Extortion Campaign Targeting Apple Users
Last Friday, the NJCCIC received an incident report from an Apple user whose MacBook Air laptop was locked with a screen stating "Your computer is locked. Try again in 59 minutes." along with an additional message of "write to email: unlock.device[@]gmx.com." The displayed screen resembles a legitimate Apple screen, including a light gray background with the Apple logo and the three standard buttons for the Sleep, Restart, and Shut Down functions.

It is not clear whether any user action or malware led to this incident; however, after reviewing numerous forum posts from other Apple users who have experienced the same issue in recent weeks, we assess that this campaign is likely targeting Apple users who have not enabled two-factor authentication (2FA) on their iCloud accounts and who also have weak or previously leaked login credentials. It appears that the hackers are gaining unauthorized access to users' accounts via iCloud.com and abusing the 'Lost Mode' function within the 'Find My iPhone' application, which allows users to lock a device they believe is lost or stolen. When enabling Lost Mode, the user is prompted to enter a message that will be displayed on the screen in the event that someone finds the device. In this case, the hackers are enabling Lost Mode and using that message to display their own email address. According to forum posts, if the victim contacts the email address, the perpetrator requests a $50 payment to unlock the computer. Once the locking function is enabled, the device requires a passcode, and the only way to restore it is to take it to an Apple retail store and provide proof of purchase.

The NJCCIC strongly recommends that all Apple users enable 2FA on their iCloud accounts and ensure their passwords are a minimum of eight characters and include a mixture of letters, numbers, and special characters. In addition to iCloud or other cloud backups, users should occasionally back up their device to an external hard drive in the event the cloud backup is compromised or held for ransom. If you are impacted by this campaign, please report the incident to the NJCCIC.