Faux FBI Ransomware Targeting OS X Users

The FBI alerted users about a strain of ransomware targeting Mac OS X machines.

The Federal Bureau of Investigation issued an alert yesterday warning users about a strain of ransomware purporting to come from the FBI that is targeting Mac OS X machines.

This time, the ransomware isn’t malware at all, but a website that uses JavaScript to load numerous iframes. The webpage requires victims to close each iframe before carrying on with their surfing. The site is more of a nuisance than anything, but attackers hope their victims will pay the ransom – $300 – before they realize that all of the iframes need to be closed to move on.

Victims are usually infected after browsing common websites, and/or querying popular search terms, according to the FBI’s Internet Crime Complaint Center (IC3) in a statement on Thursday.

As the user is being plagued by iframes, a pop-up warning appears. Much like previous strains of FBI-themed malware, this warning mimics the agency by using FBI.gov in the pop-up’s URL to make it seem more legit.
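The two traits the article describes (a flood of iframes the victim has to close one by one, and an FBI.gov-branded warning demanding a dollar "fine") can be checked for mechanically in a saved copy of a suspect page. The following scanner is an added example, not code from the article or from the FBI alert: it parses the HTML with the standard library, counts iframes, separates script text from visible text, and scores a handful of indicators. The iframe threshold, the extra `beforeunload`/repeated-dialog indicators (common browser-locker traits that the article itself does not mention) and both sample pages are constructed assumptions.

```python
# Added example (not from the article or the FBI alert): a heuristic scanner for
# saved HTML of a browser-locker page of the kind described above. It looks for
# the traits the article names (many iframes, an FBI.gov-branded warning with a
# dollar demand) plus a beforeunload trap and repeated dialogs, which are
# assumed, common locker traits. Thresholds and sample pages are constructed.
import re
from html.parser import HTMLParser


class LockerPageParser(HTMLParser):
    """Counts iframes and separates script text from visible page text."""

    def __init__(self):
        super().__init__()
        self.iframe_count = 0
        self.script_chunks = []
        self.text_chunks = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframe_count += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands <script> bodies to handle_data as raw text.
        (self.script_chunks if self._in_script else self.text_chunks).append(data)


def scan_page(html, iframe_threshold=5):
    """Return per-indicator booleans, a score and a verdict for one HTML page."""
    parser = LockerPageParser()
    parser.feed(html)
    script = "\n".join(parser.script_chunks)
    text = " ".join(parser.text_chunks)

    indicators = {
        # Article: the page loads "numerous iframes" the victim must close one by one.
        "many_iframes": parser.iframe_count >= iframe_threshold,
        # Assumed locker trait: a beforeunload handler that nags when the user tries to leave.
        "unload_trap": bool(re.search(r"onbeforeunload|['\"]beforeunload['\"]", script)),
        # Assumed locker trait: alert/confirm fired from a timer or loop.
        "repeated_dialog": (
            bool(re.search(r"\b(alert|confirm)\s*\(", script))
            and bool(re.search(r"\b(setInterval|setTimeout|while|for)\b", script))
        ),
        # Article: the pop-up uses FBI.gov (or IC3 branding) to look legitimate.
        "agency_branding": bool(
            re.search(r"fbi\.gov|internet crime complaint center|\bic3\b", text + " " + script, re.I)
        ),
        # Article: a $300 "fine" is demanded to unlock the browser.
        "ransom_demand": bool(re.search(r"\$\s?\d{2,4}\b|\bfine\b", text, re.I)),
    }
    score = sum(indicators.values())
    if score >= 3:
        verdict = "likely-locker"
    elif score >= 1:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"iframes": parser.iframe_count, "indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample of a locker-style page (inert: about:blank frames, no network).
SAMPLE_LOCKER = (
    "<html><head><title>Attention!</title>\n"
    "<script>window.onbeforeunload = function () { return 'Do not leave'; };</script>\n"
    "</head><body>\n"
    "<p>FBI.gov - Federal Bureau of Investigation. Your computer has been locked. "
    "Pay a fine of $300 to unlock it.</p>\n"
    + "<iframe src='about:blank'></iframe>\n" * 6
    + "</body></html>"
)

# Constructed benign page: a single embedded iframe and no lock traits.
SAMPLE_BENIGN = (
    "<html><head><title>Weather</title>\n"
    "<script>document.title = 'Weather - today';</script>\n"
    "</head><body><p>Welcome to the weather page.</p>\n"
    "<iframe src='about:blank'></iframe>\n"
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("locker", SAMPLE_LOCKER), ("benign", SAMPLE_BENIGN)):
        result = scan_page(page)
        print(name, result["verdict"], result["score"], result["indicators"])
```

Run it on a page saved from the browser (or fetched by a sandboxed crawler) rather than on a live tab; the verdict is a triage hint, and a single iframe or a legitimate mention of fbi.gov on its own only raises the page to "suspicious".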

The FBI points out that, since it isn’t malware per se, it’s easier to get rid of; the agency gives these instructions:

The simplest way to remove the ransomware’s iframes is to click on the Safari menu and choose “reset Safari,” making sure all check boxes are selected, or to hold down the Shift key while relaunching Safari. This will prevent Safari from reopening windows and tabs from the previous session. Victims can also disable the reopening feature across OS X from the General pane of System Preferences.

This type of malware surfaced in late May last year under the moniker of Citadel/Reveton and warned victims that the Department of Justice’s “Computer Crime & Intellectual Property Section” had identified them as having accessed illegal content. For $100, the victim could make the messages go away, but the malware would continue to lurk on the machine to commit online banking and credit card fraud.

The malware eventually incorporated the FBI’s IC3 in November, adapting Citadel and Reveton to appear more legitimate, warning victims that their computer activity was being “recorded by audio, video, and other devices,” according to an FBI advisory last year.

While a Microsoft sting largely disrupted the Citadel botnet last month, it’s clear some variants are still thriving and criminals are still devoting time to diversifying attack vectors.

Image via Malwarebytes Unpacked
