A New Approach to Cyber Ransoms
Ransomware has been a large topic in information security for the past 5 years. In traditional ransomware attacks, critical data is encrypted and then used to extort payment from the owners of said data. If no payment is made (and oftentimes even if payment is made) the data is lost forever unless researchers discover a weakness in the encryption or law enforcement agencies manage to acquire the master keys used by the criminals.
A new approach to holding user data ransom has emerged during the past two weeks:
A hacking collective calling itself the “Turkish Crime Family” has acquired a large set of account credentials and is using it in an attempt to extort money from Apple.
Where does the data come from?
The credentials were most likely gathered from a variety of sources including public leaks after breaches and credential sets for sale on the Darknet. The attackers claim that their database contains 750 million credential sets.
Most users re-use their credentials across different services. If one of the services should become compromised, the stolen usernames and passwords can thus be used to log into the remaining services as well.
Since Apple products are popular and by default associated with an iCloud account, any database of user credentials is thus bound to contain a significant number of entries that will work on iCloud as well.
What is the impact?
Attackers with access to an iCloud account gain access to the files stored in iCloud and to any messages sent via iMessage from that point on. (Old iMessages cannot be retrieved.) In addition, Apple has developed sophisticated remote management features for its devices over the years to counter theft and loss. Using these features, all Apple devices associated with an iCloud account can be tracked, locked and wiped remotely. This allows victims of theft to make sure their phones aren’t abused, but it also allows an attacker with access to the account to wipe a victim’s phone.
This is exactly what the “Turkish Crime Family” is threatening to do. They have informed Apple and several major news outlets that unless Apple pays a ransom by April 7th, they will wipe all the devices that they have access to.
How can I protect myself?
Apple has shown no intention to pay the attackers. It makes no sense for them to do so, as this kind of attack could be replicated by almost anyone. Paying would thus open them up to greater and greater extortion. A loss of several hundred million devices would nonetheless be a PR nightmare for the company.
It is unclear if the dataset controlled by the attackers really contains 750 million records. Even if it does, a large quantity of the records will be duplicates, expired, not associated with iCloud or have had their passwords changed. Nonetheless, it makes sense to assume that the attackers have the capability to remotely wipe hundreds of thousands or even millions of phones.
Accessing the accounts will prove a challenge as Apple can easily trace a single IP address accessing a large number of iCloud accounts and even botnets may not provide enough IPs to access a million or more accounts separately.
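The tracing described above, a single source IP touching many distinct accounts, is the classic signature of credential stuffing. The following is an added example (not code from the original post or from Apple) showing how a defender would flag such sources in an authentication log; the log format and the sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data):
# "<timestamp> <source IP> <account> <success|failure>"
SAMPLE_LOG = """\
2017-03-28T10:00:01Z 203.0.113.10 alice@example.com success
2017-03-28T10:00:02Z 203.0.113.10 bob@example.com failure
2017-03-28T10:00:03Z 203.0.113.10 carol@example.com success
2017-03-28T10:00:04Z 203.0.113.10 dave@example.com failure
2017-03-28T10:00:05Z 203.0.113.10 erin@example.com success
2017-03-28T10:00:06Z 203.0.113.10 frank@example.com failure
2017-03-28T10:05:00Z 198.51.100.7 alice@example.com success
2017-03-28T10:06:00Z 198.51.100.7 alice@example.com failure
2017-03-28T10:07:00Z 198.51.100.7 alice@example.com success
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, ip, account, outcome = line.split()
    return {"ts": ts, "ip": ip, "account": account, "outcome": outcome}


def find_credential_stuffing(lines, min_accounts=5):
    """Return {ip: summary} for every source IP that attempted logins
    against at least `min_accounts` distinct accounts.

    A legitimate user retrying a password hits one account many times;
    a stuffing run hits many accounts a few times each, so the number
    of distinct accounts per IP is the discriminating feature. The
    `successes` count lists how many reused credentials actually worked,
    i.e. the accounts a defender should force through a password reset.
    """
    accounts_by_ip = defaultdict(set)
    attempts_by_ip = defaultdict(int)
    successes_by_ip = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        accounts_by_ip[rec["ip"]].add(rec["account"])
        attempts_by_ip[rec["ip"]] += 1
        if rec["outcome"] == "success":
            successes_by_ip[rec["ip"]] += 1
    return {
        ip: {"distinct_accounts": len(accounts),
             "attempts": attempts_by_ip[ip],
             "successes": successes_by_ip[ip]}
        for ip, accounts in accounts_by_ip.items()
        if len(accounts) >= min_accounts
    }
```

The threshold is deliberately a parameter: on a real service it would be tuned against shared NAT addresses, which legitimately serve many accounts.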
Whether or not you use iCloud, the best defense against any such attack remains the same: choose strong passwords, avoid password re-use between accounts and update your passwords regularly. As remembering a large number of strong passwords is difficult, a password manager may help with these tasks. Furthermore, using two-factor authentication where possible adds an additional layer of security should your credentials be stolen.