Public Service Announcement

Prepared by the Internet Crime Complaint Center (IC3)

July 18, 2013
FBI Logo

RANSOMWARE PURPORTING TO BE FROM THE FBI IS TARGETING OS X MAC USERS

In May 2012, the Internet Crime Complaint Center posted an alert about the Citadel malware platform used to deliver ransomware known as Reveton. The ransomware directs victims to a drive-by download website, at which time it is installed on their computers. Ransomware is used to intimidate victims into paying a fine to “unlock” their computers. Paying the fine does nothing to solve the problem with the computer; do not follow the ransomware instructions. The ransomware has been called “FBI Ransomware” because it uses the FBI’s name.

The newest version of ransomware targets OS X Mac users. This new version is not a malware; it appears as a webpage that uses JavaScript to load numerous iframes (browser windows) and requires victims to close each iframe. The cyber criminals anticipate victims will pay the requested ransom before realizing all iframes need to be closed.

The ransomware is pushed to victims’ computers when they browse common websites, specifically when they query popular search terms. Once the web browser is exploited, the victims’ computer displays a pop-up warning that appears to be from the FBI. Cyber criminals use “FBI.gov” within the URL to make the warning appear more legitimate.

Ransomware Screen Image
Malwarebytes Unpacked – Jerome Segura

As the FBI saw in 2012, the warning accuses victims of violating various U.S. laws and locks their computer. To unlock the computer and avoid legal issues, victims are told they must pay a $300 fine via a prepaid money card. Attempts to close the warning page results in additional messages that reappear each time victims try to close their web browser.

The simplest way to remove the ransomware’s iframes is by clicking on the Safari menu and choosing “reset Safari,” make sure all check boxes are selected, or hold down the Shift key while relaunching Safari. This will prevent Safari from reopening windows and tabs from the previous session. Victims can also disable the reopening feature across OS X from the General pane of System Preferences.


Ransomware messages are an attempt to extort money. If you have received a ransomware message do not follow payment instructions and file a complaint at http://www.ic3.gov/