your password to authorize the setup. Type the password and click Install Software.

Download Freshmac

2. Once the installation has been completed, Freshmac will automatically start a scan consisting of 5 steps. It scans cache, logs, unused languages, trash, and checks the Mac for privacy issues.

Freshmac scan start

3. The scan report will then display your current system health status and the number of issues detected for each of the above categories. Click the Fix Safely button to remove junk files and address privacy issues spotted during the scan.

Freshmac scan report
System Status verdict by Freshmac
Cache Cleanup section of Freshmac scan report
Privacy Cleaner

4. Check whether the Mac ransomware problem has been fixed. If it persists, go to the Uninstaller option in the Freshmac GUI. Locate an entry that appears suspicious, select it and click the Fix Safely button to force-uninstall the unwanted application.

Uninstaller pane

5. Go to the Temp and Startup Apps panes on the interface and have all redundant or suspicious items eliminated as well. The ransomware shouldn’t cause any further trouble.
