Posted by: David Harley | June 12, 2014

The Increasingly Strange Case of the Antipodean iOS Ransomware

[A shorter version of this article originally appeared on the ITsecurity web site.]

It’s not clear exactly what happened in the mysterious case of the Antipodean iOS ‘ransomware’ attack – in particular, why the only people affected initially seemed to be in Australia and New Zealand, though there have been subsequent reports of victims in the UK.

There’s a good blog/FAQ by Graham Cluley (who has done his usual excellent job of following the story) for Intego here, offering several possible thoughts as to what might have gone wrong, but most of them don’t really address the localization issue. The later arrests of two people in Moscow alleged to have carried out a similar attack against Russian iGadget users may shed more light on these events, but at the time of writing, as Thomas Reed has pointed out, there is no proven link between the two attacks on very different localities, so the question ‘why the Antipodes?’ remains unanswered.

The Australian attacks seem to use the “Lost iDevice” feature, and affected Apple devices displayed this message: “Hacked by Oleg Pliss. For unlock device YOU NEED send voucher code by 100 $/eur one of this (Moneypack/Ukash/PaySafeCard) to [email address]”

The Russian attacks seem to have been effected by setting up a phishing site in order to capture iCloud credentials, then using the access thus obtained to lock the devices. However, according to Reed, the message in this case translates to “Your device is locked in relation to the complaint. And can help you unlock it. Check your email!”

My colleague at IT Security, Kevin Townsend, wrote in a recent blog:

The problem with this scam is that there is no malware that Apple can block in the future: it is the business process rather than the device software that is hacked. That means that other hackers can use the same methods again and again in the future – and it is quite likely that there will be other copycat attempts in the future.

It’s not impossible that the same parties carried out both attacks using a similar modus operandi based on phishing and social engineering, of course, but I think it’s too early to assume that the case is all but closed. It could even turn out that there is in fact some issue that can be addressed by patching or some form of re-engineering, though I’ve no grounds for suspecting the existence of the kind of vulnerability that Apple has already dismissed as a possibility. Frankly, there just isn’t enough information at present. Either way, Kevin is certainly right to stress the importance of taking advantage of the precautionary measures that are currently available.

Irrespective of what part of the world you live in, the most important (hopefully) preventative measure is to enable Apple’s 2-factor authentication for Apple ID credentials – as far as I can ascertain, no-one in Australia or New Zealand who’d done this had the Oleg Pliss problem. See Apple’s knowledgebase article for details of how to implement it. Essentially, this allows you to authenticate using a password and a 4-digit PIN (verification code) texted to a trusted device at each login, and also generates a 14-digit recovery key for use in an emergency. This might also be a good time to change your Apple ID password and to ensure that you’re not re-using a password that might have been exposed by the compromise of another service.

Apple Australia has also suggested contacting AppleCare or visiting an Apple Store if necessary, and insists that an iCloud breach is not responsible.

Another colleague, Stephen Cobb, observed for WeLiveSecurity:

Regardless of where you live, this incident should serve as a wake-up call to Apple users who have not yet done the following:

  • Turn on Apple’s 2-factor authentication for Apple ID credentials
  • Establish a backup regime, using one or more of iCloud, iTunes, Time Machine
  • Create a strong and unique password for your AppleID

While Apple’s “walled garden” approach to protecting your devices from bad stuff and bad people is an excellent model, it is we, the Apple users, who can sometimes be the weak link. Please take the time to do all three of the above.

For people who have been affected, you can try to erase the device and its passcode using recovery mode. This is how the procedure is described for people who haven’t synched with iTunes, don’t have Find My iPhone set up, or can’t restore from an iTunes or iCloud backup via their own computer:

  • Disconnect all cables and turn off the device
  • Press and hold down the Home button while connecting to iTunes
  • When you do, iTunes should offer to restore the device.

Stephen noted:

Apple Australia has also suggested contacting AppleCare or visiting an Apple Store if necessary. The company has apparently stated that an iCloud breach is not responsible for this rash of incidents. Regardless of which hemisphere you are in, if you get a ransom message on any Apple device I suggest you head straight to the nearest Apple store. Apart from anything, this will help Apple learn more about the problem.

He also noted that there is no evidence that malware is involved and that the attacks are not related to more common types of ransomware that encrypt data and demand that the victims pay a ransom to get the decryption keys.

I don’t know of an instance where an Australian victim actually paid the ransom demand, but there’s no reason to assume that if they had the criminal would actually have restored the victim’s access to the affected device(s). It’s likely that victims might have paid and yet still had to do what amounts to a factory reset in order to get back the use of their iGadgets. Clearly, some Russian victims did pay up, since the alleged criminals were caught on CCTV withdrawing payments from those victims from an ATM.

Other links:

David Harley
Small Blue-Green World

