Early bird prices are coming to an end soon... ⏰ Grab your tickets before January 17

This article was published on July 16, 2013

New OS X malware holds Macs for ransom, demands $300 fine to the FBI for ‘viewing or distributing’ porn


New OS X malware holds Macs for ransom, demands $300 fine to the FBI for ‘viewing or distributing’ porn

A new piece of malware is targeting OS X to extort money from victims by accusing them of illegally accessing pornography. Ransomware typically uses claims of breaking the law and names law enforcement (such as the CIA or FBI) to scare victims, but it is usually aimed at Windows users, not Mac users.

For those who don’t know, ransomware is malware which restricts access to the computer it infects, spamming the user with prompts that demand a ransom paid for functionality to be reinstated. Access is limited either by encryption or locking the system.

The security firm Malwarebytes first spotted this latest threat, noting that criminals have ported the ransomware scheme to OS X and are even exploiting a Safari-specific feature. The ransomware page in question gets pushed onto unsuspecting users browsing high-trafficked sites as well as when searching for popular keywords:

ransomware1

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

The address bar shows a URL clearly attempting to dupe the user: fbi.gov.id657546456-3999456674.k8381.com. The warnings, which appear to be from the FBI, tell the victim the following:

You have been viewing or distributing prohibited Pornographic content (Child Porno photos and etc were found on your computer)… To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.

Choosing to ignore the message doesn’t do much good as attempting to close the page will result in multiple prompts trying to keep the user there. Clicking the “Leave Page” button doesn’t work and neither does attempting to “force quit” the browser.

ransomware2

This is because the same ransomware page will load when starting Safari again as the malware in question leverages the browser’s “restore from crash” feature, which loads the last URL visited before it quit unexpectedly. Thankfully, the good guys at Malwarebytes have put together a YouTube video to explain how to remove the threat:

For those who fall for this or any other scheme, never pay the ransom. If you don’t know how, have a friend clean out your computer.

See also – Criminals push ransomware hosted on GitHub and SourceForge pages by spamming ‘fake nude pics’ of celebrities and Cybercriminals could make some $394K a month with malware that demands ransom from victims

Top Image Credit: Darren Deans

Get the TNW newsletter

Get the most important tech news in your inbox each week.