Got a tip for us? Share it...

New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

OS X Users Hit by Ransomware Websites Posing as FBI Notices

Malwarebytes takes a look at a method cyber-criminals have begun using to target Mac users with "ransomware", hijacking the user's browser with a notice demanding payment of $300 in order to release control of the application. While similar malware has affected Windows systems for a number of years, Mac users have only rarely seen such efforts targeted at themselves.
The ransomware page is being pushed onto unsuspecting users browsing regular sites but in particular when searching for popular keywords.

Warnings appearing to be from the FBI tell the victim: “you have been viewing or distributing prohibited Pornographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.”
safari_fbi_ransomware
Rather than a sophisticated hijack of the actual browser software or an installation of a trojan, the ransomware is merely a simple webpage using JavaScript to load 150 iframes that require confirmation to be dismissed, with the authors hoping that users will give up long before they dismiss all of the dialog boxes and simply pay the ransom. As the report notes, a feature on OS X that reopens previously open windows after relaunching an app means that users generally can not simply close and reopen Safari in order to escape the ransomware.

The report details one method to escape the ransomware involving resetting Safari, but misses a far simpler tactic: Simply holding down the Shift key while relaunching Safari will prevent it from reopening windows and tabs from the previous session. Users can also completely disable the reopening feature across OS X from the General pane of System Preferences. Many OS X users may, however, be unfamiliar with such options and find themselves trapped by the ransomware webpage.


The report notes that the ransomware authors are targeting users based on popular search terms, with one example stumbled upon through an image search result for Taylor Swift on Bing.

Top Rated Comments

(View all)

13 months ago
I have paid this ransom like 3 times today and still no sense of absolution.
Rating: 46 Votes
13 months ago
Who falls for a thing that says its the FBI and to pay a fine you use gas station money cards? Really?
Rating: 46 Votes
13 months ago

Only real stupid people would fall for that.

Unfortunately...


This is America so I wouldn't be surprised.


Why do you make such generalizations? Not everyone is computer Savy, there are some people in their 60s and 70s who 'barely' get by browsing the internet and checking email, and yea they bought Mac because it's easy. They are not real stupid, they are not dumb, they just don't know enough to know it's fake.
Rating: 17 Votes
13 months ago
If the fbi finds out you're distributing child porn you're going to jail, not paying 300 dollars. Hahaha.
Rating: 16 Votes
13 months ago
Only real stupid people would fall for that.

Unfortunately...


This is America so I wouldn't be surprised.
Rating: 14 Votes
13 months ago

Who falls for a thing that says its the FBI and to pay a fine you use gas station money cards? Really?


You'd be surprised.
Rating: 14 Votes
13 months ago

If you get it in front of 1,000,000 people, and only .001% fall for it, you've hit 1,000 users.


Your maths teacher has a lot to answer for.
Rating: 12 Votes
13 months ago
Well at least it only blocks the browser. I've had to fix 2 Windows machines for people with these things and they completely lock the whole system as well as installing a load of crap with it.
Rating: 12 Votes
13 months ago

I've never heard of similar marware on Windows. It's just funny how MacRumors says that because it's sounds so much like an emotionally dependent fanboy attempt of trying to deflect.


:confused: I get a lot of calls a day regarding ransomware viruses. Not just easy ones, either; not a case of logging in through Safe Mode and running MalwareBytes. They're not in %temp%, or %AppData%, in msconfig or startup folder. I'm talking ransomware that hooks itself on explorer.exe registry entries, in the depths of HKLM and HKCU. It's damn clever, but near enough bricks the computer. Boot into Safe Mode? It restarts the computer. Only way to do it is to boot into Safe Mode with Command Prompt (when it doesn't load up the explorer shell), and tell a person on the phone the exact registry keys to edit in order to temporarily disable the virus ... then reboot, we log in, and spend the next 4 hours cleaning up more viruses.

Also I'm inundated with calls when Security Centre is disabled, as are Windows Firewall and Windows Updates. No, not just 'disabled' as in 'restart it in services.msc', I mean malware deleted the registry entries (common theme?) so we have to readd them, and then change the folder permissions in a certain registry key to add MpsSvc and give full permission to that, then you can see it in services.msc and re-enable it …

It's a PITA. It really is. Malware, spyware, adware, bloatware -- whatever you want to call it -- is a huge problem on Windows. People like you who are so willingly ignorant, who say things like: "Oh, I've never had a BSOD/virus infection/inexplicable Windows fail in xx years of using Windows computers" -- well, I call shenanigans. I really, really do.

If you think Windows is easy to use and doesn't have problems as long as you 'know what you're doing', you don't know anything more than the basics. If you think it's an easy OS to use, you haven't used enough of its features. And certainly, if you haven't heard of similar malware on Windows, then you're either a poor troll or you really do know nothing, Jon Snow.

And as an aside, I've always found that Apple-haters are far more aggressive and arrogant than the Apple lovers. It's a shame you've done little to disprove that.

/rant
Rating: 10 Votes
13 months ago
Now how do I get my $300 back?
Rating: 9 Votes

[ Read All Comments ]