2016: The year of Apple ransom scams

19 March 2016, 05:24

2016 may be a breakthrough year for ransom scams on Apple devices if a handful of recent examples are anything to go by.

In such scenarios an attacker takes control of an iPhone, iPad or Mac, and attempts to sell control back to the user for a fee typically in the hundreds of US dollars range. They might also threaten to wipe the device and, as an added incentive, the attacker might threaten to make public all the data they’ve locked away.

There are currently two methods being attempted to hold users to ransom.

The Transmission/KeRanger ransomware attack a few weeks ago (first reported here on Mac Kung Fu) might’ve been thwarted by the quick actions of Apple but it was a working proof-of-concept for Mac ransomware. It was the first such attack and, if past experience of the malware scene is anything to go by, others are certain to follow.

Had it worked, KeRanger would’ve encrypted all the user’s files and also their Time Machine backup. A message would’ve popped up asking for one BitCoin (circa $400) in payment for unlocking the files.

The fact Apple caught KeRanger was only down to the chance actions of Palo Alto Research, and there are no systems in place that mean Apple will definitely spot the next instance before it breaks out. Apple would like developers to use their Mac App Store, by which software is vetted and approved by Apple, but the App Store’s been hideously neglected over recent years – and Apple bans apps like Transmission anyway, so that wasn’t even an option here.

The ransomware used was modified code based on a similar Linux-based malware, and there are reports that the bad guys are offering “ransomware as a service” on the darknet. In other words, anybody can hire the necessary code and there’s little if any technical knowledge required.

Part of the proof of concept KeRanger demonstrated was showing how some of Apple’s existing defences failed. The Gatekeeper system is supposed to stop software being installed unless it’s from a verified developer but was overcome simply by use of a stolen certificate file. The malware attempted to encrypt a user’s Time Machine drive in order to stop the individual simply restoring from a backup. An attack on Time Machine like this should be impossible – but apparently it isn’t.

iCloud locking
Apple might be partially remiss in OS X’s defences against KeRanger but that’s nothing compared to their potential culpability in the upcoming tsunami of iCloud ransom lockouts which affect all Apple hardware – including iPhones and iPads.

Here’s an example from a recent Reddit thread:

My friend’s only Apple product is a mobile phone which he uses with an Apple ID which is not an @icloud account, but an @sohu account.

Apparently his account was hijacked (insecure password?) and the hijacker quickly turned on two step or two factor authentication. (Language issue, I can’t figure out which, but they are apparently two different things) and has likely changed the email address associated with the account and/or the security challenge questions.

Any tips on getting account back?

Thomas Reed at the Malwarebytes Lab blog describes something similar:

[The victim] also received an e-mail message, in similarly broken English, from her own iCloud address. The message said he had access to all her bank accounts, personal information, etc, and would publish it if she didn’t respond within 24 hours.

[ … ] the iMac is 6 years old, and she no longer has a receipt. Without proof of ownership, Apple won’t help her unlock it.

[ … ] with a ransom message displaying on the locked iMac, one would think that an Apple tech should have escalated this case to someone who could make a more informed decision.

The process used by the attacker is blissfully simple:

1. Obtain the user’s password using a phishing scam. Perhaps send an email asking them to reset their password and direct them to an official-looking page, for example. Most people won’t fall for it, of course, but it only takes one in a million to make it worthwhile.

2. Use the password to implement two-step security, then change the password and change the account’s email address too.

3. Activate iCloud’s Find iPhone’s Lost Mode to cause a message to pop-up on the user’s device showing the ransom message.

OS X on the Mac can be locked such that a numeric passcode needs to be entered – one that’s set by the hacker at iCloud.com once the account is compromised. In other words, the user is locked out of their own computer.

An iPad or iPhone can be registered as lost via the iCloud website, and a message shown, but can still be unlocked by entering the usual passcode for the device. However, as shown above with the example quoted on Reddit, the attacker enabling two-factor security can somehow bypass this and lock the user out of their device. (To be honest I haven’t experimented to discover precisely how this works for fear of locking myself out of my own devices.)

Notably, once an attacker has access to the iCloud password they can control each and every device or Mac owned by that user – and that undoubtedly is the huge Achilles’ Heel here.

What can be done?
Before you read another word, and if you haven’t already, head over to the AppleID site and enable two-step security. Do this now.

This will mean that nobody can log into the iCloud website, or do much of anything devastating, without a code that’s sent to one of your iOS devices or sent as an SMS to any cellphone.

Secondly, remember that Apple will never contact you asking you to change your password, or to tell you that you have a new email message. Always check the URL of any link sent to you in an email. Apple’s pages will always be signed, so that a padlock appears in the URL field. Click on this and ensure it’s actually an Apple certificate. If it’s anything else then walk away.
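The “always check the URL” advice above is easy to state and easy to get wrong, because a link can contain the text apple.com without pointing anywhere near Apple. The script below is an added example written for this post (not code from Mac Kung Fu or Apple) showing what such a check actually has to look at: the scheme, whether anything sits before an @ in the address, non-Latin lookalike letters, and the registered domain rather than the start of the hostname. The set of trusted domains and the sample links are constructed for illustration.

```python
"""Classify links from a suspected phishing e-mail as trusted or suspicious.

Added example for this post, not the post's own code. TRUSTED_DOMAINS is an
assumed allow-list for illustration; the sample URLs below are constructed.
"""
from urllib.parse import urlsplit

# Assumption: domains Apple controls that a legitimate reset link could use.
TRUSTED_DOMAINS = {"apple.com", "icloud.com"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'appleid.apple.com' -> 'apple.com'.

    Adequate for .com-style names; country-code suffixes such as 'co.uk'
    would need a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_verdict(url: str) -> str:
    """Return 'trusted' or 'suspicious: <reason>' for a single URL."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        # The post's padlock check can only ever pass for an https link.
        return "suspicious: not https"
    if not parts.hostname:
        return "suspicious: no hostname"
    if "@" in parts.netloc:
        # Everything before '@' is userinfo, not the host:
        # https://apple.com@evil.example/ actually goes to evil.example.
        return "suspicious: userinfo before host"
    if not parts.hostname.isascii():
        # A Cyrillic 'а' renders like a Latin 'a' in many fonts.
        return "suspicious: non-ASCII hostname"
    domain = registered_domain(parts.hostname)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # 'apple.com' appearing at the START of a hostname proves nothing;
    # only the registered domain at the END identifies the owner.
    return f"suspicious: registered domain is {domain}"


def triage(urls):
    """Map each URL to its verdict so a whole e-mail can be reviewed at once."""
    return {u: link_verdict(u) for u in urls}


# Constructed sample links of the kind a password-reset lure might carry.
SAMPLE_LINKS = [
    "https://appleid.apple.com/",
    "https://www.icloud.com/#find",
    "http://apple.com/reset",
    "https://apple.com.account-verify.example/login",
    "https://apple.com@evil.example/",
    "https://\u0430pple.com/",  # Cyrillic 'а' in place of Latin 'a'
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:45} {link}")
```

The certificate part of the author’s advice (click the padlock and confirm it is Apple’s certificate) is something the browser does for you once you have reached the page; this script covers the step before that, deciding whether the address is worth visiting at all. Only the last two hostname labels decide ownership, which is why `apple.com.account-verify.example` is flagged even though it begins with `apple.com`.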

I outlined some basic defences against a future KeRanger wannabe a week ago.

Other than that, however, all you can really do is cross your fingers and hope that Apple implements thorough systems to protect us from this kind of thing – and also tweaks the otherwise useful Find iPhone service to make it less handy for malicious interests.

To be fair, Apple has an excellent track record. For many years they’ve been way ahead of the crowd when it comes to security – the new System Integrity Protection in OS X El Capitan defines a new standard of file protection, for example, and in many key ways iOS devices were designed from the ground-up with security in mind.
