MacOS Ransomware with EFI Lock

Explanation

It seems that it is not a virus or a hack on your computer. The message that is shown can be set when you lock your device from iCloud (Find My Phone).

So it seems that Apple has an iCloud backdoor or something like that. With the password alone it would not be possible to log in to iCloud, because two-factor authentication is activated. So the attackers really have access to your iCloud, but not directly to your local computer.

The iCloud account of my mum is from April 2017, so it is not just an old iCloud hack.

Most likely it is because of the following iCloud hack:

Hackers: We Will Remotely Wipe iPhones Unless Apple Pays Ransom (Vice, Mar 21 2017)

Solution

If the same happened to you, you have to take your Apple device to the nearest Apple Store together with your receipt. The receipt proves that you are the owner of the device, so the Apple Store is able to unlock it.

For security reasons I recommend resetting your password and activating two-factor authentication.

If you have a 2011 MacBook, the PRAM / NVRAM wipe could work for you too, but you have to do it at your own risk.


As you mentioned, this does not seem like a real ransomware attack. Most ransomware out there, including the latest WannaCry and NotPetya, at least has good file encryption mechanisms. But you mentioned that the files were not really encrypted, so I would not classify it as ransomware.

Since a ransomware's prime objective is to make money (it is debated that some of the recent variants exist more as DoS attack tools than for ransom collection -- but I won't get into that) they will usually leave a bitcoin address where you could make a payment to them to get a unique decryption key.

The modus operandi of this infection does not really coincide with that of a ransomware. This seems more like a hoax to annoy users by locking them out of their machines.

Aside

Perhaps I will try writing an email to the address you mentioned and see if they ask for a ransom amount to "fix" my computer. Since they are pretending to be "Apple" (they are doing a bad job at it too, since the domain is gmx.com, a German service offering free email accounts), they are more likely looking to cheat unsuspecting users out of some money. For example, think of the fake "Microsoft Service Support" calls that (usually elderly) people receive that ask for a remote connection to their machine, show fake "infections" by color coding some DOS commands and ask for ~$300 to fix it. It's an unsophisticated social engineering attempt, but it works on people not very familiar with their computers.