You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

💡 Did you know?

⏺ If you can't accept iCloud Terms and Conditions... Learn more >

⏺ If you don't see your iCloud notes in the Notes app... Learn more >

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Ransomware Kalunga Russia iCloud Hack

My iCloud account was hacked by source supposedly from Kalunga Russia. My MacBook Pro and iMac desktop both show a lockout screen on start up and ask for a four digit PIN on my MacBook and a six digit PIN on my iMac Desktop. It says to email apple.device@gmx.com


There are reported fixes on REDDIT stating that resetting the PRAM / NVRAM by rebooting three times with the OPTION COMMAND P R keyboard combination will unlock the computer. I tried this and it does to work.


macosx - MacOS Ransomware with EFI Lock - Information Security Stack Exchange


Obviously someone has figured out how to hack into iCloud accounts bypassing two factor identification. This is a serious problem and Apple seems to be ignoring it as there is no information form Apple as to how to fix the problem or prevent icon accounts from being hacked. I assume Apple does not want to admit to security weaknesses.


If anyone has any information about this please post.


Message was edited by: mirvine1

MacBook, Mac OS X (10.5.4), MacBook / Powerbok G4 / iBook / iMac G3's / Airport Express / As

Posted on Aug 5, 2017 8:12 AM

Reply
Question marked as Top-ranking reply

Posted on Aug 5, 2017 12:44 PM

If this happened to you, they knew both your Apple ID and password. No other way for it to happen. It is/was not a hack of iCloud.


If you go to icloud.com and use your Apple ID AND your current password for a 2FA enabled account, the prompt for the verification code will pop up. You will also see an icon for Find My Device, which can be used without the verification code.


This allows users to place their devices in Lost Mode or for a Mac, add a firmware password, without the verification code. Just click the Find My ... icon.


User uploaded file


This is not a hack. You can't do this without the password.



This is a firmware password that was placed on your Macs. You should have received an email when it happened and your Macs rebooted spontaneously.


User uploaded file

There is no workaround. You must present your Macs at an AASP or ARS with your proof of ownership and they will unlock them.

User uploaded file


Use a firmware password on your Mac - Apple Support


There are reported fixes on REDDIT stating that resetting the PRAM / NVRAM by rebooting three times with the OPTION COMMAND P R keyboard combination will unlock the computer. I tried this and it does to work.

Not any more. In previous, less secure versions of OSX, this was possible.

53 replies

Aug 13, 2017 6:14 PM in response to mirvine1

This happened to me overnight. apple support had me reset my phone from iTunes and attempt to erase it as well as turn off lost mode but all will not occur until my phone connects to the internet-which i cannot do because my phone is locked-any assistance anyone can offer? Spent at least 4 hours on the phone with apple minimum still no resolve.

Aug 13, 2017 6:17 PM in response to LACAllen

That's the weird thing is i am connected to cellular data-but we were doing it from my iPad which is not on my cellular network so maybe that's why it needs wifi? I'm not sure. I have access to my iPad now, Apple ID and I cloud. It's just my cellphone that I cannot unlock. If I type in my passcode it says it's wrong and disables my phone for 15 min

Aug 15, 2017 8:17 AM in response to mirvine1

Same thing happened at my office. We saw someone trying to remote in from kalunga russia on a co-workers laptop while in a meeting and she hit deny access. her computer immediately restarted and the locked page showed up on both her computer and phone. she had 2step activated and it was the only place she used the password. she has never given her password to anyone because she has Icloud password login enabled. watching it happen i have to agree and say somehow hackers found a vulnerability very recently because while researching this most of the kalunga hacks started in July.

Aug 16, 2017 5:43 AM in response to lilacien

lilacien wrote:


Well time will tell as more people "suddenly" don't know how to protect their devices.

Sorry, that's just more nonsense.


If you set a strong password, don't use it for anything else and don't disclose it, you are really pretty much secure.


However, having done so, if you want to protect against the unlikely scenario of someone being able to guess your password and lock your device, just ensure you've already set a lock, so the lock that gets applied to your device is one you already know. Admittedly setting a firmware lock on a Mac is a little more complicated than setting a screen-lock on a phone, but it still only takes a few minutes.

Aug 16, 2017 6:14 AM in response to Winston Churchill

Winston Churchill wrote:


However, having done so, if you want to protect against the unlikely scenario of someone being able to guess your password and lock your device, just ensure you've already set a lock, so the lock that gets applied to your device is one you already know. Admittedly setting a firmware lock on a Mac is a little more complicated than setting a screen-lock on a phone, but it still only takes a few minutes.


Although it's definitely a good idea from a security perspective to set a firmware password on a Mac, this does not protect it in any way against being locked remotely via iCloud or the (now inaccurately-named) Find my iPhone app on iOS. A Mac with a firmware password and Find My Mac turned on can still be remotely locked with a separate code, remotely erased, etc. The only thing that is required, in the case of the Find my iPhone app, is the account username and password.

Aug 16, 2017 6:47 AM in response to thomas_r.

I spoke with Apple About this and was told that locking my Mac through find my phone when a firmware password had been set would use the same code, I haven't tried this as yet since setting such a password involves shutting down my Mac which I don't wish to do right now (I have a strange GPU issue which means restarting the Mac is a painful experience). I assume you are saying this is incorrect.

Aug 16, 2017 7:42 AM in response to mirvine1

Even tying to turn off list mode from iCloud was unsuccessful because it stated the phone was still locked. I was atrempting to erase my phone thru iCloud but t said I must be connected to the internet which obviously I couldn't do with my phone locked and for some reason it wouldn't off cellular data but anyway long and short I had iCloud open on my pc plugged in my phone with iCloud open and the master erase began to process and I was able to restore my phone

Aug 23, 2017 12:33 PM in response to mirvine1

Hello,


just for information, when 2FA is turned on nobody can access your privat files with the username and password, but they can mark your iPhone, Mac etc as stolen and lock them, when somebody get an a login information and a 2FA code on the iPhone, Mac etc then don't allow this, and change your password, but you have to do a login at icloud.com with the new password and at the bottom of the page click on "lock all browsers out". If you doesn't do that then the hacker stays in your account.

And just to repeat this the Hacker can't access your privat files without the 2FA code when 2FA is enabled.



Thanks

Aug 31, 2017 7:27 AM in response to lilacien

Exact same thing happened to me. I had 2FA activated and received a message on my phone someone was trying to access my account from a browser from Kahluga and I immediately responded do not allow. I then started receiving emails that all my apple devices were lost and then locked. I immediately changed my password and was able to get back into my iPad, watch and phone, but my iMac is a different story. The screen is locked with a grey screen, access code boxes, and a message that gives a message to email to unlock.device@mail.com. I tried this and got an automated response telling me to pay $50 in botcoins to reactivate my device. I spent a couple of hours on the phone with apple support. I have another computer (HP) at home and logged in through it into my iCloud account, selected my devices, the iMac, and (with Apple support remotely viewing and telling me to do all of this)....the unlock and erase buttons were grayed out, so "unlock" cannot be selected. The only selection remaining for the iMac is play a sound. Needless to say, at this point technical support is turning over to their engineering department. I am waiting on a solution!!

Sep 13, 2017 12:40 PM in response to mirvine1

This exact thing has happened to me as well on my Mac at home. I also have the 2 Factor authentication. I have been on the phone with Apple technical support multiple times. They have turned it over to their engineering department as highest priority, as it does seem to be a new hack through iCloud. There is no longer a button in my iCloud to unlock or do anything to my Mac other than play a sound to locate or remove from account.

Sep 20, 2017 7:26 AM in response to Ammmpt

It's a firmware lock..Apple will not provide a solution. Due to the fact that it is suppost to work like this. They can't get to your data. The only thing is you can't either due to the firmware lock.


The only thing you can do is bring the original reciept and go to an Apple store. They will get a new firmware code and this will unlock your device.

Ransomware Kalunga Russia iCloud Hack

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.