Malwarebytes: Maneuver around 'FBI ransomware' on Macs

Jerome Segura of Malwarebytes explains how to get around 'FBI ransomware' computer locking.


Ransomware isn't limited to PCs anymore; Apple OS X users are being targeted in this scam now, too.


But thanks to a blog post and YouTube video by Jerome Segura, senior security researcher at Malwarebytes, Mac users can easily rid themselves of the annoyance of a "locked computer" without forking over the $300 ransom demanded by the latest "FBI ransomware," which won't get your computer unlocked anyway.

How easy is it to stumble onto this "FBI ransomware"? "I went on Bing and did a search for Taylor Swift and clicked some links and eventually found one that led me to a link that totally locked my Mac," Segura said.

Is there a social engineering aspect to this scam? "There's definitely a little link between the type of content you've been browsing that leads to this page, because part of the page warns you about browsing copyrighted material or pornographic content," Segura said. "So it kind of makes sense that if you've been browsing some free movies or looking at porn, if you see this message it's going to be a lot more relevant and you might actually believe it."

How does it work? "It's using a piece of JavaScript that intentionally is made to force a loop so that every time you click the 'close' button it'll tell you that you can't close it because it's been locked," Segura explained. "This is something new, because it prevents you from closing the browser. The piece of JavaScript has been used by other Web developers, but the criminals took the 'Are you sure you want to leave this website' message and customized it to say, 'You're locked,' and increased the counter so you're getting the message 150 times."

Segura read the page's source code to find that the magic number is 150, though many people give up after 10 tries. "There's no exploit, just a little trick," he said. "It takes advantage of the fact that if you force quit the browser, it recovers the last URL and this puts you right back on that locked page. The bad guys aren't reinventing the wheel, they're just using certain features."
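To make the two mechanisms Segura describes concrete (a beforeunload handler with a counter, and session restore putting the victim straight back on the page), here is an added model of the trick. It is not the scam page's code and not code from Malwarebytes or this article; the lock message, the sample URL and the FakeBrowser stand-in are constructed for the example, and the `restoreSession` switch is an assumption of the model rather than a documented recovery step.

```javascript
// Added example: a Node-runnable model of the browser-locking trick described above.
// A page's beforeunload handler that returns a string makes the browser show its
// "leave this page?" dialog, so every click on "close" becomes another prompt.
const LOCK_LIMIT = 150; // the counter value Segura found in the page source

// Page-side logic. In a real page this closure would be assigned to
// window.onbeforeunload; here it is a plain function so it runs without a DOM.
function makeLockHandler(limit = LOCK_LIMIT) {
  let attempts = 0;
  return function onBeforeUnload() {
    attempts += 1;
    if (attempts <= limit) {
      // Returning a string asks the browser to show its confirmation dialog.
      return "Your browser has been locked. You cannot close this page."; // constructed text
    }
    return undefined; // after `limit` prompts the page finally lets the user go
  };
}

// Minimal stand-in for the browser, modelling the two behaviours the text relies on:
// 1. a close attempt is cancelled whenever beforeunload returns a string;
// 2. a force quit followed by relaunch restores the last URL and re-runs its script.
class FakeBrowser {
  constructor(pages) {
    this.pages = pages;   // url -> factory returning that page's beforeunload handler
    this.url = null;
    this.handler = null;
    this.lastUrl = null;  // what session restore would reopen
    this.open = false;
  }
  visit(url) {
    this.url = url;
    this.lastUrl = url;
    this.handler = this.pages[url] ? this.pages[url]() : null;
    this.open = true;
  }
  // The "close" button: returns true only if the window actually closed.
  tryClose() {
    if (!this.open) return true;
    const msg = this.handler ? this.handler() : undefined;
    if (typeof msg === "string") return false; // dialog shown, window stays open
    this.open = false;
    this.url = null;
    this.handler = null;
    return true;
  }
  // Force quit and relaunch. With session restore on, the locked page comes straight
  // back with a fresh counter; with it off (an assumed model option, not a documented
  // step), the browser starts empty. Returns the URL that is open afterwards.
  forceQuitAndRelaunch({ restoreSession }) {
    this.open = false;
    this.handler = null;
    this.url = null;
    if (restoreSession && this.lastUrl) this.visit(this.lastUrl);
    return this.url;
  }
}

const LOCK_URL = "http://lock.example/"; // constructed sample URL, not a real scam domain

function newLockedBrowser() {
  const b = new FakeBrowser({ [LOCK_URL]: () => makeLockHandler() });
  b.visit(LOCK_URL);
  return b;
}

// How many clicks on "close" until the window actually goes away?
function clicksUntilClosed(browser, maxClicks = 1000) {
  for (let n = 1; n <= maxClicks; n++) {
    if (browser.tryClose()) return n;
  }
  return -1;
}

// Scenario from the text: give up after 10 tries, force quit, relaunch.
function forceQuitOutcome(restoreSession) {
  const b = newLockedBrowser();
  for (let i = 0; i < 10; i++) b.tryClose();
  const urlAfter = b.forceQuitAndRelaunch({ restoreSession });
  // Locked again means the restored page prompts on the very next close attempt.
  return { urlAfter, lockedAgain: urlAfter === LOCK_URL && !b.tryClose() };
}

console.log(clicksUntilClosed(newLockedBrowser()), forceQuitOutcome(true), forceQuitOutcome(false));
```

Running the block shows that it takes 151 clicks to get past a 150-count handler, and that a relaunch with session restore puts the victim straight back on a re-armed page, while a relaunch that does not reopen the last URL breaks the loop. Current browsers blunt the trick somewhat: they show their own generic dialog text rather than the page's string, so the "You're locked" wording no longer reaches the user, but the repeated prompt itself still works wherever the page can trigger beforeunload.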

Who's running this scam? "It's an IP address that's well known for pornographic and illegal content, located in St. Petersburg, Russia, and is most likely on what we call a bulletproof hosting service," Segura said. "One of the domains had a spike of 50,000 hits in one day. Now that's just one domain, and they're using multiple domains, so if even 2% of people pay the ransom, it would be $300,000 in one day."

Any malware involved? "As far as the Mac users are concerned, no; there's no exploit code and no malware," Segura said. "But for Windows users, it's a different story; there's malware involved in the form of banking Trojans on your computer that can capture your keystrokes if you do any online banking."

The Internet Crime Complaint Center is aware of the situation and has posted a note on its website: "Do not follow the ransomware instructions."
