
FBI Ransomware Now Targeting Apple’s Mac OS X Users

For years, Windows users have been plagued by ransomware demanding several hundred dollars to unlock their computers.

The bad guys know there is a growing market of Apple consumers who, for the most part, feel pretty safe about browsing the Internet on a Mac without the need for any security product.

Cyber-criminals, well known for not re-inventing the wheel, have ‘ported’ the latest ransomware to OS X, not by using some complicated exploit but rather leveraging the browser and its ‘restore from crash’ feature.

Update: Read our Q&A for the latest about this ransomware.

(Scroll all the way to the end of the post for a video on how to remove this Apple ransomware.)

[Screenshot: the fake FBI ransomware page]

The ransomware page is being pushed onto unsuspecting users browsing regular sites, but in particular when they search for popular keywords.

Warnings appearing to be from the FBI tell the victim: “your browser has been blocked… you have been viewing or distributing prohibited Pornographic content… To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.”

A quick look at the address bar shows an interesting URL: fbi.gov.id657546456-3999456674.k8381 . com. The bad guys are clearly trying to fool users by starting the hostname with “fbi.gov”.
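The hostname above puts “fbi.gov” in the subdomain labels while the part that actually decides who owns the site is the last two labels. The following Node.js check is an added example, not code from the original post or from Malwarebytes; it flags that pattern for a small assumed watch-list of trusted names and treats the last two labels as the registrable domain (a simplification; a production check would consult the Public Suffix List).

```javascript
// Added example: flag hostnames that bury a trusted name (e.g. "fbi.gov") in the
// subdomain part while the registrable domain is unrelated. Node.js, no dependencies.

// Watch-list of names a lure page is likely to impersonate (assumed values).
const TRUSTED_NAMES = ['fbi.gov', 'apple.com', 'malwarebytes.org'];

// Accept a bare hostname or a full URL; spaces from defanged copies ("k8381 . com") are dropped.
function extractHostname(input) {
  const s = String(input).replace(/\s+/g, '').toLowerCase();
  try {
    return new URL(/^[a-z][a-z0-9+.-]*:\/\//.test(s) ? s : 'http://' + s).hostname;
  } catch (e) {
    return null; // not parseable as a host at all
  }
}

// Simplification: the last two labels are taken as the registrable domain.
function registrableDomain(hostname) {
  const labels = hostname.split('.').filter(Boolean);
  return labels.length >= 2 ? labels.slice(-2).join('.') : null;
}

function analyzeHostname(input) {
  const hostname = extractHostname(input);
  const apex = hostname ? registrableDomain(hostname) : null;
  const result = { hostname, apex, impersonates: null, suspicious: false };
  if (!apex) return result;
  // Everything before the apex is text the site owner chose freely.
  const prefix = hostname.slice(0, hostname.length - apex.length); // "" or ends with "."
  for (const name of TRUSTED_NAMES) {
    if (name === apex) continue;                      // the genuine site, nothing to flag
    if (('.' + prefix).includes('.' + name + '.')) {  // trusted name appears as whole labels
      result.impersonates = name;
      result.suspicious = true;
      break;
    }
  }
  return result;
}

// Constructed samples: the lure hostname quoted in the post (defanged) and two legitimate hosts.
const SAMPLES = ['fbi.gov.id657546456-3999456674.k8381 . com', 'https://www.fbi.gov/', 'blog.malwarebytes.org'];

for (const s of SAMPLES) {
  const r = analyzeHostname(s);
  console.log(`${r.hostname}: apex=${r.apex} suspicious=${r.suspicious}` +
              (r.impersonates ? ` (looks like ${r.impersonates})` : ''));
}
```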

If you choose to ignore the message (which you should), you cannot get rid of the page:

[Screenshot: the ransomware page cannot be closed]

Repeated attempts to close the page will only lead to frustration as even the “Leave Page” browser trick does not work:

[Screenshot: the “Leave Page” prompt keeps coming back]

If you “force quit” the application, the same ransomware page will come back the next time you restart Safari, because the “restore from crash” feature loads back the last URL visited before the browser quit unexpectedly. Talk about a vicious circle.

This is how it is done, using some JavaScript code:

[Screenshot: the JavaScript that keeps the page from closing]

The “infinite loop” (which really isn’t one) is made possible by 150 iframes created dynamically by this JavaScript snippet:

[Screenshot: the loop creating the 150 iframes]

There is a way to get rid of it (without clicking on the prompt 150 times) and more importantly without paying the $300 ransom. Click on the Safari menu and then choose “Reset Safari”:

[Screenshot: the Safari menu with “Reset Safari”]

Make sure all items are marked and hit the Reset button:

[Screenshot: the Reset Safari dialog with all items checked]

You can bet many people are going to fall for this scam and  pay the ransom money, filling the bad guys’ pockets.

Whenever alarming messages are displayed, it is important to take the time to review them, call a friend or talk to someone about it.

The bad guys know how to use social engineering to entice victims; for example, I was led to this locked page by doing a search for Taylor Swift on Bing images. Victims who feel they may actually have been doing something wrong, and are ashamed at being caught, will pay the “fine.”

This scam is unfortunately all too effective and is not going away anytime soon.

Watch this tutorial on how to get rid of the FBI ransomware for OS X.

Jerome Segura (@jeromesegura), senior security researcher at Malwarebytes.


24 thoughts on “FBI Ransomware Now Targeting Apple’s Mac OS X Users”

  1. garrettevans says on July 15, 2013 at 2:39 pm :

    I’m a Mac fanboy, but I’ve relied on MWB for all my PC family and friends who want me to “fix” up their computer.

    Big thanks to MWB for looking out for us fanboys too!

  2. Mark Pippin says on July 15, 2013 at 6:50 pm :

    “You can bet many people are going to fall for this scam and either pay the ransom money or bring it to a shop, in both cases filling the bad guys’ pockets.”

    Can you please explain how a user taking their infected PC to a professional shop for removal is filling the ‘bad guys’’ pockets??

    The professionals, like me, who remove this junk are not ‘bad guys’ and certainly had nothing to do with our customers getting infected to begin with.

  3. Jerome Segura says on July 15, 2013 at 6:56 pm :

    Hi Mark,

    Thanks for letting me know, I must have gotten carried away. I have updated the post accordingly and apologize for the misunderstanding.

    I have cleaned PCs for customers and friends (and still do) and know it is not an easy job, one that requires skills and patience. So again, sorry for giving out the wrong message!

    Thanks :-)

  4. Jerome Segura says on July 15, 2013 at 7:34 pm :

    I see a lot of sources incorrectly reporting this as a Trojan for OS X. It is not, please read carefully, as it is simply using JavaScript within the browser and preventing the user from closing the window. This means the user is actually not infected (despite what it seems) and what the bad guys are hoping is you get frustrated with your browser not closing, and end up paying the ransom.
    This attack can be safely and easily defeated if you follow the steps provided at the end of the blog post. Thanks!

  5. v1car says on July 15, 2013 at 10:33 pm :

    Actually, I checked — at least in Safari, you can immediately get rid of this page with a bookmarklet which uses document.write() to delete the page contents. Here’s the one I tested (which turns the page into a nicely-formatted message describing what happened) (and with my luck, WordPress will somehow eat this):

    javascript:%20void(function(){document.write('%3Chtml%3E%3Chead%3E%3Ctitle%3E%2D%2D%20Page%20has%20been%20erased%20%2D%2D%3C%2Ftitle%3E%3C%2Fhead%3E%3Cbody%20style%3D%22margin%3A0in%3Bpadding%3A25%25%3B%22%3E%3Ch1%20style%3D%22size%3Axx%2Dlarge%3Btext%2Dalign%3Acenter%3Bcolor%3Ared%3Bmargin%3A25%25%3Bfont%2Dweight%3Abold%3B%22%3EThis%20page%20was%20erased%20using%20a%20bookmarklet%2E%3C%2Fh1%3E%3Cp%20style%3D%22text%2Dalign%3Acenter%3B%22%3EThis%20page%20has%20had%20its%20content%20replaced%20with%20this%20message%2E%20If%20you%20want%20the%20content%20back%2C%20you%20will%20need%20to%20reload%20the%20page%2E%3C%2Fp%3E%3C%2Fbody%3E%3C%2Fhtml%3E');}())

  6. v1car says on July 15, 2013 at 10:35 pm :

    Okay, it didn’t lose the text, it just cut it off with formatting so you can’t see most of it (which is fine; just select the whole thing and copy and paste). When I tested, if you run this script on the page whose URL is given in this entry, you can then close the window without any messages. Hooray for the poorly-planned properties of the original DOM!

  7. mrglass says on July 16, 2013 at 9:30 am :

    You don’t need to reset Safari in order to get rid of this. Just open the JavaScript console and paste “function areYouSure() { return false;} ;” (without quotes) at the prompt and hit enter. The next time the function is called it shouldn’t prompt anymore. I guess you could also set “i = 150;” and that would be the end of it too.

  8. Michael Johnston says on July 16, 2013 at 1:02 pm :

    If you ever find yourself on a page that won’t let you close it, simply open Safari preferences (Command + ,), click the Security tab, and uncheck “Enable JavaScript.”

    Once JavaScript is disabled, you’ll be able to close the site. Tadaaa!

  9. Buck Virga says on July 16, 2013 at 4:48 pm :

    Not sure if it will work here as I haven’t tried it but holding the shift key while relaunching safari should force it to load the home page instead.

  10. jfbos says on July 17, 2013 at 11:33 am :

    I got hit with this on 7/13. I got rid of it by holding down the power button to shut the Mac down. When I restarted, the FBI screen was gone but my Mcafee wouldn’t update and the scan seemed to get hung up after only 7 files. Is that related to the ransomware? If it’s just a script on a website, how could it keep me from updating so I could run a scan?

    Did I do something wrong by shutting down rather than your proposed solution? Is there something else I need to do? Thanks.

  11. Jerome Segura says on July 17, 2013 at 11:46 am :

    Hi jfbos,

    Thanks for sharing your experience. The hard reboot is not recommended and could have corrupted some files on your OS. But that sometimes happens when we have to resort to such things.
    The first thing I’d do is uninstall your antivirus, restart and then install it again cleanly. See if that fixes the issue. Here is a link to their support page: http://service.mcafee.com/default.aspx

    The ransom page itself is a pure lure, nothing malicious with it that we could tell. Please let us know if that works for you.

  12. davidravenmoon says on July 17, 2013 at 2:32 pm :

    Here’s the easy way to do this;

    force quit Safari. Then when you launch it again hold down the shift key. This will prevent windows from the last session from opening.

    This is better than resetting Safari and losing a lot of your settings.

  13. François Robért says on July 17, 2013 at 4:19 pm :

    The average Mac computer user will not know how to do many of the solutions posted here and, being non-technical, is the most likely to fall for the scam. The easiest solution for them is not the solution described because ‘Reset Safari’ will lose their name-password combinations, auto-fill data and a host of other things they will fret about for having been lost. Why nuke when a bullet will do?

    The easier, and safer solution for the non-technical, is to Force Quit Safari (hold the Option key while selecting Safari in the dock) then, restart Safari while holding the shift key. This will bring them back to their original homepage location without erasing most of their settings.

    Much easier to remember, easier to do, and less scary for the less technically inclined.

  14. v1car says on July 18, 2013 at 12:47 pm :

    Also, you can get rid of the page using the following AppleScript:

    tell application "Safari"
        -- blank out the locker page so its unload prompt has nothing left to protect
        tell document of window 1 to do JavaScript "document.write('');"
        close window 1
    end tell

    Or you can open the Error Console (you need to turn on the Develop menu first — it’s in Preferences under “Advanced”) and just type in document.write(''); and hit return and then close the window.

  15. Pete Holzmann says on October 30, 2013 at 4:59 pm :

    @Jerome wrote, “I see a lot of sources incorrectly reporting this as a Trojan for OS X. It is not, please read carefully, as it is simply using JavaScript within the browser and preventing the user from closing the window. This means the user is actually not infected (despite what it seems)”
    What’s the practical difference? You’ve described exactly how a trojan works. This is malware (does things the user does not want). It remains in their browser until removed. It requires a careful procedure to remove it. That’s how most malware works these days.

    The fact that it uses a creative means to “install” itself is immaterial.

  16. Jerome Segura says on October 30, 2013 at 7:58 pm :

    Hello Pete,

    The difference from a traditional piece of malware is that the core Operating System is not touched. The majority of malware will try to attach itself for persistence (i.e. when you reboot the machine).
    This “malicious JavaScript code” only runs in the browser and other than being an annoyance, it does not actually have a permanent impact on the system.

    Does that make sense? Thanks for reading :)

  17. Nick Woods says on November 16, 2013 at 6:11 pm :

    Hi, I got this page this evening. I clicked on close, got the “do you want to leave this page” message, clicked on yes and it went, no problem, and hasn’t come back. Does that mean I still should reset Safari?

  18. Jerome Segura says on November 16, 2013 at 8:44 pm :

    Hi Nick,

    It sounds like you’re good. Browsers are starting to catch up with this little trick and blocking what looks like endless loops.
    Having said that, erasing your browser history every now and again is not a bad idea.

    Jerome

  19. Edward Beknazarov says on November 30, 2013 at 5:53 pm :

    just had this happened to me. the same thing, except i’m on linux (zorin OS 6.0) and the browser design looked a little different. but yeah, good thing i didn’t waste 300 bucks on this **** LOL

  20. Rogelio Valiente G says on December 5, 2013 at 6:40 am :

    Hi, i got this yesterday. After a few attempts of clicking on the “leave page”, i decided to force quit the browser. This happened to me on Firefox. I tried to reopen the browser, and the virus was still there. I forced quit the browser again. At the third attempt, it looks like firefox somehow managed to block the page from being reopened, since the error message that “page could not be reopened” appeared. I deleted the browser history and everything seems to be running normal. Can this virus access my personal information? Do i need to remove it completely from my computer?
    Thanks for your help!

  21. Jerome Segura says on December 5, 2013 at 9:48 am :

    Hi Rogelio,

    This type of threat is not a virus per se. It does not infect your PC like typical malware, but simply tries to block your browser (using HTML, JavaScript). Of course, it would not hurt to scan your computer for malware :-)

  22. Nathan Duke says on December 13, 2013 at 7:00 am :

    A tutorial for Chrome users (or FrFx, other alt browsers, etc.) would be helpful. Perhaps when I’ve drafted one, I can post a link here? Not everyone on OSX uses Safari, needless to say. But still, thanks for this post – MWBU once again prevented me from needlessly ruining a good pair of jeans. Here’s my stupid tale of stupid stupidity…
    I got nailed with this outrageous crap while attempting to watch the new Jared Leto documentary (via Google Chrome). When the page loaded, my eyes got huge, my breathing quick, my brow deeply knitted. I couldn’t believe what I was looking at! I wanted to brush it off as some obvious farce, but **** that sub-sub-domain in the URL string TRICKED ME!!! So I read through the text, $300 in 12 hours, what??? F*ck no that’s extortion, this is illegal horseshit, but **** it looked just legitimate enough to plant that seed of doubt! So I took screen shots, force-quit the browser, and did what I should have done (what everyone should always do when going online) in the first place – started Vidalia and initiated a Tor Network Session* to black-box my packets around the IP detection – which worked fine (there has been no subsequent browser blocking or error prompt weirdness so far) and although this appears to be a superficial, limited-scope “spoof-virus” browser hack, I still need to confirm that my system has not been compromised in any significant way… I gotta admit, even though in almost every prior technology crisis situation I strive to maintain an objective, empirical mindset, the combination of shock & the sliver of plausibility (in light of PRISM etc.) the limbic response of visceral fear & righteous indignation almost defeated my Grumpy Skeptics BS Filter – until I read up on the scam, ultimately landing on what I deemed to be the most reputable site amongst the search results (http://blog.malwarebytes.org/fraud-scam/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/). Thank you MWBU! What a freakin’ relief! Those clever parasitic bastards… I want to applaud their genius as they spin beneath the gallows… -

  23. ray1 says on December 17, 2013 at 6:11 am :

    Question… I have an iphone 4, and just recently received a message on my home screen that my email(s) (it showed both of my email accounts) and FaceTime are connected to the FBI. It also showed a telephone number that has access to my phone. It gave the option to accept or decline. I declined the request however it still went through.. It happened so quickly that I didn’t think to take a screen shot. I didn’t know if this is real or some type of scam to gain access to my files. Does the FBI ask for permission to gain access to your files?

  24. p717 says on February 28, 2014 at 5:46 pm :

    The info is VERY helpful! However, you do not need to reset Safari ASAP if you do not want to or use Java if that is not in your wheelhouse. I found a solution quite by accident! Be sure to have a current email with a website link such as Apple.com, iTunes, eBay, Amazon, etc. handy
    1. Force Quit Safari
    2. Go to the email and click the link
    3. A pop up menu will say you Force Quit Safari… do you want to reopen the last Safari window.
    4. Click… DON’T ALLOW…Success with a smile. {:-)
    Then go and check your System Preferences & Safari Preferences and be sure your Firewall is active and you have deleted cookies etc… reset Safari if you want/need to and be “Cyber Safe”
