
jparker402

macrumors 6502a
Original poster
Jun 7, 2016
560
54
Bellevue, NE
Have had my new MacBook Pro 14 just a few weeks now, and just had a ransomware attack about two hours ago. Was happily browsing on Safari when a warning took over the screen that my computer had been taken over and whoever this was could help if I didn't turn off the warning but immediately contacted them at a 800 something phone number. Naturally (I guess) I tried to back out (to no avail) and ultimately shut down the computer. I restarted it okay, and then ran Malwarebytes (free version) which showed nothing. My questions are how can that happen when I am not really logged in to anything except Safari browsing, why can't I back out of it, and how can it not show up on Malwarebytes? And, most important I guess, is how do I preclude this again?
 

chrfr

macrumors G5
Jul 11, 2009
13,709
7,280
Have had my new MacBook Pro 14 just a few weeks now, and just had a ransomware attack about two hours ago. Was happily browsing on Safari when a warning took over the screen that my computer had been taken over and whoever this was could help if I didn't turn off the warning but immediately contacted them at a 800 something phone number. Naturally (I guess) I tried to back out (to no avail) and ultimately shut down the computer. I restarted it okay, and then ran Malwarebytes (free version) which showed nothing. My questions are how can that happen when I am not really logged in to anything except Safari browsing, why can't I back out of it, and how can it not show up on Malwarebytes? And, most important I guess, is how do I preclude this again?
This sounds like you got a pop up, fake notification that your computer was attacked by ransomware. If the computer starts up fine and your data is still there, your computer didn’t get locked. If you actually called the number and provided any financial or personally identifiable data, you need to contact those financial institutions and tell them that you may have been scammed.
 

unrigestered

Suspended
Jun 17, 2022
879
840
I'm no expert, but I'd guess it was a simple pop-up that went through.
Ad-blockers might have stopped this from coming up, but I think you should be fine if you didn't click anything on that pop-up and just quit Safari with Cmd+Q.
If Malwarebytes didn't find anything, that's a good sign.

To make sure, you could also check your /Library/LaunchAgents, /Library/LaunchDaemons/ and similar directories inside your home folder for suspicious plists (especially those that might coincide with the date of your encounter).
Also check Safari for new Safari extensions, or new Launch Objects inside your System Preferences -> Users & Groups, that you haven't put there yourself, even if they might have an unsuspicious name, such as Finder.
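The directory check suggested in the post above, as an added example that is not part of the original thread. The function names, the `SCAN_DAYS` variable and the script name are hypothetical, and `$HOME/Library/LaunchAgents` is an assumption about which home-folder directory is meant.

```shell
#!/bin/sh
# Added example (not from the thread): list launchd property lists that
# changed recently, so they can be compared with the date of the pop-up.

# Directories named in the post; the per-user path is an assumption about
# what "similar directories inside your home folder" refers to.
LAUNCH_DIRS="/Library/LaunchAgents /Library/LaunchDaemons $HOME/Library/LaunchAgents"

# recent_plists DAYS DIR...
# Prints, one per line, every *.plist directly inside the given directories
# whose modification time falls within the last DAYS days.
recent_plists() {
    days=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue    # a missing directory is normal, skip it
        find "$dir" -maxdepth 1 -type f -name '*.plist' -mtime "-$days" -print
    done | sort
}

# scan_launch_items DAYS
# Runs recent_plists over LAUNCH_DIRS and, where plutil exists (macOS),
# prints each file's contents so Label and ProgramArguments can be read.
scan_launch_items() {
    # LAUNCH_DIRS is split on spaces on purpose; paths containing spaces
    # would need a different list format.
    recent_plists "$1" $LAUNCH_DIRS | while IFS= read -r plist; do
        echo "== $plist"
        if command -v plutil >/dev/null 2>&1; then
            plutil -p "$plist"
        fi
    done
}

# Run a scan only when asked, e.g.: SCAN_DAYS=2 sh check_launch_items.sh
if [ -n "${SCAN_DAYS:-}" ]; then
    scan_launch_items "$SCAN_DAYS"
fi
```

An empty result means no plist in those directories changed inside the window; entries that do appear still need to be read, since legitimate software updates also rewrite these files.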
 

BB1970

macrumors 6502
May 19, 2009
449
1,209
That’s happened to my iPad. I just close and restart Safari and it’s gone. It’s nothing (albeit annoying).
 

chown33

Moderator
Staff member
Aug 9, 2009
10,999
8,887
A sea of green
Have had my new MacBook Pro 14 just a few weeks now, and just had a ransomware attack about two hours ago. Was happily browsing on Safari when a warning took over the screen that my computer had been taken over and whoever this was could help if I didn't turn off the warning but immediately contacted them at a 800 something phone number. Naturally (I guess) I tried to back out (to no avail) and ultimately shut down the computer. I restarted it okay, and then ran Malwarebytes (free version) which showed nothing.
The general term for this is "scareware".

My questions are how can that happen when I am not really logged in to anything except Safari browsing, why can't I back out of it, and how can it not show up on Malwarebytes? And, most important I guess, is how do I preclude this again?
The short answer to all these questions is: "The warning you received was lying."

If we treat the warning as a lie (a deliberate deception), and trust that Safari provides some protection from browser-based attacks, then everything else makes sense. Malwarebytes didn't find anything, because there was nothing to find (the warning was a lie).

You couldn't back out of it because JavaScript in most browsers is capable of blocking a "go back" action. You should still be able to close the window or tab, though. If the warning told you not to do this, it was lying.

One way to avoid this in the future is to not revisit the website where it just happened. Apparently, either their site has been compromised by someone who inserted scareware, or perhaps it's their own "feature" which supplements their income, i.e. the site itself is lying about its content.
 

KaliYoni

macrumors 68000
Feb 19, 2016
1,794
3,945
One way to avoid this in the future is to not revisit the website where it just happened. Apparently, either their site has been compromised by someone who inserted scareware, or perhaps it's their own "feature" which supplements their income, i.e. the site itself is lying about its content.
Another way malware, scareware, and viruses can spread is through ad banners.

Ad banners can be an attack pathway, even on mainstream websites, because ad space is commonly sold and filled by companies that have no affiliation with a website or the website's primary ad supplier. In other words, the ad space on your favorite website may be managed by Google's ad network. And in turn, Google may fill the space with ads Google sold or with ads sold by other ad networks, many of which are unscrupulous or uncaring about security.

----------
ETA: I have a utility, RansomWhere?, that was developed by a respected authority on Mac security, Patrick Wardle. It is not for everybody; if you are not prepared to interpret and allow/disallow the warnings it puts up, you probably are better off without it. But I like it and have been using it without any negative experiences for a long time.

Also, anybody who is relying solely on the built-in macOS security tools (XProtect, XProtectRemediator, Gatekeeper, and MRT) should not use any version of macOS prior to Catalina. Here's why:
and

Note that Apple is very opaque about which threats are stopped by the macOS tools. It is difficult to confirm or deny the extent to which macOS stops ransomware.
----------
ETA 2: Good advice from Howard Oakley.
"If this article does nothing else, please take the opportunity to check that your Macs are fully up to date and that their protection is functioning properly. Although that’s far from simple in macOS, you’ll find third-party tools like my own SilentKnight, silnite and XProCheck a good start. And they’re completely free to use, and have no annoying habits."
 

Beefbowl

macrumors regular
Mar 28, 2021
117
121
Ransomware tends to encrypt your data, drop a text file on your desktop with instructions on paying the ransom, and THEN put up a pop-up screen telling you that it’s encrypted your stuff. Not much point to telling you before the fact.

One other thing ransomware tends to do is delete itself before popping up the extortion message. It’s very rare for ransomware to still be on a system after the attack has happened, so a malware scan after it happens might legitimately find nothing. As long as your documents are still accessible, I agree with the folks telling you that it is likely a scam.
 

theorist9

macrumors 68040
May 28, 2015
3,881
3,060
Thank you everyone for the valuable information!
Also, in case you're not doing so already, you should run nightly backups to an external hard drive (and ideally, also have a backup in an off-site location in case of fire or theft). That will keep you protected in the (unlikely) event that you actually are subjected to ransomware--just disable the nightly backup (you don't want to copy over the ransomware and contaminate your backup), wipe your machine, and restore from the backup. It will of course also protect you from more mundane disasters, like if you lose your MBP outside of your home. I recommend Carbon Copy Cloner for this.
 

Fishrrman

macrumors Penryn
Feb 20, 2009
29,243
13,318
I reckon this was a "false alarm".

Keep using MalwareBytes.

I'd also suggest a good ad blocking app.
My recommendation is "AdGuard".
 