When ransomware strikes, it's hard not to panic. A ransomware attack may cause your Mac to shut down and then restart into a lock screen. A message appears, demanding ransom to provide a six-digit unlock code, which can’t be bypassed. This can occur even with two-factor authentication enabled.
Crackers appear to be making use of passwords from other sites that have had password breaches in the past—and iCloud accountholders re-use those passwords with their iCloud account. With Find My Mac enabled and your password, a criminal can log into iCloud.com and use Find My Mac (even without confirming with a second factor) to put your Mac into Lock mode with a six-digit code they create. Lock mode restarts a Mac into Recovery and locks out a normal boot.
Paying the ransom is inadvisable, because not all extortionists honor the terms, and there’s a workaround. I recommend the following:
Bring your Mac to any Apple authorized service center—Apple Stores and third parties—as they can unlock it from Lost mode if you provide proof of purchase.
Even before you take your Mac in, change your password for iCloud.
Enable two-factor authentication if you haven’t already. It doesn’t help with this crack, but will prevent any further access to your account if someone obtained the password.
iOS isn’t susceptible to this with its Lost Mode in Find My iPhone/iPad, unless you have no passcode set. In that case, a criminal can set a four-digit code and lock you out of your phone or tablet.
If this attack seems familiar, it’s because it was previously used in 2014.
Ask Mac 911
We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to email@example.com including screen captures as appropriate. Mac 911 can’t reply to—nor publish an answer to—every question, and we don’t provide direct troubleshooting advice.