
The FBI MoneyPak Virus Now Affects Mac OS X

This entry describes the FBI Cyber Department MoneyPak virus for Mac OS X and gives recommendations for fixing the issue.

A massive long-term outbreak of ransomware, which started off as essentially Windows malware, began spreading to Mac OS X systems in late July 2013. Originally known as the FBI MoneyPak virus, this infection leverages malicious properties of the Reveton Trojan (Citadel) to block affected computers and display a fake warning screen accusing the users of illegal activity, such as viewing prohibited pornographic content or violating copyright laws. To get their PCs unlocked, victims are requested to pay a fine ($100, $300 or more) using the MoneyPak prepaid service.

FBI Cyber Department MoneyPak virus in action on Mac OS X

The version targeting Mac OS X is somewhat different, both technically and in terms of how it manifests on infected systems. Discovered by Jerome Segura, senior security researcher at Malwarebytes, this virus was found to use a "piece of JavaScript that inserts iFrames" to hijack the Safari browser on a victim’s machine. Like its Windows counterpart, the FBI Cyber Department MoneyPak virus for Mac OS X runs a script that generates the following message in Safari: “All activities of this computer have been recorded. All your files are encrypted. Don’t try to unlock your computer!” The bulk of the screen is occupied by a list of the reasons for which the Federal Bureau of Investigation has allegedly imposed the block. The penalty demanded to get things back to normal is in the range of $100-$500, depending on the sub-version of the infection.

The good news with Mac OS X is that this hijack is fairly easy to fix, unlike the Windows version. While force-quitting Safari will not address the issue (it comes back the next time you open the browser), there are several ways to avoid paying the “fine” and make the annoying thing go away.

Ways to resolve the issue

1. Let’s start with a cumbersome one. You need to close the Safari window carrying the fabricated message as many as 150 times. This works because the JavaScript powering the FBI MoneyPak virus on Mac OS X is coded to render 150 iFrames.

2. The most effective technique is to reset Safari. Go to the “Safari” menu in the top left-hand corner of the browser, and in the drop-down list select “Reset Safari…”. Then make sure all items have check marks next to them, and hit “Reset”. An obvious downside of this method is that your whole browsing history, webpage preview images, Downloads list, saved usernames and passwords, etc. will be gone. The trade-off is definitely worth it, though.

Resetting Safari effectively addresses the FBI MoneyPak virus issue

3. Consider switching to a different browser. Web browsers like Google Chrome and Firefox are known to be far more resistant to this infection.
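To illustrate the mechanism behind step 1, here is an added detection heuristic (example code, not from the article or from Malwarebytes): a small in-page observer that tallies iframe insertions and flags the page once the count approaches the 150 the locker renders. The threshold value, the `createIframeFloodTracker` name, the content-script wiring and the synthetic records are assumptions for illustration.

```javascript
// Added example (not from the article): a defender-side heuristic that watches the DOM
// for the iframe flood the Mac OS X FBI MoneyPak page relies on. The threshold, the
// content-script wiring and the sample records below are assumptions for illustration.

// The variant described renders 150 iframes; legitimate pages rarely insert anywhere near that.
const IFRAME_FLOOD_THRESHOLD = 100;

// Count iframe elements among the nodes added in a batch of MutationRecord-like objects.
// Works on real MutationRecords and on plain objects shaped like them (used for testing).
function countAddedIframes(records) {
  let count = 0;
  for (const record of records) {
    for (const node of record.addedNodes || []) {
      if (String(node.nodeName || '').toUpperCase() === 'IFRAME') count += 1;
      // An inserted subtree may carry iframes below its root; querySelectorAll
      // returns descendants only, so the root is never counted twice.
      if (typeof node.querySelectorAll === 'function') {
        count += node.querySelectorAll('iframe').length;
      }
    }
  }
  return count;
}

// Stateful tracker: tallies insertions over the page's lifetime and reports
// once the cumulative count reaches the threshold.
function createIframeFloodTracker(threshold = IFRAME_FLOOD_THRESHOLD) {
  let total = 0;
  return {
    observe(records) {
      total += countAddedIframes(records);
      return { total, flagged: total >= threshold };
    },
  };
}

// Constructed sample input: n synthetic records, each adding one new iframe.
function makeIframeRecords(n) {
  return Array.from({ length: n }, () => ({ addedNodes: [{ nodeName: 'IFRAME' }] }));
}

// Content-script wiring (only runs in a browser; a no-op under Node).
if (typeof MutationObserver !== 'undefined' && typeof document !== 'undefined') {
  const tracker = createIframeFloodTracker();
  new MutationObserver((records) => {
    const { total, flagged } = tracker.observe(records);
    if (flagged) console.warn(`iframe flood detected: ${total} iframes inserted`);
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```

Closing the window does not clear the tally for a session-restored page, which is why a one-shot count across the page's lifetime is the right unit here.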

Another obvious takeaway from the analysis of this particular infection scenario is to refrain from giving in to the extortionists and paying the ransom. While, again, the Mac OS X variant of the FBI MoneyPak virus is a lot less severe than the version attacking Windows, it won’t let go unless the steps above are taken. Also, as this malware continues to spread at an escalating rate, IT experts argue, it may evolve into a more aggressive threat over time. So, be sure to stay informed on this particular matter.