Ransomware Kalunga Russia iCloud Hack

If this happened to you, they knew both your Apple ID and password. No other way for it to happen. It is/was not a hack of iCloud.

If you go to icloud.com and use your Apple ID AND your current password for a 2FA enabled account, the prompt for the verification code will pop up. You will also see an icon for Find My Device, which can be used without the verification code.

This allows users to place their devices in Lost Mode or for a Mac, add a firmware password, without the verification code. Just click the Find My ... icon.

This is not a hack. You can't do this without the password.

This is a firmware password that was placed on your Macs. You should have received an email when it happened and your Macs rebooted spontaneously.

There is no workaround. You must present your Macs at an AASP or ARS with your proof of ownership and they will unlock them.

Use a firmware password on your Mac - Apple Support

There are reported fixes on REDDIT stating that resetting the PRAM / NVRAM by rebooting three times with the OPTION COMMAND P R keyboard combination will unlock the computer. I tried this and it does to work.

Not any more. In previous, less secure versions of OSX, this was possible.

I had the exact same hack done to me last night. Same thing, saw a weird trying to access my iCloud. Say don't allow, reset my password, didn't think anything else of it. In the morning my work iMac was locked, @GMX email address there. And my older laptop was also locked. (Going to try the PR Ram reset as it's a older laptop (2009)). Took my work iMac into apple care to get unlocked.

I've since set up 2FA, it wasn't set up last night, but I don't use my iCloud password on any other devices and I'm pretty vigilant for phishing scams.

This is happening to other people right now as well.

Locked Macbook and Hacked appleID

To expand on this answer. What @LACAllen is trying to get across is with only your password someone can login into iCloud.com website and turn on 'Lost Mode'. You can turn it off as long as you still have the correct password. To see how to turn it off look at Find My iPhone: Use Lost Mode see 'Turn off Lost Mode...'.

On another note please see If you think your Apple ID has been compromised - Apple Support as it states 'Your device was locked or placed in Lost Mode by someone other than you.'

Yes, that's incorrect. The passcode used by a remote Find my Mac lock is different from the EFI firmware password. In fact, there's some indication that they can conflict in an unpleasant manner in some cases. Note the mention of the EFI password here:

iCloud: Lock and track your device using Lost Mode

I suspect this has nothing to do with iCloud and that you were likely just too sloppy with your approach to security. Ransomware is typically downloaded alongside other software or invited onto the computer by the owner from an email. A favourite source of such ransomware is from downloading bit-torrent applications.

if you are using the same user pass for your Apple ID as you are using for any other service and that service gets hacked then you gave a hacker an opportunity to simply try those same credentials at Apple.

If you arrange with Apple beforehand an Apple Store may be able to remove the firmware lock. It's possible that the data is still available to you, if not hopefully you have a backup.

1-800-MY-APPLE

apple.com/contact

I've since set up 2FA, it wasn't set up last night

I think people are missing the point here. What is happening has nothing to do with 2FA, it's not a 2FA failing or something that using 2FA can protect you from. The purpose of 2FA is to protect access to the data in your account, these malicious events are aimed at disabling your device.

So it was a hack as I do not give out this information.

But yet they had it. Call it what you want. Use whatever phrase makes you happy.

This locking of your device can't happen without your Apple ID *AND* current password.

but how did they do this unless they hacked my MacBook or iCloud, the only two places I store this information ?

You are not locked out of your iCloud account are you? Why hack it and not take it over?

Thanks, but one small correction..

trying to get across is with only your password someone can login into iCloud.com website and turn on 'Lost Mode'.

This is your Apple ID's password.

You can turn it off as long as you still have the correct password.

This is your device's passcode.

2 different things.

No you miss understand what I'm getting at. What my point is as long as you still have the password to Apple ID you can just log into iCloud.com and turn off 'Lost Mode'. You don't need the passcode created with 'Lost Mode'. It stated in the article that was linked.

This happened to me overnight. apple support had me reset my phone from iTunes and attempt to erase it as well as turn off lost mode but all will not occur until my phone connects to the internet-which i cannot do because my phone is locked-any assistance anyone can offer? Spent at least 4 hours on the phone with apple minimum still no resolve.

What happens when you enter your known passcode on the device itself?

If you have removed the passcode via iTunes, you may have removed the only way to resolve this. Now you must know your Apple ID and password, but not until your device is online.

until my phone connects to the internet-which i cannot do because my phone is locked-any assistance anyone can offer?

This should not prevent your phone from using cellular data or connecting to a previous wifi network. Is the SIM card not in it?

What can't you sign in to iCloud.com with your Apple ID and password?