What to do when ransomware strikes your Mac

Glenn Fleishman
25 October, 2017

When ransomware strikes, it’s hard not to panic. A ransomware attack may cause your Mac to shut down and then restart into a lock screen. A message appears, demanding ransom to provide a six-digit unlock code, which can’t be bypassed. This can occur even with two-factor authentication enabled.

Crackers appear to be using passwords exposed in past breaches of other sites, which iCloud account holders have re-used for their iCloud accounts. With Find My Mac enabled and your password in hand, a criminal can log into iCloud.com and use Find My Mac (even without confirming with a second factor) to put your Mac into Lock mode with a six-digit code they create. Lock mode restarts a Mac into Recovery and locks out a normal boot.

Paying the ransom is inadvisable, because not all extortionists honor the terms, and there’s a workaround. I recommend the following:

  • Bring your Mac to any Apple authorized service center—Apple Stores and third parties—as they can unlock it from Lost mode if you provide proof of purchase.
  • Even before you take your Mac in, change your password for iCloud.
  • Enable two-factor authentication if you haven’t already. It doesn’t help with this crack, but will prevent any further access to your account if someone obtained the password.

iOS isn’t susceptible to this with its Lost Mode in Find My iPhone/iPad, unless you have no passcode set. In that case, a criminal can set a four-digit code and lock you out of your phone or tablet.

If this attack seems familiar, it’s because it was previously used in 2014.
