Ransomware Kalunga Russia iCloud Hack

My iCloud account was hacked by a source supposedly from Kalunga, Russia. My MacBook Pro and iMac desktop both show a lockout screen on startup and ask for a four-digit PIN on my MacBook and a six-digit PIN on my iMac desktop. It says to email apple.device@gmx.com.


There are reported fixes on Reddit stating that resetting the PRAM / NVRAM by rebooting three times with the OPTION COMMAND P R keyboard combination will unlock the computer. I tried this and it does not work.


macosx - MacOS Ransomware with EFI Lock - Information Security Stack Exchange


Obviously someone has figured out how to hack into iCloud accounts bypassing two-factor identification. This is a serious problem and Apple seems to be ignoring it, as there is no information from Apple as to how to fix the problem or prevent iCloud accounts from being hacked. I assume Apple does not want to admit to security weaknesses.


If anyone has any information about this please post.


Message was edited by: mirvine1

MacBook, Mac OS X (10.5.4), MacBook / PowerBook G4 / iBook / iMac G3's / Airport Express / As

Posted on Aug 5, 2017 8:12 AM


53 replies
Question marked as Top-ranking reply

Sep 20, 2017 7:26 AM in response to Ammmpt

It's a firmware lock. Apple will not provide a solution, due to the fact that it is supposed to work like this. They can't get to your data. The only thing is you can't either, due to the firmware lock.


The only thing you can do is bring the original receipt and go to an Apple store. They will get a new firmware code and this will unlock your device.

Sep 21, 2017 6:21 PM in response to asdfasfwefwef

I find it very improbable that the hackers "guessed" my password or phished it from me... this has to be either an Apple authentication weakness or they somehow are intercepting login details from the official Apple sites/server.


But yet that is the only way this could have happened to you.


They *had* your Apple ID AND password. Signing in to iCloud.com, as described by me earlier in this conversation, with screenshots, on a 2FA-enabled Apple ID allows one to bypass the verification code field and get to Find My Device. There, you can place a firmware lock on a Mac, or enable Lost Mode on an iOS device.


I find it improbable that you are the first victim of an Apple account server hack, as you suggest. I would think a hack of Apple IDs and passwords, à la Equifax, Yahoo, etc. would have been in the papers.


The prevention of this is to not enable Find My Mac if you don't also have a firmware password in place. If there is one present, this "hack" can't be utilized.

Sep 21, 2017 2:23 PM in response to mirvine1

Same happened to me. Received a notification on my iPad that someone from Kaluga, Russia was attempting to access my iCloud and I hit "deny"... A few minutes after that my iMac powered down and came up with a lock screen asking for a 6 digit PIN, and displaying an official-looking but fake email address to contact. I had two-factor authentication enabled, that's how I knew the attempt took place from Kaluga, Russia because the two-factor authentication popup on my iPad showed it to me on a map and I pushed "deny" but they have evidently found a way past it. I created this iCloud account just a couple weeks ago, used a secure password with random letters and numbers, and have not entered my iCloud password anywhere except the official Apple website and in iTunes and on my iPad. I find it very improbable that the hackers "guessed" my password or phished it from me... this has to be either an Apple authentication weakness or they somehow are intercepting login details from the official Apple sites/server.

Sep 13, 2017 12:40 PM in response to mirvine1

This exact thing has happened to me as well on my Mac at home. I also have 2-factor authentication. I have been on the phone with Apple technical support multiple times. They have turned it over to their engineering department as highest priority, as it does seem to be a new hack through iCloud. There is no longer a button in my iCloud to unlock or do anything to my Mac other than play a sound to locate it or remove it from the account.

Sep 21, 2017 2:20 PM in response to mirvine1

Same happened to me. Received a notification on my iPad that someone from Kaluga, Russia was attempting to access my iCloud and I hit "deny"... A few minutes after that my iMac powered down and came up with a lock screen asking for a 6 digit PIN, and displaying an official-looking but fake email address to contact. I had two-factor authentication enabled, that's how I knew the attempt took place from Kaluga, Russia because the two-factor authentication popup on my iPad showed it to me on a map and I pushed "deny" but they have evidently found a way past it. I created this iCloud account just a couple weeks ago, used a secure password with random letters and numbers, and have not entered my iCloud password anywhere except the official Apple website and in iTunes and on my iPad. I find it very improbable that the hackers "guessed" my password or phished it from me... this has to be either an Apple authentication weakness or they somehow are intercepting login details from iTunes/iCloud or the Apple website.

Sep 22, 2017 2:51 PM in response to mirvine1

I just experienced the same thing with my husband's iPhone. My daughter was on her iPad, which is on the same account as my husband's, and it popped up that someone in Russia was trying to use it, and he pushed "not allowed". Then his phone was put into lost mode, along with my other daughter's iPad, with a passcode. It was weird that the iPad my daughter was on wasn't put into lost mode. All 3 devices are on the same account. We couldn't get into his iCloud at first; the password was changed. Then, after we finally did, we turned off lost mode and had to erase it to get the passcode off. After we did that to the phone, the passcode disappeared on the iPad without erasing it. Then we went to restore the phone; after we did, we noticed everything was gone from his iCloud. They erased it and all the backups were gone and there is nothing on his iTunes. I was not happy when I came home to find out it happened and he had emailed the people that did it from my computer. I hope there is nothing on it; he used my e-mail that I only use for a few specific important things. So I didn't pay attention to who sent the e-mail to me and opened it on my phone.

Oct 4, 2017 2:05 PM in response to mirvine1

Something similar happened to me October 2. My iPhone alarm to wake me up didn't go off, so I checked my iPhone and the first display on the screen was that it was put into lost mode. The message said to contact an email, which was made to look like an Apple email but it wasn't; it ended with @post.com. I cancelled that and entered my iPhone PIN, and then a notification screen appeared requesting access to my Apple ID/iCloud account for use in Russia (not where I was). I clicked don't allow. I use two-factor authentication for account security. I also had 2 emails from FMiP saying my iPhone was put into lost mode and then it was found, both sent at the same time stamp after I was sleeping. I had 1 email saying my Apple ID was used to sign into iCloud via a web browser, same time stamp as the 2 FMiP emails.



I contacted Apple today to verify account security and they said my account was not breached and was secure. I'm calling BS on that, as my iPhone was put into lost mode and an email was sent saying my iCloud was accessed after I was sleeping.


How was that possible, since I had 2-factor authentication enabled?

Aug 5, 2017 12:44 PM in response to mirvine1

If this happened to you, they knew both your Apple ID and password. No other way for it to happen. It is/was not a hack of iCloud.


If you go to icloud.com and use your Apple ID AND your current password for a 2FA enabled account, the prompt for the verification code will pop up. You will also see an icon for Find My Device, which can be used without the verification code.


This allows users to place their devices in Lost Mode or for a Mac, add a firmware password, without the verification code. Just click the Find My ... icon.




This is not a hack. You can't do this without the password.



This is a firmware password that was placed on your Macs. You should have received an email when it happened and your Macs rebooted spontaneously.



There is no workaround. You must present your Macs at an AASP or ARS with your proof of ownership and they will unlock them.



Use a firmware password on your Mac - Apple Support


There are reported fixes on Reddit stating that resetting the PRAM / NVRAM by rebooting three times with the OPTION COMMAND P R keyboard combination will unlock the computer. I tried this and it does not work.

Not any more. In previous, less secure versions of OS X, this was possible.
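The risk described in this answer and in the Sep 21 reply above is the combination of Find My Mac being enabled while no EFI firmware password is set: with only the Apple ID password, Find My can be reached from iCloud.com and used to place a firmware lock. The script below is an added example written for this thread, not code from Apple or from any poster. It parses the output of macOS's `firmwarepasswd -check` ("Password Enabled: Yes"/"No") and checks `nvram -p` for the `fmm-mobileme-token-FMM` variable, which is assumed here to be present when Find My Mac is on (verify this on your own system). The parsing functions take the command output as a string, so they can be exercised with constructed samples on any POSIX shell; the live call at the bottom only runs on macOS as root.

```shell
#!/bin/sh
# Added example, not from the thread: audit whether a Mac has Find My Mac
# enabled without an EFI firmware password, which is the exposure the
# answers above describe. Assumes the macOS tools `firmwarepasswd` and
# `nvram`; the NVRAM variable name is an assumption to verify locally.

# Returns success when `firmwarepasswd -check` output reports a password.
firmware_password_enabled() {
  case "$1" in
    *"Password Enabled: Yes"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns success when `nvram -p` output contains the Find My Mac token
# (assumed variable name fmm-mobileme-token-FMM).
find_my_mac_enabled() {
  case "$1" in
    *fmm-mobileme-token-FMM*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify the pair of outputs:
#   AT-RISK      Find My Mac on, no firmware password (remote lock possible
#                with the Apple ID password alone)
#   PROTECTED    Find My Mac on, firmware password already set
#   NOT-EXPOSED  Find My Mac off
assess() {
  fw_out="$1"
  nv_out="$2"
  if find_my_mac_enabled "$nv_out"; then
    if firmware_password_enabled "$fw_out"; then
      echo "PROTECTED"
    else
      echo "AT-RISK"
    fi
  else
    echo "NOT-EXPOSED"
  fi
}

# Live check on a Mac (firmwarepasswd needs root); a no-op elsewhere.
if [ "$(uname 2>/dev/null)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
  assess "$(firmwarepasswd -check 2>/dev/null)" "$(nvram -p 2>/dev/null)"
fi
```

Run it with `sudo sh audit_fmm.sh` on the Mac in question; an `AT-RISK` result means the mitigation the answer recommends (set a firmware password, or turn Find My Mac off) has not been applied.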

Aug 12, 2017 3:46 AM in response to Winston Churchill

I had the exact same hack done to me last night. Same thing, saw a weird trying to access my iCloud. Said don't allow, reset my password, didn't think anything else of it. In the morning my work iMac was locked, with a @GMX email address there. And my older laptop was also locked (going to try the PRAM reset as it's an older laptop (2009)). Took my work iMac into AppleCare to get it unlocked.


I've since set up 2FA, it wasn't set up last night, but I don't use my iCloud password on any other devices and I'm pretty vigilant for phishing scams.


This is happening to other people right now as well.


Locked Macbook and Hacked appleID

Aug 13, 2017 9:50 AM in response to LACAllen

To expand on this answer: what @LACAllen is trying to get across is that with only your password, someone can log in to the iCloud.com website and turn on 'Lost Mode'. You can turn it off as long as you still have the correct password. To see how to turn it off, look at Find My iPhone: Use Lost Mode, see 'Turn off Lost Mode...'.



On another note please see If you think your Apple ID has been compromised - Apple Support as it states 'Your device was locked or placed in Lost Mode by someone other than you.'

Aug 11, 2017 7:03 AM in response to Winston Churchill

Sorry, but you are wrong. I have two-factor ID enabled. The hackers were able to access my iCloud and bypass the two-factor ID process, i.e. I did not reply to a six-digit code being sent to my iPhone.


Furthermore, the only way they could have my iCloud user name and password was to have hacked my MacBook iCloud while I was on the internet and fished it out of my Contacts. I have never downloaded anything from BitTorrent.
