
Ransomware Kalunga Russia iCloud Hack

My iCloud account was hacked by a source supposedly from Kalunga Russia. My MacBook Pro and iMac desktop both show a lockout screen on startup and ask for a four digit PIN on my MacBook and a six digit PIN on my iMac Desktop. It says to email apple.device@gmx.com


There are reported fixes on REDDIT stating that resetting the PRAM / NVRAM by rebooting three times with the OPTION COMMAND P R keyboard combination will unlock the computer. I tried this and it does not work.


macosx - MacOS Ransomware with EFI Lock - Information Security Stack Exchange


Obviously someone has figured out how to hack into iCloud accounts bypassing two factor identification. This is a serious problem and Apple seems to be ignoring it as there is no information from Apple as to how to fix the problem or prevent iCloud accounts from being hacked. I assume Apple does not want to admit to security weaknesses.


If anyone has any information about this please post.


Message was edited by: mirvine1

MacBook, Mac OS X (10.5.4), MacBook / Powerbok G4 / iBook / iMac G3's / Airport Express / As

Posted on Aug 5, 2017 8:12 AM

Question marked as Best reply

Posted on Aug 5, 2017 12:44 PM

If this happened to you, they knew both your Apple ID and password. No other way for it to happen. It is/was not a hack of iCloud.


If you go to icloud.com and use your Apple ID AND your current password for a 2FA enabled account, the prompt for the verification code will pop up. You will also see an icon for Find My Device, which can be used without the verification code.


This allows users to place their devices in Lost Mode or for a Mac, add a firmware password, without the verification code. Just click the Find My ... icon.




This is not a hack. You can't do this without the password.



This is a firmware password that was placed on your Macs. You should have received an email when it happened and your Macs rebooted spontaneously.



There is no workaround. You must present your Macs at an AASP or ARS with your proof of ownership and they will unlock them.



Use a firmware password on your Mac - Apple Support


There are reported fixes on REDDIT stating that resetting the PRAM / NVRAM by rebooting three times with the OPTION COMMAND P R keyboard combination will unlock the computer. I tried this and it does not work.

Not any more. In previous, less secure versions of OSX, this was possible.

53 replies

Aug 12, 2017 3:46 AM in response to Winston Churchill

I had the exact same hack done to me last night. Same thing, saw a weird trying to access my iCloud. Said don't allow, reset my password, didn't think anything else of it. In the morning my work iMac was locked, @GMX email address there. And my older laptop was also locked. (Going to try the PR Ram reset as it's an older laptop (2009).) Took my work iMac into Apple Care to get unlocked.


I've since set up 2FA, it wasn't set up last night, but I don't use my iCloud password on any other devices and I'm pretty vigilant for phishing scams.


This is happening to other people right now as well.


Locked Macbook and Hacked appleID

Aug 13, 2017 9:50 AM in response to LACAllen

To expand on this answer: what @LACAllen is trying to get across is that with only your password someone can log in to the iCloud.com website and turn on 'Lost Mode'. You can turn it off as long as you still have the correct password. To see how to turn it off, look at Find My iPhone: Use Lost Mode, see 'Turn off Lost Mode...'.



On another note please see If you think your Apple ID has been compromised - Apple Support as it states 'Your device was locked or placed in Lost Mode by someone other than you.'

Aug 11, 2017 7:03 AM in response to Winston Churchill

Sorry but you are wrong. I have two factor ID enabled. The hackers were able to access my iCloud and bypass the two factor ID process, i.e. I did not reply to a six digit code being sent to my iPhone.


Furthermore the only way they could have iCloud user name and password was to have hacked my Macbook iCloud while I was on the internet and fished it out of my Contacts. I have never downloaded anything from bit torrent.

Aug 11, 2017 8:03 AM in response to mirvine1

If you are using the same user pass for your Apple ID as you are using for any other service and that service gets hacked, then you gave a hacker an opportunity to simply try those same credentials at Apple.


If you arrange with Apple beforehand an Apple Store may be able to remove the firmware lock. It's possible that the data is still available to you, if not hopefully you have a backup.

1-800-MY-APPLE

apple.com/contact

Aug 11, 2017 8:48 AM in response to Winston Churchill

As I stated in my original post, I received a message from Apple stating that someone was trying to access my iCloud from Kalunga Russia. I denied that access. I did not receive any two factor ID request at that time. Immediately after that my laptop went into lockout mode. I was able to access my iCloud from another computer at a different location and my laptop and desktop, which was never turned on during this episode, were both listed in iCloud as locked out. I changed my password immediately but my laptop and desktop remain locked out even though they no longer show as locked on iCloud. I use different IDs and passwords for every online account I have.



Aug 12, 2017 3:55 AM in response to Eric Weiner

I've since set up 2FA, it wasn't set up last night

I think people are missing the point here. What is happening has nothing to do with 2FA, it's not a 2FA failing or something that using 2FA can protect you from. The purpose of 2FA is to protect access to the data in your account, these malicious events are aimed at disabling your device.

Aug 12, 2017 11:19 AM in response to mirvine1

So it was a hack as I do not give out this information.


But yet they had it. Call it what you want. Use whatever phrase makes you happy.


This locking of your device can't happen without your Apple ID *AND* current password.


but how did they do this unless they hacked my MacBook or iCloud, the only two places I store this information ?

You are not locked out of your iCloud account are you? Why hack it and not take it over?

Aug 13, 2017 10:23 AM in response to LACAllen

No, you misunderstand what I'm getting at. My point is that as long as you still have the password to your Apple ID you can just log into iCloud.com and turn off 'Lost Mode'. You don't need the passcode created with 'Lost Mode'. It's stated in the article that was linked.

Aug 13, 2017 6:03 PM in response to LACAllen

This happened to me overnight. Apple support had me reset my phone from iTunes and attempt to erase it as well as turn off lost mode, but all will not occur until my phone connects to the internet, which I cannot do because my phone is locked. Any assistance anyone can offer? Spent at least 4 hours on the phone with Apple minimum, still no resolve.

Aug 13, 2017 6:14 PM in response to Miamoo0110

What happens when you enter your known passcode on the device itself?


If you have removed the passcode via iTunes, you may have removed the only way to resolve this. Now you must know your Apple ID and password, but not until your device is online.


until my phone connects to the internet, which I cannot do because my phone is locked. Any assistance anyone can offer?

This should not prevent your phone from using cellular data or connecting to a previous wifi network. Is the SIM card not in it?


Why can't you sign in to iCloud.com with your Apple ID and password?
