Ransomware Arrives on iOS Devices

Owners of iPhones and other iOS devices in Australia have fallen victim to ransomware attacks from hackers gaining control of their devices remotely. As is usual when a technique first hits the digital underground markets, it was only a matter of time.

With one caveat: it relies on password guessing rather than an actual piece of malware locking down the phone's storage or processor, as we've seen with better-known examples such as the original CryptoLocker.

First surfacing in late 2013, ransomware has quickly become the go-to option for hackers worldwide who are ready to pounce on a fresh, steady source of income that basically works like an ATM if you know how to intimidate someone just right.

If the proliferation of this style of malware has shown us anything, it’s that the majority of those who eventually pay the hefty upfront fine are essentially learning a required lesson the hardest way you can: always have a backup, because this is what can happen.

Unfortunately, sometimes it's simply a matter of demographics and tech ignorance that add up to an easy payday for these hacking circles. Seniors and the less-than-computer-savvy may not know that you can back up files online, and effectively strap a neon target sign to their own backs when they log into sites they don't recognize and get phished with ease.

And that’s what makes this approach exceedingly fiendish: instead of going after the content on the device, it manipulates the credentials of the user’s iCloud account and remotely locks the device, threatening to hit where it hurts (likely the only backup they have of their mobile life), until they pay the comparatively minimal fee of around $50 USD to regain access.

“The affected devices aren’t infected with malware; instead, it looks as though the attackers have somehow got hold of the victims’ iCloud login credentials and locked their devices remotely,” said veteran security researcher Paul Ducklin in a post on Sophos’s Naked Security blog.

When you reuse one password across many accounts, it only takes one domino to fall before the rest of your digital life follows. If a company that holds your information slips up and something like 38 million user accounts are lifted from a single server, the impact of that initial strike ends up far wider than the crater left by the first attack.

Shockwaves ripple out in every direction: the leaked email-and-password pairs are fed to automated tools, written by programmers who taught a computer to do the work for them, and tried over and over against other services. All the attackers need is one reused password, and they can get into everything from your banking portal to your email with a program built to do nothing but guess.
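The automated replay of leaked email-and-password pairs described above leaves a recognisable footprint in a service's login logs. As an added illustration (not from this article or from Sophos), here is a small Python detector run over constructed log lines: it flags a source address that attempts logins against many distinct accounts within a short window, the signature of a breach list being replayed rather than one user mistyping their own password. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from the article): one source address
# cycling through many distinct accounts in seconds, plus one ordinary user
# who fails once and then logs in normally a few minutes later.
SAMPLE_LOG = """\
2014-05-27T08:00:01Z login result=fail user=alice@example.com src=203.0.113.9
2014-05-27T08:00:02Z login result=fail user=bob@example.com src=203.0.113.9
2014-05-27T08:00:03Z login result=success user=carol@example.com src=203.0.113.9
2014-05-27T08:00:04Z login result=fail user=dave@example.com src=203.0.113.9
2014-05-27T08:00:05Z login result=fail user=erin@example.com src=203.0.113.9
2014-05-27T08:00:06Z login result=success user=frank@example.com src=203.0.113.9
2014-05-27T08:00:07Z login result=fail user=alice@example.com src=198.51.100.4
2014-05-27T08:05:00Z login result=success user=alice@example.com src=198.51.100.4
"""

# Assumed log format: "<ISO timestamp> login result=<fail|success> user=<x> src=<ip>"
LINE_RE = re.compile(r"^(\S+) login result=(\w+) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Flag sources that try at least `min_accounts` distinct accounts inside
    `window`. A real user fails repeatedly on one account; a replayed breach
    list spreads its attempts across many. Successes are listed so the
    affected accounts can be forced through a password reset."""
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, result, user, src = parsed
            events_by_src[src].append((ts, user, result))
    findings = {}
    for src, events in events_by_src.items():
        events.sort()  # chronological; timestamps are the primary key
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            accounts = {e[1] for e in in_window}
            if len(accounts) >= min_accounts:
                hits = sorted(e[1] for e in in_window if e[2] == "success")
                findings[src] = {"accounts": len(accounts), "successes": hits}
                break  # one finding per source is enough
    return findings
```

Tune `window` and `min_accounts` to the service's normal traffic; shared NAT addresses will legitimately show several accounts per window, so the threshold should sit well above that baseline.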

“While it’s not clear how the attacker gained account credentials for the iOS accounts, given the localised nature of the attacks it’s likely that this is a case of password reuse as opposed to Apple servers being compromised. It is likely that a third party database was compromised and authentication credentials stolen that are the same credentials used by the owners of the affected iOS devices. Fortunately, this is a situation where Apple can intervene to reset the device and affected users should not pay the ransom being sought.”

With the CryptoLocker variants currently terrorizing Windows and OS X machines globally, users can often end up paying hundreds, sometimes even thousands, in the long run to save the photos, videos, and other assorted precious memories they never thought to back up onto the ever-expanding clusterfumble that is the cloud.

Photo: Sophos

Less of a threat to the phone itself, but still serious, is the possibility that the hackers delete all the data backed up in your iCloud before you get a chance to reset the password through AppleCare. Technically, all they need is access to your email to know exactly when you request a reset online. As soon as they see that flag go off, they wipe the account and move on.

iPads, iPhones, and iPod Touches are all affected, if only because all three run the apps that connect to iCloud, holding content that needs to be saved somewhere else as well.

As of now the scam seems to be hitting iOS device owners in Australia and New Zealand, but there is good reason to believe it will spread rapidly beyond those island nations and continents in the very near future.

To prevent your devices from falling to the first ransomware for iOS (in what we're sure will be a long line of precious-memory-murdering malware to come), be sure your iCloud password differs from your other passwords by at least a few letters or numbers, in order to keep the bad guys off the scent.