Posted: March 16, 2016 by

Ransomware – malicious software that encrypts your files and then demands payment to unlock them – has become a major scourge of the Windows world.

Mac users just had their first brush with such threats last week, with the appearance of the KeRanger ransomware. However, shortly before KeRanger, I encountered a ransomware event in the Mac world far worse than anything seen for Windows.

This hack seems to have turned an iMac into an expensive paperweight.

A woman named Ericka contacted me, telling me that her Mac was locked by ransomware. At first, I thought this might be one of countless web-based scams out there, pretending to be ransomware, but easy to get rid of.

However, there was an added wrinkle: Ericka said her computer was asking for a six-digit code, and that a Russian hacker was asking for payment in exchange for the code. This sounded like more than a simple scam pop-up.

From the screenshots she sent me, it soon became clear what had happened. The hacker had somehow gotten access to Ericka’s iCloud account.

Using this, he was able to remotely lock her computer using iCloud’s Find My Mac feature, with a ransom message displayed on the screen. (For some reason, the iPhone did not actually end up locked, but displayed the same message.)

The message read: “Contact me: hblackhat(at)mail.ru All your conversation sms+mail, bank, computer files, contacts, photos. I will public + send to your contacts.”

She also received an e-mail message, in similarly broken English, from her own iCloud address. The message said he had access to all her bank accounts, personal information, etc., and would publish it if she didn’t respond within 24 hours.

This is a pretty serious threat, and quite different from the typical Windows malware. Unfortunately, the story doesn’t end there. Apple designed Find My Mac/iPhone as an anti-theft feature. It is intended to allow you to take a number of actions on a lost or stolen device, including displaying a message, locking it, locating it physically and even remotely erasing it.

Apple is focused on trying to ensure the security of your devices, and that’s a good thing. You don’t want a thief to be able to bypass this security and gain access to your data.

In this case, however, that security has backfired. Nothing that Ericka has tried has been successful in giving her back access to her Mac. Worse, the iMac is 6 years old, and she no longer has a receipt. Without proof of ownership, Apple won’t help her unlock it.

Although I certainly sympathize with Ericka, this reluctance to unlock a device is generally a good thing for those whose devices have been stolen.

However, in this case, with a ransom message displaying on the locked iMac, one would think that an Apple tech should have escalated this case to someone who could make a more informed decision.

A similar event happened back in 2014, where people’s iPhones were locked by “Oleg Pliss,” mostly in Australia. Back then, perhaps thanks to the more widespread nature of the event, Apple helped affected users unlock their phones.

It’s also important to realize that an attacker with this kind of access could remotely erase all devices connected to that iCloud account. Worse, if you have Back to My Mac turned on, the attacker could gain access to all the data on your Mac.

There are some lessons to be learned from these events, so that you don’t end up experiencing something similar yourself.

First and foremost, make sure that your iCloud account has a very secure password. Longer is better. As long as your password is long, is not a quote from a book, movie, song or other media, is not a common expression, and is not something that could be guessed with a little cyberstalking, it does not need to be horribly complex.

A password like “horse airplane rutabaga flashlight” is far more secure than a complex but shorter password like “h@c|<me.”
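To put numbers on that comparison, here is a small added script (not from the original post) that estimates the search space an attacker faces for a four-word passphrase versus a seven-character "complex" password, and the expected time to exhaust it at a throttled online rate and at an offline cracking rate. The word-list size (7776, a diceware-style list), the 95-character printable ASCII pool and the guess rates are assumptions for illustration.

```python
import math

# Assumed generation models (not from the article): a 7776-word diceware-style
# list for the passphrase, and the 95 printable ASCII characters for the
# short password. Both are attacker-knows-the-method estimates.
WORDLIST_SIZE = 7776
PRINTABLE_ASCII = 95

# Assumed attacker speeds: a rate-limited login endpoint vs. an offline
# GPU rig attacking a leaked hash database.
ONLINE_GUESSES_PER_SEC = 100.0
OFFLINE_GUESSES_PER_SEC = 1e10


def search_space_bits(pool_size: int, symbols: int) -> float:
    """Entropy in bits for `symbols` independent, uniform picks from `pool_size`."""
    return symbols * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the secret: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(passphrase_words: int, password_chars: int) -> dict:
    """Return the two entropy estimates and how many times larger the passphrase space is."""
    phrase_bits = search_space_bits(WORDLIST_SIZE, passphrase_words)
    # For "h@c|<me" this is an upper bound: it is a leet-substituted dictionary
    # phrase ("hackme"), so a rule-based cracker searches far fewer candidates.
    pw_bits = search_space_bits(PRINTABLE_ASCII, password_chars)
    return {
        "passphrase_bits": phrase_bits,
        "password_bits": pw_bits,
        "space_ratio": 2.0 ** (phrase_bits - pw_bits),
        "passphrase_offline_years": expected_crack_seconds(phrase_bits, OFFLINE_GUESSES_PER_SEC) / 31_557_600,
        "password_offline_years": expected_crack_seconds(pw_bits, OFFLINE_GUESSES_PER_SEC) / 31_557_600,
        "password_online_years": expected_crack_seconds(pw_bits, ONLINE_GUESSES_PER_SEC) / 31_557_600,
    }


if __name__ == "__main__":
    # "horse airplane rutabaga flashlight" (4 words) vs "h@c|<me" (7 chars)
    for key, value in compare(4, 7).items():
        print(f"{key:>26}: {value:,.2f}")
```

The takeaway matches the post: even against an attacker who knows the word list, four random common words carry more entropy than seven arbitrary printable characters, and the gap widens once the short password is recognised as a mangled dictionary word.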

Second, DO NOT use the same password on any other site!

Ideally, every online account should have a different password, and you should be using a password manager (like 1Password or LastPass) to keep track of all of them. This prevents situations where a server gets compromised and leaks your password, and then the hacker is able to use that password to access all your other accounts.

Finally, be sure to turn on two-factor authentication on your iCloud account. This restricts access to your iCloud account to someone in possession of one of your designated “trusted” devices. That makes it significantly harder for a Russian hacker to remotely access your account!

Of course, beyond that, it would also be wise to ensure your computer is thoroughly backed up. This will ensure that any disaster – whether ransomware, iCloud hack or just plain bad luck – doesn’t also claim the life of your valuable data.