Part 3: A Security Expert’s Guide to Ransomware on Apple Devices

Last week’s Rethink: Security post on ransomware featured Android exploits and remediations. This week we’re switching gears and taking a look at iOS and Mac OS X exploits.

Recently, a sophisticated attack on Mac platforms called KeRanger was discovered by Palo Alto Networks. The ransomware attached itself to a popular BitTorrent peer-to-peer file transfer app called Transmission. KeRanger locked personal data preventing access from their owners and affected about 6500 users. Some victims paid the $400 ransom to unlock their devices.

Two Transmission app installers were infected with the malware. It is believed that since the app is Open Source, cybercriminals replaced the real DMG files with infected ones on the host website. The apps were able to bypass OS X’s Gatekeeper service because they were digitally signed by a legitimate certificate issued by Apple. The Gatekeeper service scans and detects malware in the app before it is posted onto the Mac App Store.

The infected apps were pulled from the Transmission web site, and the Apple signing certificate was revoked and replaced. Also, the built-in malware protection on Macs called XProtect has been updated with the signatures to detect KeRanger.

It is speculated that the next incarnations of KeRanger will try to encrypt the data backed up using Apple’s Time Machine, and stored within Time Capsule, or internal and external storage drives so that victims would be unable to restore from their backed up data, and recover from this malware exploit.

iCloud Exploits

In June of 2014, an iCloud ransomware attack succeeded with victims in Australia, New Zealand, and the United States.

On iOS devices and Mac OS X laptops, their lock screens were replaced with a demand for payment message to unlock them. Cybercriminals harvested user account information using complex phishing campaigns, and brute-force password cracking techniques from vulnerable iCloud accounts.

How did this exploit succeed? Cybercriminals used the Find My iPhone, Find My iPad, Find My Mac, or Find My iPod services within iCloud that allow the owner to try to locate their lost device from any web browser. If the lost device was still connected to the Internet, the owner could display a message on the screen instructing the person in possession of the device to contact them, remotely set a locking PIN, or wipe the contents of the device.

Once the cybercriminals obtained the victim’s iCloud account credentials, they remotely changed the PIN and locked the device from the rightful owner. They could then display a ransom message demanding the $100 payment to unlock the mobile device or laptop.

Other similar exploits include fake antivirus support pop-up messages that inform the user to call a telephone number in order to remove the malware. Victims would then be coerced to pay money to remove the malware from their devices or laptops. The simple solution was to restore from a Time Machine backup.

iOS and Mac OS X Remediation

iOS and Mac OS X exploits are not as widespread as Android and Windows desktop platforms - yet. This is because of the stringent process of code reviewing apps before they are added to the iOS and Mac App Stores. Although, Apple is not totally immune from malware. More reports of attacks to these platforms including XCode have been reported recently.

If the iOS devices are managed by an EMM, you can implement the following tasks to remediate attacks from ransomware.

1. Create iOS Restrictions that specifically allow the following Application Restrictions:

  • Use of Safari
  • Force fraud warning
  • Block pop-ups
  • Force limited at tracking

Optionally enable all other restrictions not explicitly mentioned below.

For company-owned and Supervised devices, disallow the following restrictions:

  • Sharing of photos
  • AirDrop
  • User to accept untrusted TLS certificates
  • Modification of enterprise app trust setting
  • Trusting new enterprise app authors
  • Open in from managed to unmanaged apps
  • Open in from unmanaged to managed apps
  • Bookstore erotica
  • Account modification
  • JavaScript
  • Use of Game Center
  • Configuring restrictions
  • Accept cookies - Never (for Safari)
  • Autofill (for Safari)

2. Enable an EMM-provisioned container solution on the device to, encrypt, and isolate the work profile data from personal data. 

3. For BYOD deployments, create a blacklist of disallowed apps on the device. For company-owned devices, create a whitelist of allowed apps that can be installed on the device. All other apps will be disallowed. Download and install apps only from the iOS App or Mac App Stores as a security best practice. 

If the EMM solution supports it, create an Enterprise App Store to push productivity and line-of-business apps to the managed devices. 

4. Create a Web Content Filter Configuration for Supervised devices. Limit access to Adult Content, specify only Permitted URLs, or blacklist URLs of known malicious websites. 

Additional tasks include ensuring the XProtect built-in anti-malware agent is update-to-date on Mac OS X laptops by making sure that it is running the latest security updates from Apple. Augment this by installing an antivirus application from reputable vendors like Symantec, Avira, Bitdefender, and others. 

5. For company-owned devices, disable Siri because of reported privacy issues and security vulnerabilities.

James Saturnio

Senior Solutions Architect at MobileIron

About the author

James Saturnio is a Senior Solutions Architect for the Technical Marketing Engineering team at MobileIron. He immerses himself in all things cybersecurity with equal parts mobility and IoT technologies. He has been with MobileIron for 5 years. Previously, he worked at Cisco Systems for 19 years where he started out as a Technical Assistance Center (TAC) engineer, then a software engineer, and as a Technical Leader in the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.