A1311 Ransomware

Got a customer who came in with an iMac that got ransomware. Boots up to unknown password and when I try to boot into startup manager it asks for passlock. Do you think I can solve this by reprogramming EFI or will it get locked back up after wifi connection?

IMG_0789.JPG
 


dukefawks

Administrator
Haha ransomware sure... You mean stolen iMac that got remotely locked. Remove $SVS tag from BIOS and change serial number. After that you can look up how Apple's DEP works, cause that is how this happens.
Do not just flash a dump from another machine, it will fuck up the ME region!
 

Gurmon

Member
I see a lot of this. Apple IDs get hacked and then your machines locked. The procedure to unlock through Apple is a nightmare. They want Photo ID + receipt with serial number. Suffice to say I just reprogram BIOS.
 
duke, this is a customer's iMac... look at the Apple ID (that's why I posted it): [email protected]

But anyway, removed the text after $SVS and cleared the PRAM. It didn't get locked back up. How would they change the Apple ID on the computer and lock it to a new one though?
 

dukefawks

Administrator
Then their Apple ID got hacked and someone locked it. Have them secure their Apple ID and check all their devices for keyloggers/viruses. Also all their email accounts, heck they should change all their passwords everywhere and credit cards. EVERYTHING is compromised probably.
 

dukefawks

Administrator
I dunno, they probably clicked on one of those emails to "verify" your Apple account. Nothing you can do about that but 2-factor auth and use common sense.
 