Apple users have flocked to social media within the past week to report issues relating to their Macs and iOS-based devices seemingly locking out their owners from using them. In most cases, the devices are requesting a 6-digit code, or that the user call a number in order to pay to have their access restored. The fact that the lockout method comes right from the user's iCloud account is troubling.
Before the mass hysteria begins over Apple being hacked, let's nip this in the bud. There are no indications that Apple or the iCloud service has been hacked, per se. Rather, the attack is being carried out by threat actors who have obtained user credentials from a third party, likely from the recent data breaches that have made headlines, and who have successfully logged on to iCloud using those compromised credentials.
In most, if not all, of these cases, end users are having their iCloud accounts logged into by unknown parties, and these actors have used Apple's Find My iPhone technology to remotely place a device in Lock Mode. Once the lock is enabled, iCloud keeps the device locked until the user manually ends Lock Mode to restore system access.
Threat actors are using this helpful tool to assail the owners of these compromised accounts, relaying messages that the lock will be lifted, or the 6-digit code will be sent to them, after successful payment of a ransom via Bitcoin.
Since Find My iPhone is intended to help users find their devices and lock them to prevent unauthorized access, the lock is designed to survive recovery attempts: it will continue to function even if the device is formatted and the operating system is reinstalled.
While this may sound bleak, there are steps you can take to minimize the possibility of having your iCloud account compromised and protect your data.
1: Change your iCloud account password immediately
The sooner you change your iCloud password, the sooner your account will be protected. Then, if attackers try to compromise your account with the credentials they previously obtained, the password will be obsolete, and they will not gain access to your iCloud account.
2: Use a unique password for each of your accounts
This is more of a general security best practice and is not specific to iCloud. It's a smart move to stop reusing the same password across your accounts, especially for iCloud. By following this practice, a compromise of one account is far less likely to turn into a compromise of all of them.
3: Enable two-factor authentication
Two-factor authentication does not protect iCloud users against this particular ransom attack, because of the way Find My iPhone is currently implemented when logging on to the iCloud.com website. It can and does, however, protect all data stored within iCloud, such as pictures, contacts, and email, from prying eyes and unauthorized leaks.
This is because two-factor authentication requires a special code that Apple's servers send only to your trusted devices, ensuring that it was you who requested access in the first place and not someone else.
Even if someone gets hold of one of your trusted computers or mobile devices, a device with a passcode enabled will require the attacker to unlock it before they can view the Apple-provided code, thus keeping your data protected.
4: Protect your Apple computer or mobile device with a password or passcode
This best practice makes it harder for attackers to get to your data and/or cause additional damage in the event of an account compromise. A protected device will require entering the passcode or password to access certain parts of the system; without the passcode or password, certain functions will be limited or inaccessible, such as Apple Pay remaining disabled until a passcode is entered.
5: Turn off Find My iPhone service on devices
Note: This recommendation is not considered a best practice, though it has made the rounds on the web as a good thing to do.
The logic behind this recommendation is sound. If the locking mechanism (Find My iPhone) is disabled, then a device cannot be locked and therefore ransomed. It makes sense, right?
While turning the service off may side-step this particular attack, if and when it gets turned back on, the same problem will persist; it will not just go away on its own.
Furthermore, by turning off the service, lost or stolen devices cannot be tracked by Find My iPhone, so your device could be gone for good. Additionally, if a device is lost or stolen, Find My iPhone provides a few options for wiping the private data from the device; with the service turned off, those protections are unavailable, which means that unauthorized users could gain access to your personal data.
If you've been locked out of your device, your best bet is to power the device off immediately and seek help at an Apple Store to get the lock removed from your account. To expedite the process, make sure you have proof of purchase (i.e., an invoice, receipt, or email with the serial number displayed) for your compromised device(s).
Have you been a victim of an iCloud ransom attack? If so, what steps did you take to regain access to your device? Do you have suggestions on how to further protect your data and your devices? Please sound off in the comments section.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.