FBI Ransomware Now Targeting Apple’s Mac OS X Users

Posted July 15, 2013 by Jérôme Segura

For years, Windows users have been plagued by ransomware demanding several hundred dollars to unlock their computers.

The bad guys know there is a growing market of Apple consumers who, for the most part, feel pretty safe about browsing the Internet on a Mac without the need for any security product.

Cyber-criminals, well known for not re-inventing the wheel, have ‘ported’ the latest ransomware to OS X, not by using some complicated exploit but rather leveraging the browser and its ‘restore from crash’ feature.

Update: Read our Q&A for the latest about this ransomware.

(Scroll all the way to the end of the post for a video on how to remove this Apple ransomware.)

The ransomware page is being pushed onto unsuspecting users browsing regular sites but in particular when searching for popular keywords.

Warnings appearing to be from the FBI tell the victim: “your browser has been blocked…you have been viewing or distributing prohibited Pornographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.”

A quick look at the address bar shows an interesting URL: fbi.gov.id657546456-3999456674.k8381 . com, the bad guys are clearly trying to fool users.

If you choose to ignore the message (which you should), you cannot get rid of the page:

Repeated attempts to close the page will only lead to frustration as even the “Leave Page” browser trick does not work:

If you “force quit” the application, the same ransomware page will come back the next time to restart Safari because of the “restore from crash” feature which loads backs the last URL visited before the browser was quit unexpectedly. Talk about a vicious circle.

This is how it is done, by using some JavaScript code:

The “infinite loop” (which really isn’t) is made possible by 150 iframes created dynamically by this JavaScript snippet:

There is a way to get rid of it (without clicking on the prompt 150 times) and more importantly without paying the $300 ransom. Click on the Safari menu and then choose “Reset Safari”:

Make sure all items are marked and hit the Reset button:

You can bet many people are going to fall for this scam and pay the ransom money, filling the bad guys’ pockets.

Whenever alarming messages are displayed, it is important to take the time to review them, call a friend or talk to someone about it.

The bad guys know how to use social engineering to entice victims as, for example, I was lead to this locked page by doing a search for Taylor Swift on Bing images. The victim will feel they may have actually being doing something wrong and got caught and ashamed, will pay the “fine.”

This scam is unfortunately all too efficient and is not going away anytime soon.

Watch this tutorial on how to get rid of the FBI ransomware for OS X.

Jerome Segura (@jeromesegura), senior security researcher at Malwarebytes.

COMMENTS

Pingback: FBI Ransomware Now Targeting Apple's Mac OS X U...()
garrettevans

I’m a Mac fanboy, but I’ve relied on MWB for all my PC family and friends who want me to “fix” up their computer.

Big thanks to MWB for looking out for us fanboys too!
Pingback: New OS X malware holds Macs for ransom, demands $300 fine to the FBI for ‘viewing or distributing’ **** | Noble Networks()
Pingback: FBI ransomware trojan now tricking Mac users into paying $300 fines | VentureBeat()
Pingback: New OS X malware holds Macs for ransom, demands $300 fine to the FBI for ‘viewing or distributing’ **** - The Headlines Now - Live News India, World, Business, Technology, Sports, Fashion, LifeStyle & Entertainment()
Pingback: Nuevo malware para Mac finge ser el FBI | conecti.ca()
Pingback: The Capitals™ – Capitalists' Magazine | 資本家札記 | FBI ransomware trojan now tricking Mac users into paying $300 fines()
Pingback: Nuevo troyano en Mac OS X demanda 300 dólares para desbloquear el sistema | GeeksRoom()
Pingback: Nuevo troyano en Mac OS X demanda 300 dólares para desbloquear el sistema()
Mark Pippin

“You can bet many people are going to fall for this scam and either pay the ransom money or bring it to a shop, in both cases filling the bad guys’ pockets.”

Can you please explain how a user taking their infected PC to a professional shop for removal is filling the ‘bad guys'” pocket??

The professionals, like me, who remove this junk are not ‘bad guys’ and certainly had nothing to do with our customers getting infected to begin with.
Jerome Segura

Hi Mark,

Thanks for letting me know, I must have gotten carried away. I have updated the post accordingly and apologize for the misunderstanding.

I have cleaned PCs for customers and friends (and still do) and know it is not an easy job, one that requires skills and patience. So again, sorry for giving out the wrong message!

Thanks 🙂
Pingback: FBI-themed ransomware now affecting OS X users | simples WordPress()
Pingback: FBI Ransomware trojan now tricking Mac users into paying $300 fines | Vietnam Outsourcing()
Pingback: New OS X malware holds Macs for ransom, demands $300 fine to the FBI for ‘viewing or distributing’ **** - Daily Small Talk()
Jerome Segura

I see a lot of sources incorrectly reporting this as a Trojan for OS X. It is not, please read carefully, as it is simply using JavaScript within the browser and preventing the user from closing the window. This means the user is actually not infected (despite what it seems) and what the bad guys are hoping is you get frustrated with your browser not closing, and end up paying the ransom.
This attack can be safely and easily defeated if you follow the steps provided at the end of the blog post. Thanks!
Pingback: FBI Ransomware trojan now tricking Mac users into paying $300 fines | HenQ Venture()
Pingback: FBI-themed ransomware now affecting OS X users | USA Today NewsUSA Today News()
v1car

Actually, I checked — at least in Safari, you can immediately get rid of this page with a bookmarklet which uses document.write() to delete the page contents. Here’s the one I tested (which turns the page into a nicely-formatted message describing what happened) (and with my luck, WordPress will somehow eat this):

javascript:%20void(function(){document.write(‘%3Chtml%3E%3Chead%3E%3Ctitle%3E%2D%2D%20Page%20has%20been%20erased%20%2D%2D%3C%2Ftitle%3E%3C%2Fhead%3E%3Cbody%20style%3D%22margin%3A0in%3Bpadding%3A25%25%3B%22%3E%3Ch1%20style%3D%22size%3Axx%2Dlarge%3Btext%2Dalign%3Acenter%3Bcolor%3Ared%3Bmargin%3A25%25%3Bfont%2Dweight%3Abold%3B%22%3EThis%20page%20was%20erased%20using%20a%20bookmarklet%2E%3C%2Fh1%3E%3Cp%20style%3D%22text%2Dalign%3Acenter%3B%22%3EThis%20page%20has%20had%20its%20content%20replaced%20with%20this%20message%2E%20If%20you%20want%20the%20content%20back%2C%20you%20will%20need%20to%20reload%20the%20page%2E%3C%2Fp%3E%3C%2Fbody%3E%3C%2Fhtml%3E’);}())
v1car

Okay, it didn’t lose the text, it just cut it off with formatting so you can’t see most of it (which is fine; just select the whole thing and copy and paste). When I tested, if you run this script on the page whose URL is given in this entry, you can then close the window without any messages. Hooray for the poorly-planned properties of the original DOM!
Pingback: FBI Ransomware Now Targeting Apple’s Mac OS X Users | Malwarebytes Unpacked | techHUB()
Pingback: FBI Ransomware trojan now tricking Mac users into paying $300 fines « Music RSS()
Pingback: FBI Ransomware iti va tine Mac-ul ostatic (Video) | iDevice.ro()
Pingback: New OS X Malware Holds Macs for ransom Demanding $300 fine for ‘viewing or distributing’ **** |()
Pingback: New OS X malware holds Macs for ransom, demands $300 fine to the FBI for ‘viewing or distributing’ **** | BLOGUH()
Pingback: Hackerss.com » Virus del FBI llega a OS X()
Pingback: FBI Ransomware Now Targeting Apple’s Mac OS X Users » Cyber Parse()
Pingback: Nuevo malware para Mac finge ser el FBI | FullTime SV()
Pingback: FBI Ransomware Now Targeting Apple's Mac OS X Users (Jerome Segura/Malwarebytes Unpacked) | Are You An Android?()
Pingback: OS X Users Hit by Ransomware Websites Posing as FBI Notices | Frog In The Box()
Pingback: OS X Users Hit by Ransomware Websites Posing as FBI Notices | chicagogeek()
Pingback: OS X Users Hit by Ransomware Websites Posing as FBI NoticesWinToMac | WinToMac()
mrglass

You don’t need to reset Safari in order to get rid of this. Just open the JavaScript console and paste “function areYouSure() { return false;} ;” (without quotes) at the prompt and hit enter. The next time the function is called it shouldn’t prompt anymore. I guess you could also set “i = 150;” and that would be the end of it too.
Pingback: Mac Users Targeted by Fake FBI Notices from Ransomware Websites | MacTrast()
Pingback: OS X Users Hit by Ransomware Websites Posing as FBI Notices ← SIMPLYGRAY()
Pingback: OS X Users Hit by Ransomware Websites Posing as FBI Notices | CodeBlue Technology()
Pingback: 10 things you should know about tech and social this week | FAVES + CO.()
Pingback: Malwarebytes annouces FBI Ransomware Targeting Mac OS X | The Security Blogger()
Pingback: FBI “Ransomware” Now Targetting OS X Users [How-to-Remove VIDEO] | iPhone in Canada Blog - Canada's #1 iPhone Resource()
Pingback: Cyber Thieves Posing As The FBI Are Targeting Mac Users With ‘Ransomware’ Scam @ refresh.in.th()
Pingback: Technable | Making you Technically Able()
http://www.facebook.com/michaeltjohnston Michael Johnston

If you ever find yourself on a page that won’t let you close it, simply open Safari preferences (Command + ,), click the Security tab, and uncheck “Enable JavaScript.”

Once JavaScript is disabled, you’ll be able to close the site. Tadaaa!
Pingback: Un Malware Attacca OS X: Finta Pagina FBI chiede 300 Dollari per Sbloccare il Sistema » Revoblog()
Pingback: FBI ransomware hits Mac OS X: Here's how to get rid of it | Digital Trends()
Pingback: OS X Users Hit by Ransom Malware Posing as FBI | SiliconANGLE()
Pingback: Ransomware Masked as FBI Notice Targets OS X Users | MacNewsFeed()
Buck Virga

Not sure if it will work here as I haven’t tried it but holding the shift key while relaunching safari should force it to load the home page instead.
Pingback: How to tackle JavaScript-based ransomware sites | TNT()
Pingback: How to tackle JavaScript-based ransomware sites | CNT()
Pingback: Mac OS X Users Being Targeted by FBI Ransomware()
Pingback: Malware targeting Mac OS X users Posing as FBI Notice | First Tech Guide()
Pingback: How to tackle JavaScript-based ransomware sites | AnuragP()
Pingback: How to tackle JavaScript-based ransomware sites | UltraTrends.com()
Pingback: Partners In Sublime How to tackle JavaScript-based ransomware sites - Partners In Sublime()
Pingback: OS X Users Hit by Ransomware Websites Posing as FBI Notices | Apple Related()
Pingback: OS X Users Hit by Ransomware Websites Posing as FBI Notices | Ninja Hangout()
Pingback: OS X Users Hit by Ransomware Websites Posing as FBI Notices | The iPadian Times()
Pingback: Ransomware posing as an FBI notice targets OS X users | The iPadian Times()
Pingback: Tuesday Evening Links – | Blog()
Pingback: W63 TOP NEWS » How to tackle JavaScript-based ransomware sites()
Pingback: Como evitar el Ransomware, un peligro que afecta cada vez más a los ordenadores de Apple()
Pingback: Ransomware fra “FBI” – er blot et lille javascript | fbjohansen()
Pingback: FBI “Ransomware” Now Targetting OS X Users [How-to-Remove VIDEO] | MobileHeadlines.net()
Pingback: How to tackle JavaScript-based ransomware sites | Recom Computers()
Pingback: فناوری اطلاعات فارس » How to tackle JavaScript-based ransomware sites()
Pingback: OS X Ancora Vittima Di Hacker - ZioGeeK()
Pingback: OS X Ancora Vittima Di Hacker | Soluzione e Sistemi di Catino Valentino()
Pingback: Mac Malware on the Rise – Child **** Ransomware Demands $300 Release Fee | NO MORE SHAME()
Pingback: Solution Search | How to tackle JavaScript-based ransomware sites()
Pingback: Apple‘s Mac OS X Users have been Targeted by FBI Ransomware()
Pingback: Mac Users Targeted With New Ransomware Scam | The IT Nerd()
Pingback: Εμφανίστηκε και στα Mac ο «ιός της Αστυνομίας» και ζητά 300 δολάρια για λύτρα()
Pingback: Ransom-ware demanding money to unlock your computer | Ben's Blog on Gadgets and Travel()
Pingback: Forbidden News » New ransomware targeting OS X users()
Pingback: Εμφανίστηκε και στα Mac ο "ιός της Αστυνομίας" και ζητά 300 δολάρια για λύτρα()
Pingback: El troyano del FBI llega a Mac | Reverendo's Blog()
Pingback: e-ptolemeos.gr - Εμφανίστηκε και στα Mac ο “ιός της Αστυνομίας” και ζητά 300 δολάρια για λύτρα()
Pingback: FBI Ransomware Hits Mac Users | Breaking Internet Marketing News()
Pingback: A Q&A about the Mac new FBI "ransomware" | Malwarebytes Unpacked()
jfbos

I got hit with this on 7/13. I got rid of it by holding down the power button to shut the Mac down. When I restarted, the FBI screen was gone but my Mcafee wouldn’t update and the scan seemed to get hung up after only 7 files. Is that related to the ransomeware? If it’s just a script on a website, how could it keep me from updating so I could run a scan?

Did I do something wrong by shutting down rather than your proposed solution? Is there something else I need to do? Thanks.
Jerome Segura

Hi jfbos,

Thanks for sharing your experience. The hard reboot is not recommended and could have corrupted some files on your OS. But that happens when sometimes we have to resort to such things.
The first thing I’d do is uninstall your antivirus, restart and then install it again cleanly. See if that fixes the issue. Here is a link to their support page: http://service.mcafee.com/default.aspx

The ransom page itself is a pure lure, nothing malicious with it that we could tell. Please let us know if that works for you.
Pingback: Biting the Forbidden Fruit | Koi Scribblings()
davidravenmoon

Here’s the easy way to do this;

force quit Safari. Then when you launch it again hold down the shift key. This will prevent windows from the last session from opening.

This is better than resetting Safari and looking a lot of your settings.
Pingback: On "FBI" "Ransomware" and Macs | Virus / malware / hacking / security news()
https://www.facebook.com/francois.robert.ca François Robért

‘The average Mac computer user will not know how to do many of the solutions posted here and, being non-technical, are the most likely to fall for the scam. The easiest solution for them is not the solution described because ‘Reset Safari’ will lose their name-password combinations, auto-fill data and a host of other things they will fret about for having been lost. Why nuke when a bullet will do?

The easier, and safer solution for the non-technical, is to Force Quit Safari (hold the Option key while selecting Safari in the dock) then, restart Safari while holding the shift key. This will bring them back to their original homepage location without erasing most of their settings.

Much easier to remember, easier to do, and less scary for the less technically inclined.
Pingback: New FBI Malware Scares OS X Users, Asks Them Money | Good Reviews from A to Z()
Pingback: FBI Ransomware Now On Mac OS X, Google Online TV, & More - LogicLounge()
Pingback: FBI Ransomware Hits Mac Users()
Pingback: Cybercriminals Lock Mac OS X Computers with FBI Ransomware – Video | Cyber Security Infotech(P) Ltd()
Pingback: Página falsa secuestra Safari para engañar a usuarios de Mac()
Pingback: badnews.gr - Εμφανίστηκε και στα Mac ο “ιός της Αστυνομίας” και ζητά 300 δολάρια για λύτρα()
Pingback: OS X Users Hit by Ransomware Websites Posing as FBI Notices | What is the iCloud?()
Pingback: TechBoss – OS X Users Hit by Ransomware Websites Posing as FBI Notices()
Pingback: TechBoss – FBI-themed ransomware now affecting OS X users()
Pingback: Εμφανίστηκε και στα Mac ο “ιός της Αστυνομίας” και ζητά 300 δολάρια για λύτρα()
v1car

Also, you can get rid of the page using the following AppleScript:

tell application “Safari”
tell document of window 1 to do JavaScript “document.write(”);”
close window 1
end tell

Or you can open the Error Console (you need to turn on the Develop menu first — it’s in Preferences under “Advanced”) and just type in “document.write(”);” and hit return and then close the window.
Pingback: MakeMac | Pengguna OS X Menjadi Target FBI Ransomware Dan Cara Menghapusnya()
Pingback: Q&A About The Latest HTML Ransomware Affecting Mac OS X users()
Pingback: How to tackle JavaScript-based ransomware sites()
Pingback: Ransomware Websites Posing as FBI Targets Mac OS X -- How to Stop it()
Pingback: How to tackle JavaScriptbased ransomware sites | HaLaPicHaLaPic()
Pingback: Ok I Think i Just Spoke to the FBI on my Computer..()
Pingback: Ransomware targets Mac OS X with "Your browser has been locked" scam()
Pingback: IT-Security-Links – Week 29 | SWITCH Security-Blog()
Pingback: Apple's OS X FBI Ransomware: Going Global | Malwarebytes Unpacked()
Pingback: El Ransomware en HTML se globaliza | infoguridad()
Pingback: Enterprise Cyber Security Earns a Failing Grade | Malwarebytes Unpacked()
Pingback: Apple’s OS X FBI Ransomware Goes Global()
Pingback: Malwarebytes annouces FBI Ransomware Now Targeting Apple’s Mac OS X Users – Dr. Chaos()
Pingback: Ransomware Mac, finto messaggio FBI sequestra Safari - macitynet.it()
Pingback: Ransomware za Apple-ov Mac OS X » Unix Srbija()
Pingback: More JavaScript Ransomware | Orthology.eu()
Pingback: Revisiting the News Release: Friend, Foe or Link Builder | SEO Press()
Pingback: Fingierte FBI-Meldung im Browser: Malware ärgert Mac-Besitzer | ifun.de()
Pingback: Bad Guys Gone Greedy: Multi-Pronged Attacks Found in the Wild | Malwarebytes Unpacked()
Pingback: Bad Guys Gone Greedy: Multi-Pronged Attacks Found in the Wild | Grinnell Computers – Computer Networks, Cabling, Computer Repair, Phone Systems()
Pingback: Ransomware Puts Your System To Work Mining Bitcoins | Malwarebytes Unpacked()
Pingback: Un riscatto anche per i Mac, browser Safari bloccatoamvinfe.com()
Pingback: Phone Scammers Take A Move From The Ransomer's Playbook | Malwarebytes Unpacked()
Pete Holzmann

@Jerome wrote, “I see a lot of sources incorrectly reporting this as a Trojan for OS X. It is not, please read carefully, as it is simply using JavaScript within the browser and preventing the user from closing the window. This means the user is actually not infected (despite what it seems)”
What’s the practical difference? You’ve described exactly how a trojan works. This is malware (does things the user does not want). It remains in their browser until removed. It requires a careful procedure to remove it. That’s how most malware works these days.

The fact that it uses a creative means to “install” itself is immaterial.
Jerome Segura

Hello Pete,

The different with a traditional piece of malware is that the core Operating System is not touched. The majority of malware will try to attach itself for persistence (i.e. when you reboot the machine).
This “malicious JavaScript code” only runs in the browser and other than being an annoyance, it does not actually have a permanent impact on the system.

Does that make sense? Thanks for reading 🙂
Pingback: Employing multiple security layers is now absolutely critical for all businesses – and here is why | SCWOA | Tech Consulting, Info Security, IT and Network Support()
Pingback: Ransomware Puts Your System To Work Mining Bitcoins | 247 Protech()
Pingback: Ransomware demands additional payment to delete criminal records | Malwarebytes Unpacked()
Pingback: Ransomware demands additional payment to delete ‘criminal records’. | Grinnell Computers – Computer Networks, Cabling, Computer Repair, Phone Systems()
https://www.facebook.com/nickolas.w Nick Woods

Hi, I got this page this evening. I clicked on close, got the “do you want to leave this page” message, clicked on yes and it went, no problem, and hasn’t come back. Does that mean I still should reset Safari?
Jerome Segura

Hi Nick,

It sounds like you’re good. Browsers are starting to catch up with this little trick and blocking what looks like endless loops.
Having said that, erasing your browser history every now and again is not a bad idea.

Jerome
Pingback: Businesses Beware the Threat of Ransomware! | Jessica Zeun Consulting()
https://www.facebook.com/edward.beknazarov.5 Edward Beknazarov

just had this happened to me. the same thing, except i’m on linux (zorin OS 6.0) and the browser design looked a little different. but yeah, good thing i didn’t waste 300 bucks on this **** LOL
Pingback: FBI Ransomware Now Targeting Apple’s Mac ...()
Pingback: "Buy $500 antivirus from us," say cyber-criminals | Malwarebytes Unpacked()
https://www.facebook.com/rogelio.valiente Rogelio Valiente G

Hi, i got this yesterday. After a few attempts of clicking on the “leave page”, i decided to force quit the browser. This happened to me on Firefox. I tried to reopen the browser, and the virus was still there. I forced quit the browser again. At the third attempt, it looks like firefox somehow managed to block the page to be reopened, since the error message that “page could not be reopened” appeared. I deleted the browser history and everything seems to be running normal. Can this virus access my persobal information? Do i need to remove it completely from my computer?
Thanks for your help!
Jerome Segura

Hi Rogelio,

This type of threat is not a virus per se. It does not infect your PC like typical malware, but simply tries to block your browser (using HTML, JavaScript). Of course, it would not hurt to scan your computer for malware 🙂
https://www.facebook.com/nathan.duke Nathan Duke

A tutorial for Chrome users (or FrFx, other alt browsers, etc.) would be helpful. Perhaps when I’ve drafted one, I can post a link here? Not everyone on OSX uses Safari, needless to say. But still, thanks for this post – MWBU once again prevented me from needlessly ruining a good pair of jeans. Here’s my stupid tale of stupid stupidity…
I got nailed with this outrageous crap while attempting to watch the new Jared Leto documentary (via Google Chrome). When the page loaded, my eyes got huge, my breathing quick, my brow deeply knitted. I couldn’t believe what I was looking at! I wanted to brush it off as some obvious farce, but **** that sub-sub-domain in the URL string TRICKED ME!!! So I read through the text, $300 in 12 hours, what??? F*ck no that’s extortion, this is illegal horseshit, but **** it looked just legitimate enough to plant that seed of doubt! So I took screen shots, force-quit the browser, and did what I should have done (what everyone should always do when going online) in the first place – started Vidalia and initiated a Tor Network Session* to black-box my packets around the IP detection – which worked fine (there has been no subsequent browser blocking or error prompt weirdness so far) and although this appears to be a superficial, limited-scope “spoof-virus” browser hack, I still need to confirm that my system has not been compromised in any significant way… I gotta admit, even though in almost every prior technology crisis situation I strive to maintain an objective, empirical mindset, the combination of shock & the sliver of plausibility (in light of PRISM etc.) the limbic response of visceral fear & righteous indignation almost defeated my Grumpy Skeptics BS Filter – until I read up on the scam, ultimately landing on what I deemed to be the most reputable site amongst the search results (http://blog.malwarebytes.org/fraud-scam/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/). Thank you MWBU! What a freakin’ relief! Those clever parasitic bastards… I want to applaud their genius as they spin beneath the gallows… –
Pingback: FBI Web Ransom Scam: DO NOT PAY! | Brandingo - Brands Best Friend()
ray1

Question… I have an iphone 4, and just recently received a message on my home screen that my email(s) (it showed both of my email accounts) and FaceTime are connected to the
FBI. It also showed a telephone number that has access to my phone. It gave the option to accept or decline. I declined the request however it still went through.. I happen so quickly that I didn’t think to take a screen shot. I didn’t know if this is real or some type of scam to gain access to my files. Does the FBI ask for permission to gain access to your files?
Pingback: Browser Ransomware hides behind CloudFlare, smartens payment system | Malwarebytes Unpacked()
Pingback: FBI Ransomware trojan now tricking Mac users into paying $300 fines | BaciNews()
Pingback: TechGuides | How to remove ransomware under OS X()
p717

The info is VERY helpful! However, you do not need to reset Safari ASAP if you do not want to or use Java if that is not in your wheelhouse. I found a solution quite by accident! Be sure to have a current email with a website link such as Apple.com, iTunes, eBay, Amazon, etc. handy
1. Force Quit Safari
2. Go to the email and click the link
3. A pop up menu will say you Force Quit Safari ,… do you want to reopen the last Safari window.
4. Click… DON’T ALLOW…Success with a smile. {:-)
Then go and check your System Preferences & Safari Preferences and be sure your Firewall is active and you have deleted cookies etc… reset Safari if you want/need to and be “Cyber Safe”
Pingback: FBI Ransomware Now Targeting Apple’s Mac OS X Users | Adams A Plus Blog()
Pingback: The Scam Hunter: What It’s Like to Track Internet Bad Guys For a Living | Just A Tricks Archive()
Pingback: The Scam Hunter: What It's Like To Track Internet Bad Guys For A Living | Gizmodo Australia()
Pingback: Os caçadores de fraude: como é ganhar a vida caçando os vilões da internet - TabeladeCarros.net()
Pingback: Os caçadores de fraude: como é ganhar a vida caçando os vilões da internet | RemoveWAT SP1()
Pingback: Os caçadores de fraude: como é ganhar a vida caçando os vilões da internet | Tech News()
Pingback: Os caçadores de fraude: como é ganhar a vida caçando os vilões da internet - eXtremeMods - Tecnologia()
Lanny Perry

I am on a mac, I tried to reset safari, this ransomware will not let me do this. the command is unavalible.
Ashram13

Check out some of the other posts here; there are some good tips.

For instance, if you are running Safari and it’s stuck under the ransomware, force quit Safari.

Once the application has quit, press and hold the SHIFT key on your keyboard while you click the Safari icon on the dock. This should force Safari to open to the default home page once it starts up.

Once that’s successful, you may want to reset Safari, checking everything except, perhaps, “Remove saved names and passwords” as well as “Remove other Autofill form text.”

Because you will be deleting cookies, you may still have to re-enter login information for websites you may normally go to.

If you still can’t reset Safari, what you may need to do is go to the App Store, download CCleaner and use it to reset Safari.
Pingback: Hoaxes and Malware Hold Computers Hostage and Demand Ransom | Create Resumes | Find Jobs | FastJobz.Com()
Mikey Mikey

This didn’t work for me. I’ve tried a few times to re-start Safari while holding down the Shift key, and yet still Safari opens up in ‘frozen’ mode with the above screen shot. I therefore can’t follow any of the other instructions to reset Safari. Help, please!
Mikey Mikey

Thanks for the suggestion, but this didn’t work. Any other advice? Help, please! :-/
Mikey Mikey

Here’s what I got:

Result: error “Safari got an error: Can’t get window 1. Invalid index.” number -1719 from window 1
Ashram13

Download CCleaner from the App Store and use that to reset Safari.

If your version of OS X predates the App Store, you will have to download the app from Piriform’s website on a different computer and copy it to a USB thumb drive to transfer and install on your Mac.

If the different computer is running Windows or Linux, you may have to Google “CCleaner Mac” to get to the page where you can download an OS X image of the app.
Mikey Mikey

Thank you so much! On my 20th try or so, I finally quick-fingered the Safari / Reset Safari command so that it worked.
Ashram13

You’re welcome.
dan

my MacBook pro got this fbi ransomware, I tried to close it and it eventually shut down my computer, now it wont accept my password to open safari
Pingback: PSA: Tech Support Scams Pop-Ups on the Rise | Malwarebytes Unpacked()
Pingback: CryptoWall - Backups Can Save Your Data - Medical Data Rx.()
Pingback: Avoid Falling Victim To These Three Ransomware Scams * The New World()
Garrick Boyd

If you don’t want to lose the rest of the windows you have open (I usually have quite a few), launch Safari after disconnecting from your network. Close the offending window, reconnect to network and reload the remaining windows/tabs. Haven’t had to do this, but it should work.
Pingback: Un rançongiciel? C'est quoi ça? - TopoLocal Saint-Jérôme()
jivadas

Some years ago I got a similar message on my laptop,
purporting to be from the RCMP
(the Canadian FBI).
I was then on a public network
and my computer had no password.
They locked me out of my laptop
which I dumped from a nearby bridge.
$400 down the river….

These days I subscribe to Malwarebytes.
Pingback: Pro2col Lab » Technical Advisory: Ransomware Threat()
Ron7624

Scam. This is a scam. Man, I hate a thief.
Ron7624

Reboot in safe mode. Turn off your Mac. When you restart hold down the shift key till you see the apple. Then open safari and the commands will be available. In Preferences clear all data in safari except your website login info. This worked for me on ver 10.10.2 Ysemite.
Man, i hate a frickin thief!
CS

Or just disable Wifi, force quit safari and reopen.
be rowdy

You are a Legend
Gage Ferqueron

This happened on my iPhone 4 and said it was being reviewed and could cost up to 10000! But the difference was it let me close it
Scott Mitchell

You are absolutely correct. This worked for me. Do I have to worry that it is somehow imbedded in my MAC and will pop up once again?
Sunrise250

There is no reset button.
http://fakeagainstthemachine.tumblr.com fake_off

I’m sorry, Jerome – but maybe no one told you. Mac users use browsers other than Safari.

So while I’d like to say I appreciate your article, there’s really nothing to appreciate since this issue happened to me while using Chrome. I’m sure I’m the only one though.
Claudfin

this is the best advise because some times it’s hard to catch the short window you get while the “reset safari” is usable. thanks a million
Pingback: Toledo Notícias – Ransomware: O malware sequestrador()
Tony Shipley

The reset the Safari Browser is built in, and not widely known because it’s so rarely used. The FBI recommendation for PC users is transitioning to just pay them to release your PC. Is it time to consider PC’s as a liability and just use UNIX based computers?
Pingback: Mac-Systeme sind nicht immun gegen Ransomware - botfrei Blog()
Pingback: Are You Ready for Mac Ransomware? - Tweak Your Biz()
Pingback: OSX Ransomware Sold in the Underground - Inteller()
Pingback: OSX Ransomware Offered for Sale in the Underground - iRTW()

RELATED ARTICLES

Exploits | Threat analysis

Citadel: a cyber-criminal’s ultimate weapon?

November 5, 2012 - In old times, a citadel was a fortress used as the last line of defense. For cyber criminals it is a powerful and state-of-the-art toolkit to both distribute malware and manage infected computers (bots). Citadel is an offspring of the (too) popular Zeus crimekit whose main goal is to steal banking credentials by capturing keystrokes...

CONTINUE READING No Comments

Exploits | Threat analysis

Web Exploits: a bright future ahead

January 2, 2013 - The majority of computers get infected from visiting a specially crafted webpage that exploits one or multiple software vulnerabilities. It could be by clicking a link within an email or simply browsing the net, and it happens silently without any user interaction whatsoever. Vulnerabilities are flaws that exist in various programs and that allow someone to...

CONTINUE READING 2 Comments

Exploits | Threat analysis

Zero-Day Java vulnerability wreaks havoc on computers worldwide

January 14, 2013 - Update (1/14/2013) Oracle has issued an emergency patch to be shipped with version 7 update 11. While we are pleased to see a quick turnaround time, we stand by our initial recommendations to disable Java in your browser. This is still the most exploited piece of software and whether it is patched or not still unnecessarily puts you...

CONTINUE READING 1 Comment

Exploits | Threat analysis

New Exploit Kit, Ransomware and AV evasion

March 14, 2013 - Ransomware is still going strong and infecting countless PCs. We happened to stumble upon an interesting sample part of the Urausy family which bypassed detection on all major antivirus products for almost an entire day before slowly being detected. In this post we will give some information on its background (where it came from) and...

CONTINUE READING No Comments

Exploits | Threat analysis

Redkit Exploit Kit does the splits

April 5, 2013 - Exploit Kit authors must really love Java . Not only is it ripe with vulnerabilities but its own language provides a great platform to write and deliver malware in different ways. We are used to seeing encrypted payloads (XOR, AES encryption), applets containing both the exploit itself and the binary payload. Today we will talk...

CONTINUE READING No Comments

ABOUT THE AUTHOR

Jérôme Segura
Lead Malware Intelligence Analyst

Security researcher with a focus on malvertising, exploits, and scams. French; appreciates wine, bread, and cheese.

CATEGORIES

101 Cybercrime Malwarebytes news Security world Threat analysis

TOP POSTS