Ransomware Kalunga Russia iCloud Hack

Southern Dad

macrumors 68000
Original poster
May 23, 2010
1,532
563
Shady Dale, Georgia
I have been using Apple products for a long time. In all those years, I have never had a malware issue. That all changed last night. I do have two-factor authentication turned on for my Apple ID. A pop-up appeared on my iPhone 7 Plus. It's a request for two-factor authentication from Kalunga, Russia. Obviously, I quickly clicked deny. Then my iPhone 7 Plus and iPad Pro both went into Lost Mode. When I fired up my MacBook Pro, what do I see? Yes, that wonderful Firmware Lock Screen that you enable with Lost Mode, asking for my six-digit code. Of course, it has the email address "unlock.device@gmx.com" to send an email. Not going to happen.

A little research and I find out that this has been going on for a few weeks. It also did not take long to figure out that the only solution to this was a trip to the Apple Store Genius Bar. When I contacted Apple Support, they told me that they would be glad to set the appointment up for Saturday, September 26th! Really? That's the best that they can do? Luckily, the Apple Store at Mall of Georgia has walk-in appointments. I will just have to endure the wait.

Ransomware Kalunga Russia iCloud Hack is the name of this. I have linked the Apple Support thread. If you have an older Apple product, there are solutions that work. But if you have a late model MacBook Pro, you will be going to the Genius Bar. You will also need proof of ownership. This is the order where you purchased your MacBook. I know, what about people who bought it used?

Is anyone else having this issue? How did you deal with it? Did you have to break out the passport for a quick trip to Kalunga, Russia?
 

Rok73

macrumors 65816
Apr 21, 2015
1,128
501
Planet Earth
Well, the only way to deal with it is to get in touch with Apple Support with a proof of purchase. What other way would there be?

However, despite you having 2FA turned on, those Russian guys must have gotten hold of your login credentials through phishing, i.e. there is no other way, because Apple's customer data hasn't been "hacked" or something.
 

vkd

macrumors 6502a
Sep 10, 2012
916
313
I need a new sofa, laresangel357, can you hack one for me?
 

Southern Dad

macrumors 68000
Original poster
May 23, 2010
1,532
563
Shady Dale, Georgia
Rok73 said:
Well, the only way to deal with it is to get in touch with Apple Support with a proof of purchase. What other way would there be?

However, despite you having 2FA turned on, those Russian guys must have gotten hold of your login credentials through phishing, i.e. there is no other way, because Apple's customer data hasn't been "hacked" or something.

It is possible that the Russians were able to phish the username and password. I haven't traveled to Russia any time recently and I have not actually logged into anything using my Apple username and password in at least a month or more. The email account is actually different and only used for Apple, as is the password.
 

Fishrrman

macrumors Core
Feb 20, 2009
20,155
7,101
Does one have to be an iCloud user to "get bitten" by this?

I ask because I have no iOS devices and have NEVER once signed into iCloud.

I really don't have any use for it, and will probably never use it in the future.

Can they hack you "through iCloud" if you don't have an account there?
 

Southern Dad

macrumors 68000
Original poster
May 23, 2010
1,532
563
Shady Dale, Georgia
Fishrrman said:
Does one have to be an iCloud user to "get bitten" by this?

I ask because I have no iOS devices and have NEVER once signed into iCloud.

I really don't have any use for it, and will probably never use it in the future.

Can they hack you "through iCloud" if you don't have an account there?

While not an expert, I think you could be safe.
 

Michaelgtrusa

macrumors 604
Oct 13, 2008
7,900
1,820
Quoted from an earlier post in the thread:
I don't have Handbrake, at all. But the positive thing is that I lost no data. The Genius just booted the MacBook Pro to show the hash mark. Then he went into chat with someone and they gave him what he needed to make a USB drive to remove the Firmware Password.

Glad to hear this is all cleared up. Thanks for the heads up.
 

Bahamut Eos

macrumors member
Mar 29, 2008
71
2
Los Angeles
You are not the only one, I started a thread here a few days ago that this happened to me as well. Details are almost identical, only I didn't have 2FA set up beforehand. I do now, but I'm hearing this still happened to a lot of people who had it set up.


https://forums.macrumors.com/threads/icloud-being-hacked-in-progress.2061279/

Here is another Apple support page where it's happening to many other people. People who also say they had 2FA set up. I think Apple has been compromised, and the hackers are rolling this out slowly to test it out.

https://discussions.apple.com/message/32066655#32066655

ApfelKuchen

macrumors 68040
Aug 28, 2012
3,804
2,364
Between the coasts
Bahamut Eos said:
You are not the only one, I started a thread here a few days ago that this happened to me as well. Details are almost identical, only I didn't have 2FA set up beforehand. I do now, but I'm hearing this still happened to a lot of people who had it set up.

https://forums.macrumors.com/threads/icloud-being-hacked-in-progress.2061279/

Here is another Apple support page where it's happening to many other people. People who also say they had 2FA set up. I think Apple has been compromised, and the hackers are rolling this out slowly to test it out.

https://discussions.apple.com/message/32066655#32066655

Not compromised. The explanation is right there in that Apple discussion. You can enable Lost Mode without a 2FA verification code, just the Apple ID and password. This is a feature, not a bug.

If a 2FA verification code was required to enable Lost Mode, a person might not be able to enable Lost Mode at all - iPhones are often a person's only 2FA trusted device, their iPhone phone number their only trusted phone number.

I can see how Apple may have to tighten up the process (perhaps not requiring an authentication code when there's only one trusted device and/or one trusted phone number, but requiring the code if there are multiple devices/phone numbers), but that's just off the top of my head. I leave it to the people at Apple who work on this issue full-time to come up with the right answer.

Southern Dad

macrumors 68000
Original poster
May 23, 2010
1,532
563
Shady Dale, Georgia
Bahamut Eos said:
You are not the only one, I started a thread here a few days ago that this happened to me as well. Details are almost identical, only I didn't have 2FA set up beforehand. I do now, but I'm hearing this still happened to a lot of people who had it set up.

https://forums.macrumors.com/threads/icloud-being-hacked-in-progress.2061279/

Here is another Apple support page where it's happening to many other people. People who also say they had 2FA set up. I think Apple has been compromised, and the hackers are rolling this out slowly to test it out.

https://discussions.apple.com/message/32066655#32066655

Thank you, I will check out the thread. I have changed the password. It's long, it's complicated, and not going to be easily discovered. Even better is that I will not actually use that password except on the rare occasion that I need to use Apple ID.
 

Bahamut Eos

macrumors member
Mar 29, 2008
71
2
Los Angeles
ApfelKuchen said:
Not compromised. The explanation is right there in that Apple discussion. You can enable Lost Mode without a 2FA verification code, just the Apple ID and password. This is a feature, not a bug.

If a 2FA verification code was required to enable Lost Mode, a person might not be able to enable Lost Mode at all - iPhones are often a person's only 2FA trusted device, their iPhone phone number their only trusted phone number.

I can see how Apple may have to tighten up the process (perhaps not requiring an authentication code when there's only one trusted device and/or one trusted phone number, but requiring the code if there are multiple devices/phone numbers), but that's just off the top of my head. I leave it to the people at Apple who work on this issue full-time to come up with the right answer.

I didn't notice it in the thread, but that actually makes a lot of sense. Thanks, I feel a little less nervous, although I'm sad that I don't feel I can trust that feature anymore, at least not on my most time sensitive systems.

I'm happy but suspicious about why they didn't try to lock me out of the account though. Maybe they couldn't since I clicked Don't Allow...