iOS 10.3, released yesterday, has thwarted a screen-locking ransomware campaign that used a bug in mobile Safari to lock users' browsers and demand a ransom paid in iTunes pre-paid gift cards.

This ransomware campaign was first spotted by mobile security firm Lookout last month after one of its clients had his Safari browser locked and unable to use it.

Crooks using old iOS exploit shared on Russian site

Lookout experts analyzed the threat and discovered that crooks behind this new campaign were using an older iOS exploit shared on a Russian website.

According to Lookout, this exploit affected all iOS versions from iOS 8 to the current iOS 10.2. The exploit leveraged a bug in how mobile Safari showed popup notifications, effectively blocking the user's access to the browser through an endless loop of popups.

Crooks discovered that if they attempted to load a non-existent local URL, mobile Safari would enter an infinite loop, showing a popup that read "Cannot open page."

Crooks tried scaring users into paying

Their campaign relied on secretly redirecting, or tricking users into accessing a malicious page where their exploit code was hosted.

This page showed alarmist messages that attempted to pass as warnings from law enforcement, accusing users of watching illegal pornography or accessing copyrighted content.

When the exploit code executed, the popup would appear and lock the user's Safari browser on their page. Clicking "OK" in the popup would show an identical popup, over and over again.

Lock screen shown in Safari browsers
Lock screen shown in Safari browsers (Source: Lookout)

The exploit tried to mimic the actions of classic ransomware strains, but in reality, it never encrypted any data, only blocking access to the iOS Safari browser.

Screen locker could be removed without paying the ransom

Lookout experts say that users with technical expertise could have removed this lock screen by cleaning the browser's cache. This operation can be done by navigating to the iOS Settings page, selecting Safari, and then the Clear History and Website Data option.

The ransomware campaign used several domains and localized pages that specifically targeted users based in Australia, New Zealand, Ireland, the UK, and the US.

To give legitimacy to their ransom demands, attackers used domains and email addresses referencing government agencies or Apple terms.

http://x-ios-validation.com
http://police-pay.com

US email: networksafetydept@usa[.]com
Ireland email: justicedept@irelandmail[.]com
UK email: cybercrimegov@europe[.]com
Australia email: federaljustice@australiamail[.]com
New Zealand email: cybercrimegov@post[.]com

The security firm says it notified Apple about this ransomware campaign and the Safari bug it exploited last month.

With the release of iOS 10.3, Apple has now fixed this issue by changing how Safari handles popups. Starting with iOS 10.3, popups will only block the current tab, not the entire browser, allowing users to close the tab and continue using the browser.

Related Articles:

iOS 12 Patches Memory Bugs, Safari 12 Fixes Data Leaks

Method to View Contact Info on a Locked iOS 12.1 Device Disclosed

Apple Fixes Creepy FaceTime Vulnerability, Crash Bug in macOS, and More

Apple Releases Security Updates for iOS and iCloud, Fixes Passcode Bypass

iSH - An iOS Linux Shell for Your iPhone or iPad