FBI Ransomware Now Targeting Apple’s Mac OS X users has received a lot of attention. Perhaps because we seldom hear about Mac users having to deal with malware; not that it does not happen because it certainly does. When it occurs, everyone wants to know about it.
Although this post is regarding Mac malware, just as a side note:
PC users need to be very careful, There is more mentioned in the Q&A section below.
It still manages to appear as though it did in fact block your computer and will generally be convincing enough to make you want to pay several hundred dollars to get your data back
Now, let’s answer your questions.
Q. Why did you call it ransomware for the Mac? It also works on Windows?
A. That is correct, it will run on pretty much all browsers Windows or OS X. However, Windows users are normally served a drive-by download and getting a full (and real) computer lock. Currently Mac users do not have to worry about that. The bad guys are using social engineering to convince you to "pay up".
Q. Does this ransomware actually infect my Mac? Is it an exploit?
Q. If I get rid of the ransom page, is my computer still infected after that?
A. At least for Mac users, once it’s closed, you’re good to go. Of course, doing a backup of your data, cleaning up of unused apps and files, and running security scan is always a good idea. Currently Windows users may have more to worry about. There is ransomeware for Windows which is very real, although, once again, the first iteration of that specific page appears to be exploit-free for both windows and Mac.
Q. Are Macs finally vulnerable to malware?
We always tell our clients. You are your first line of defense, your antivirus is just your assistant. There is malware out there for Mac, although nowhere near the amount for Windows. There were many more Windows computers than apple for a long time so the bad guys tend to target where they are going to get the best and fastest results Apple products are gaining in popularity. Guess what the bad guys are going to do.
Q. Does this work on other browsers as well, beside Safari?
A. Nothing really. The same code is published on multiple web developer forums. The bad guys simply copied, pasted it and made a few adaptations.
Q. How can I avoid this attack?
A. You can reduce the likelihood of it happening by avoiding sites serving pornography, torrents, game cracks, live streaming of copyrighted movies, etc. There is no guarantee you will avoid it but better surfing practices will greatly reduce your risk.
Q. Could this have been blocked by an anti-malware product?
A. Simply put. Probably not. This generally isn't a problem with your anti-malware product. More research on why not all malware / viruses not blocked can easily be found doing a Google search - too large a topic for this thread.
A. Are there ways of getting rid of the ransom page?
Q. Where are these sites hosted?
A. Malwarebytes has traced them back to an IP address (18.104.22.168) in Russia
A. Will this ransomware work on iOS?
Q. Not as far as we can see. Please remember this info is at the time of this post We tested it on an iPhone and iPad using the site's address and could not replicate the same behavior.