Possible Ransomware?

Discussion in 'Mac Basics and Help' started by kmoorejr, May 3, 2017.

  1. kmoorejr, May 3, 2017
    Last edited: May 3, 2017

    kmoorejr macrumors newbie

    Joined:
    May 3, 2017
    #1
    Just had a user report this issue. Below the disabled message was a note stating "Write to Email: applepass04@gmail[dot]com"

    It appears to be some sort of ransomware.

    Can anyone else confirm?
     
  2. DeltaMac macrumors 604

    DeltaMac

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #2
    Yes, there are a variety of reports about that email address "applepass04@gmail.com"
    Seems to be ransomware.

    https://www.reddit.com/r/jailbreak/..._experience_with_the/?st=j29d9eba&sh=f007a878

    Do you have a jailbroke iPhone? I don't see reports about that happening on non-JB phones, but maybe I just haven't seen any yet.

    I don't know if there is any fix yet, other than changing your AppleID account password, then enabling 2-factor authentication.

    I see some logins that have a money amount like (unlock $50), or something similar. Do you have anything like that on yours?
     
  3. kmoorejr thread starter macrumors newbie

    Joined:
    May 3, 2017
    #3
    Definitely not jail broken. Device was a Mac Book Pro. Also appears that the device's firmware may have been affected as it required a password when attempting to boot using CMD + ALT + R. User stated they had never seen that screen before (padlock). Multiple password attempts had no affect. Waiting out the "60 minutes" had not affect, the timer simply restarted.

    User is going to call Apple Support and attempt to resolve with their assistance. If I hear anything about how to resolve the issue, I'll post to this thread.
     
  4. Eskimo121 macrumors newbie

    Joined:
    May 7, 2017
    #4
    Hey there, same problem since yesterday. He also wants 50$/0.04 BTC bitcoins from me within 12 houts, but who tells that He sends me a code after paying? The 12 hours are already expired anyway.

    I've called Apple but they couldn't tell me a solution yet.

    Please keep me updated whatever You are doing. I need my data, but i won't pay any bitcoins.
     
  5. ApfelKuchen macrumors 68030

    Joined:
    Aug 28, 2012
    Location:
    Between the coasts
    #5
    Sounds like a firmware password was set, though the "Write to email..." part is more consistent with a message left when a device is in Find My iPhone/Mac Lost Mode. This article illustrates both the firmware passcode and Find My Mac screens (among other useful info): https://support.apple.com/HT204455
     
  6. John_L macrumors newbie

    Joined:
    May 7, 2017
    #6
    I've seen this twice in the past few days. The computer boots to a 4 digit input and the indication to write applepass04@gmail.com. One person did this, they responded with a bitcoin wallet ID and a ransom of 0.03085 bitcoin, which equates to $50 USD. A firmware password does get set, so the only option one has is to take (original) proof of purchase and the Mac to the nearest Apple Store, and the Genius Bar can, after POP verification, remove the firmware password. Not sure what hurdles to jump after that to possibly recover data, unless you're ok with paying a ransom for your data. At the very least, when the firmware is unlocked, you can at bare minimum, format and recover the device if not your data. This is a bit disconcerting to see. I've heard of large corporations data being held prisoner for large ransoms, but it's worrisome to see it filtering down to personal computers, Macs at that, which is surprising because macOS is a pretty secure environment, especially if you're fully up to date with the latest version.

    I suspect iCloud might play a role, because one of the two instances I've seen had two Macs, and an iPhone hit at the same time.
     
  7. Acourtney macrumors newbie

    Acourtney

    Joined:
    May 7, 2017
    #7
    I had the exact same issue take place early Friday morning. They got my iPhone, Apple Watch and two computers. I have to take both my Macs to the Genius Bar next weekend. (3 hours away) I bought one of my computers second hand a few years ago. Do you know if there any chance they will fix it without proof of purchase?
     
  8. Ryanbusler macrumors newbie

    Joined:
    May 8, 2017
    #8
    I found a solution to this problem. I let my computer go dead and then plug it back in and turned it on. At this point it bypasses the disabled screen and boots up but if I restart it it will be disabled again. I didn't sign into my iCloud account and locked my MacBook again. Then I can restart put in the new password that I set up and I'm OK .
    --- Post Merged, May 8, 2017 ---
    I found a solution to this problem. I let my computer go dead and then plug it back in and turned it on. At this point it bypasses the disabled screen and boots up but if I restart it it will be disabled again. I didn't sign into my iCloud account and locked my MacBook again. Then I can restart put in the new password that I set up and I'm OK .
     
  9. Fishrrman macrumors G4

    Fishrrman

    Joined:
    Feb 20, 2009
    #9
    "I found a solution to this problem. I let my computer go dead and then plug it back in and turned it on. At this point it bypasses the disabled screen and boots up but if I restart it it will be disabled again. I didn't sign into my iCloud account and locked my MacBook again. Then I can restart put in the new password that I set up and I'm OK ."

    Could you detail this scenario a bit more clearly with a step-by-step guide?
    Your language above is unclear...
     
  10. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
  11. toxicity033 macrumors member

    Joined:
    Sep 18, 2014
    #11
    more details please, i have the same issue right now
     
  12. Arak macrumors newbie

    Joined:
    Feb 13, 2017
    #12
    Will it work to prevent by cutting iCloud account from device (iMac, iPhone, etc)?
    If yes how has the cut look like? Remove all device registrations from iCloud account?
     
  13. thebluemedia macrumors newbie

    thebluemedia

    Joined:
    Jul 5, 2017
    #13
    I'm having this same issue, but the email at the bottom of the lock screen is 'help.apple.us@gmail.com'

    My Mac won't boot into safe mode and when I get to recovery, my firmware password has been changed.

    Apple hasn't been much help. Two different people I've talked to couldn't figure out the issue.

    I am going to try letting it die completely. I've removed it from my iCloud account, but every time I restart it it boots to the lock screen still so hopefully if it dies completely it will do a full restart and I can boot into Safe Mode.
     
  14. John_L macrumors newbie

    Joined:
    May 7, 2017
    #14
    Take it to an Apple Retail Store with proof of purchase. If you bought it directly from Apple, they can look up your order with you just needing your ID. Otherwise, bring the receipt, or if you don't have it, you can usually get a reprint from the seller. They should be able to remove the firmware lock (which is what it is), and you can recover all you data. Only an Apple Retail Store can remove a firmware lock without the password.
     
  15. jamievl macrumors newbie

    Joined:
    Jul 6, 2017
    #15
    I'm having this trouble also. Same exact message. My phone was put in lost mode. Apple wasn't much help. They told me to do the account recovery. Which I did a week ago and still have no access to my phone. All I use with apple is my iphone. Has anyone figured this out? I can't get into itunes or icloud or anything because my account is locked. Apple basically said it could take two weeks to verify my identify which is not helpful to me at all.
     
  16. Floris macrumors 68020

    Floris

    Joined:
    Sep 7, 2007
    Location:
    Netherlands
    #16
    I am more interested to know if this is caused by handbreak or transmission as well. Or if you guys run into something new that we don't know about yet?

    You guys using pirated software for say adobe premiere, for example, or can you guarantee everything's legit and it's thread differently than the previous couple cases of ransomware on mac
     
  17. jamievl macrumors newbie

    Joined:
    Jul 6, 2017
    #17
    I have no idea what that means. I'm not very good at techy things. I have an iphone. I don't use apple for anything else. I don't have a mac or ipad. I don't even use itunes. I use my phone for texting, facebook, and phone calls. I don't even have other apps on my phone.
     
  18. Floris macrumors 68020

    Floris

    Joined:
    Sep 7, 2007
    Location:
    Netherlands
    #18
    So I guess it's through a link on a site that's exploiting an outdated iOS build or some email link you clicked on and accepted to do whatever..

    Otherwise I can't imagine how to auto-install ransomware on a up to date 10.3.2 iOS phone with no third party apps and not jailbroken, and stuff. And apps are sandboxed, I can't imagine they bypass that without a popup asking you to give a pin or otherwise accept a custom profile or whatever might be needed.
     
  19. jamievl macrumors newbie

    Joined:
    Jul 6, 2017
    #19

    I don't know. I was camping and had no cell service. When I got back to service area, my phone said on the lock screen "write to email: help.apple.us@gmail.com." I didn't. I came home and checked my email from my HP laptop. I had an email at 1 PM saying someone had tried to log in to my apple account. If that's not me, then change my password. Then at 7:15 PM I had an email that said my iphone was reported as lost. I picked up those emails around 8 PM when I got home. I called apple the next day. The guy had never heard of this happening and just said that my account is locked (which is why I couldn't change my password when I went to try) and that it could take up to 2 weeks for apple to verify my identity and restore my account.
     
  20. Floris macrumors 68020

    Floris

    Joined:
    Sep 7, 2007
    Location:
    Netherlands
    #20
    Scary, guess they got a way to get into the phone and hijack your sim card and validate it's you and restore the pass and get in and lock your phone and force ransomware on it.

    Sounds like the CIA is after you.
     
  21. jamievl macrumors newbie

    Joined:
    Jul 6, 2017
    #21
    Haha, well I'm sure they were sorely disappointed as I am a very boring, and broke person.
     
  22. mayfairman macrumors newbie

    Joined:
    Nov 12, 2009
    #22
    Yes we have the same problem today on an iMac and have not yet found a way round it.
     
  23. ApfelKuchen macrumors 68030

    Joined:
    Aug 28, 2012
    Location:
    Between the coasts
    #24
    Most likely, yes (see my earlier comments about Find My iPhone). Illicit possession of an Apple ID password opens the possibility that Find My iPhone/Find my Mac Lost Mode can be enabled. No additional software is required - the ransom message is delivered by Find My.

    When someone reports that several or all of their Apple products - both Mac and iOS - are affected, that's an Apple ID hijacking, pure and simple. The chances of implanting some sort of rogue software on every one of those items... microscopic.

    Find My iPhone/iPad/Mac is a great feature. I'm confident it does far more good than harm. However, it can be turned against someone. If you give away the keys you may just get locked out of your own home.

    One way to substantially reduce the chance of this kind of take-over is to use Two-Factor Authentication for the Apple ID https://support.apple.com/HT204915. Apple's become more insistent about people adopting this security method, and these "ransomware attacks" could be one of the reasons Apple is pushing it. I can't say that two-factor makes take-overs impossible (in fact, you'll see examples of such intricate scams on old episodes of Mission: Impossible), but it dramatically raises the barriers the bad guys must overcome.

    Finally, the macsecurity.net article linked above ends by stating the company's security software can help, contrary to everything said previously in the article. There's no security software that can prevent someone from logging into a victim's Apple ID account. There's no security software that can prevent a person from falling for a phishing scam. The use of a password-protection app won't help... the only thing that can help is to not give away that precious password.
     
  24. jweedman87 macrumors newbie

    Joined:
    Aug 13, 2017
    #25

    Aw man! You never posted back! Did this solution work for you? ... letting it completely die after removing the device from your iCloud account?

    I had an iPhone and Macbook Pro both get hit this morning. I got the iPhone back, but not sure how to get around the firmware lock on the Macbook Pro. I can take it in to the apple store, but I'd love to find a solution that I can do on my own before going that route.

    Would appreciate to know how you got yours solved - thanks!
     

Share This Page