Ransomware Locked MacBook Pro

14/7/2017 – Ransomware Locked MacBook Pro

A user of an Apple MacBook Pro (2013) had suffered either a malware attack or a breach of his iCloud account. As a result, his MacBook Pro had been locked, with an on-screen message demanding that the owner of the laptop pay a ransom. If the ransom was not paid, the data would be destroyed.

Ransomware has become a common cause of data loss on Windows computers. There have been various high-profile ransomware cases in 2017, resulting in data loss for large organisations, including the NHS.

Instances of data being held for ransom on Apple Mac computers are far rarer. This is the first instance CDR has seen. We expect that, rather than software being run on the Apple Mac itself to invoke the security lock, the customer’s iCloud account was hacked and the lock was enabled via the iCloud website.

Solid State Disk (SSD) details:

Manufacturer: Apple / SanDisk

Model: 128GB SDNEP 655-1837C

Part Number: SD6PQ4M-128G-1021

Result:

The customer’s SSD was removed from the MacBook. It used the PCI-Express (PCI-E) interface. The SSD was fully cloned to a disk image. From the disk image, it was possible to determine that an attempt to ‘security erase’ the SSD had already taken place. However, this function appeared to have altered only the first few sectors of the HFS+ partition. Nevertheless, because those sectors hold the volume header, this would prevent access to the data if the SSD was mounted directly in another computer.

It was possible to identify the start of the ‘catalog’ file, which holds the folder and file name structure. Analysis of the partition allowed the folder and file name structure to be rebuilt.

A small number of operating system files were missing or corrupt; however, it was possible to make a full recovery of the ‘User’ profile folder and all of the customer’s critical data.
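As an added illustration of the carving step described above (this is not CDR’s tooling or code from the original case), the following Python scanner looks for the HFS+ catalog file’s B-tree header node in a raw image whose first sectors, and therefore the volume header, have been wiped. The field layout follows Apple’s HFS+ specification (TN1150); the 512-byte scan step and the node-size limits are assumptions, and the sample image is constructed inline.

```python
import struct

# HFS+ B-tree layout per Apple TN1150; the catalog B-tree is recognised by its header record.
BT_HEADER_NODE = 1
CATALOG_MAX_KEY_LEN = 516                 # kHFSPlusCatalogKeyMaximumLength
CATALOG_COMPARE_TYPES = (0xCF, 0xBC)      # kHFSCaseFolding (HFS+), kHFSBinaryCompare (HFSX)
BT_BIG_KEYS, BT_VARIABLE_INDEX_KEYS = 0x02, 0x04
NODE_DESC = struct.Struct(">IIbBHH")      # BTNodeDescriptor: fLink, bLink, kind, height, numRecords, reserved
HEADER_REC = struct.Struct(">HIIIIHHIIHIBBI")  # BTHeaderRec up to and including 'attributes'

def parse_catalog_header(buf, off):
    """Return the B-tree geometry if buf[off:] holds a plausible catalog header node, else None."""
    if off + NODE_DESC.size + HEADER_REC.size > len(buf):
        return None
    _flink, _blink, kind, height, nrecs, _ = NODE_DESC.unpack_from(buf, off)
    if kind != BT_HEADER_NODE or height != 0 or nrecs != 3:   # header node: kind 1, exactly 3 records
        return None
    (depth, root, leaf_recs, first_leaf, last_leaf, node_size, max_key, total, free,
     _res, _clump, btype, cmp_type, attrs) = HEADER_REC.unpack_from(buf, off + NODE_DESC.size)
    plausible = (
        max_key == CATALOG_MAX_KEY_LEN and btype == 0 and cmp_type in CATALOG_COMPARE_TYPES
        and attrs & (BT_BIG_KEYS | BT_VARIABLE_INDEX_KEYS) == (BT_BIG_KEYS | BT_VARIABLE_INDEX_KEYS)
        and 4096 <= node_size <= 32768 and node_size & (node_size - 1) == 0   # power-of-two node size (assumed range)
        and total > 0 and free <= total and max(root, first_leaf, last_leaf) < total
    )
    if not plausible:
        return None
    return {"offset": off, "node_size": node_size, "depth": depth, "root_node": root, "first_leaf": first_leaf,
            "last_leaf": last_leaf, "leaf_records": leaf_recs, "total_nodes": total}

def find_catalog_headers(image, step=512):
    """Scan a raw image at sector granularity; returns every plausible catalog header node found."""
    return [h for off in range(0, len(image), step) if (h := parse_catalog_header(image, off))]

def _header_node(node_size, max_key, cmp_type, attrs, total, root, first_leaf, last_leaf, leaf_recs):
    """Constructed test data only: one header node padded to node_size (not taken from a real volume)."""
    body = NODE_DESC.pack(0, 0, BT_HEADER_NODE, 0, 3, 0) + HEADER_REC.pack(
        2, root, leaf_recs, first_leaf, last_leaf, node_size, max_key, total, total - 4, 0, 0, 0, cmp_type, attrs)
    return body.ljust(node_size, b"\x00")

# Constructed image: the first sectors (where the volume header would sit) are zeroed, as after the
# 'security erase' above; an extents-overflow header at 8 KiB must be rejected; the catalog header is at 64 KiB.
SAMPLE_IMAGE = (
    bytes(8192)
    + _header_node(4096, 10, 0x00, BT_BIG_KEYS, 100, 1, 2, 5, 40)                       # extents B-tree, not catalog
    + bytes(64 * 1024 - 8192 - 4096)
    + _header_node(8192, CATALOG_MAX_KEY_LEN, 0xCF, 0x06, 5000, 1, 3, 4800, 23000)      # catalog B-tree
    + bytes(16384)
)
```

Once a header node is located, its node size and first/last leaf node numbers give the geometry needed to walk the leaf nodes and rebuild the folder and file name hierarchy.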