Some users of Apple iPhones, iPads and Macs have been getting strange wake-up calls and unsettling messages demanding a ransom for access to their devices. (Here's CNET's reporting of the earliest incidents.) As of now, these "attacks" seem to be confined to people in Australia and New Zealand. That might sound like good news if you don't live in either country, but other parts of the world could well be hit with copycat attacks once other criminals work out how this one was executed.
You have been targeted if any of your Apple devices display this message: "Hacked by Oleg Pliss. For unlock device YOU NEED send voucher code by 100 $/eur one of this (Moneypack/Ukash/PaySafeCard) to [email address]"
Do not panic and do not pay. Recovery may well be possible (see the notes below). These attacks appear to abuse the "lost device" mode of Apple's Find My iPhone feature, which lets anyone who can log in with your Apple ID credentials remotely lock your device and display a message on its screen. The likely route in is stolen usernames and passwords: the confinement of the incidents to one region suggests that credentials taken from a breach of some regional service are being reused against Apple IDs for this scam. There is no evidence that malware is involved, and these attacks are not related to the Cryptolocker-style ransomware that encrypts your data and demands payment for the decryption keys.
Regardless of where you live, this incident should serve as a wake-up call to Apple users who have not yet done the following:
- Turn on Apple’s 2-factor authentication for Apple ID credentials
- Establish a backup regime, using one or more of iCloud, iTunes and Time Machine
- Create a strong and unique password for your Apple ID, one you do not use for any other service
While Apple's "walled garden" approach to protecting your devices from bad stuff and bad people is an excellent model, it is we, the Apple users, who can sometimes be the weak link. Please take the time to do all three of the above.
ESET Senior Research Fellow David Harley has this to say about the value of Apple's 2-factor authentication for Apple ID credentials: "As far as I can ascertain, no-one in Australia or New Zealand who was using 2FA has had the problem." He points to Apple's knowledge base article for details of how to put this in place. I strongly second Mr. Harley's advice. As he notes:
"Essentially, this allows you to authenticate using a password, a 4-digit PIN (verification code) texted to a trusted device at each login, and also generates a 14-digit recovery key for emergencies. This might also be a good time to change your Apple ID password and ensure that you're not re-using a password that might have been compromised from another service."
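The "unique password" part of that advice is easy to nod along to and hard to verify by eye once you have a few dozen accounts. Here is a small Python audit, added to this post as an illustration and not a tool from ESET or Apple, that reads the kind of CSV export most password managers can produce (site, username, password columns; the column names and all of the sample rows are constructed for the example) and flags every account whose password is also used on another site, is too short, or draws on too few character classes. The 12-character and three-class thresholds are assumptions for the example, not Apple's rules.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export in the CSV shape most password managers produce.
# These are made-up accounts and passwords, not data from the incident.
SAMPLE_EXPORT = """site,username,password
appleid.apple.com,alice@example.com,Summer2013!
forum.example.net,alice,Summer2013!
bank.example.org,alice.w,T7#kq9!vLp2$mWz8
shop.example.com,alice@example.com,password1
"""

# Assumed thresholds for the example; tighten them to taste.
MIN_LENGTH = 12
MIN_CLASSES = 3  # out of: lowercase, uppercase, digit, other


def parse_export(text):
    """Parse a site,username,password CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    classes = 0
    classes += any(c.islower() for c in password)
    classes += any(c.isupper() for c in password)
    classes += any(c.isdigit() for c in password)
    classes += any(not c.isalnum() for c in password)
    return classes


def audit_credentials(rows, min_length=MIN_LENGTH, min_classes=MIN_CLASSES):
    """Return {site: [reasons]} for every account that needs a new password.

    Reuse is the finding that matters for an attack like this one: a password
    leaked from any one site unlocks every other account that shares it.
    """
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["site"])

    findings = defaultdict(list)
    for row in rows:
        site, pw = row["site"], row["password"]
        shared_with = sorted(s for s in by_password[pw] if s != site)
        if shared_with:
            findings[site].append("reused on " + ", ".join(shared_with))
        if len(pw) < min_length:
            findings[site].append(f"shorter than {min_length} characters")
        if character_classes(pw) < min_classes:
            findings[site].append(f"fewer than {min_classes} character classes")
    return dict(findings)


if __name__ == "__main__":
    report = audit_credentials(parse_export(SAMPLE_EXPORT))
    for site, reasons in sorted(report.items()):
        print(f"{site}: {'; '.join(reasons)}")
```

Run it against your own export and deal with any Apple ID entry that shows up under "reused on" first: a password leaked from some forum is exactly what lets a stranger sign in to Find My iPhone as you, and no amount of length or complexity helps once the password itself is in the attacker's hands.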
Apple Australia has also suggested contacting AppleCare or visiting an Apple Store if necessary. The company has reportedly stated that a breach of iCloud is not responsible for this rash of incidents. Regardless of which hemisphere you are in, if you get a ransom message on any Apple device I suggest you head straight to the nearest Apple Store. Apart from anything else, this will help Apple learn more about the problem.
For people who have been affected and cannot get into their devices, you can try to erase the device and reset its passcode using recovery mode. Note that this wipes whatever is on the device, so anything not in a backup is lost; proceed with caution. Here is how Apple describes the procedure for people who haven't synced with iTunes, don't have Find My iPhone set up, or can't restore from an iTunes or iCloud backup via their own computer:
- Disconnect all cables and turn off the device.
- Press and hold the Home button while connecting the device to a computer running iTunes, and keep holding it until the "Connect to iTunes" screen appears.
- iTunes should then report that it has found a device in recovery mode and offer to restore it.
As Harley has noted, there have not yet been any reports of anyone actually paying the ransom demand, but there is no reason to assume that the criminal would restore your access to the affected device(s) if you did. You may well find that even if you pay, you still have to do what amounts to a factory reset.