Originally, this was considered to be one attacker using the moniker of '‘Oleg Pliss’ performing what I considered to be merely a proof-of-concept attack. The kidnapped Apple devices had messages pop up telling victims to send money to a Paypal account that never existed.
Then this happened:
Hackers suspected of holding Apple devices to ransom detained in Russia
Russian authorities say they have detained two young hackers who are alleged to have hijacked Apple devices and digitally held them ransom.
The hackers - aged 17 and 23 - were detained in the course of "operational activities" by the Russian Interior Ministry, Russia's Ministry of Internal Affairs said. They are both residents of the southern administrative district of Moscow and one has been tried before, it said.
According to Russian media outlet MKRU, the hackers were caught by CCTV when they withdrew victims' ransom money from an ATM.
. . .
It appears that just over a week before Australian users began reporting similar hijacking attacks, a Russian publication reported Russian citizens were being targeted. The same hackers then may have used their techniques to hijack Australian devices although it it may have been copycats.The first impression was that these were the hackers passing as "Oleg Pliss". But there are strong indications that they are not. Their scheme turns out to be significantly different from and more elaborate than the "Oleg Pliss" attack. As The Sydney Morning Herald article above indicates, their attack to predates the "Oleg Pliss" attack. Details are still being collected regarding exactly what they were doing. But here are a few details:
…The hackers used two "well-established" schemes to conduct their activities.
"The first was to gain access to the Apple ID of a victim's account by creating phishing pages, [gaining] unauthorised access to email, or using social engineering techniques," the Ministry of Internal Affairs said. "The second scheme was aimed at binding ... devices to a pre-arranged account."
The pre-arranged account was one that hackers owned then "leased", or sold, to users by offering movies and music. But in order to access the content, users needed to link their devices to the account, which left the devices vulnerable to being hijacked by hackers who knew the log-in details.This wasn't any proof-of-concept attack. It was serious and working, until the Russian police caught the two red-handed.
Until such time as Apple makes changes to its 'Find My Mac' system, this ransom scheme is likely to happen again. Note that the 'locked' devices are entirely recoverable as long as the users have followed The #1 Rule of Computing and have made a backup. Sadly, as usual, there will be the newbie, granny and LUSER factors that will mean trouble for those users. That's going to potentially be a big problem. We'll see how it goes. I don't want to FUD the situation, but the ransom problem is now very real for Apple users. So keep your eyes open and keep your Apple ID information safe from hackers while we wait for further revelations.
Current details are available in articles by my colleagues Thomas Reed and Topher Kessler:
Russian iCloud hackers arrested
Russian hackers arrested in possible ‘Oleg Pliss’ iOS ransom attack