Marta Turnbull

Head of Community at MacUpdate

Marta Turnbull is a MacUpdate OG and has written about technology, marketing and brand creativity for over 10 years. She splits her time between Michigan and Ukraine.

You Can't Ignore Mac Ransomware!

17 January 2020

Ransomware is one of the most significant threats facing individuals and businesses today!

Just look at some of the stats:

[Figure: Ransomware Growth Statistics]

With ransomware rapidly growing and becoming increasingly sophisticated, Mac ransomware is also on the increase.

While the majority of ransomware attacks in 2019 were focused on high-value business targets - you could still become a victim.

That's why you need the best ransomware protection for your Mac, along with this two-pronged approach to ensuring the best security:

  • Proactively protect your Mac
  • Make sure you can quickly recover if you are a victim.

To begin with, what is ransomware, and how does it infect Mac computers?

What is Ransomware and How Does It Work?

Simply put, ransomware on Mac extorts individuals or businesses for financial gain.

Ransomware is a malware attack where perpetrators threaten to expose your online activity, publish personal data online, or encrypt files and deny access unless you pay a ransom.

Your files - or your entire device - are held hostage until you pay the ransom and receive a decryption key.

Like other forms of malware, extortionists push ransomware to individual computers through:

  • Compromised vendors
  • Malicious online advertising
  • Phishing emails
  • Free software downloads
  • Social media attachments
  • Unpatched programs

Ransomware can quickly spread across a network, encrypting mapped and unmapped network drives. The result is one infected user bringing an entire organization to a halt, with massive implications depending on the type of organization attacked.

How Much Do They Want?

Ransoms start around $300-$500 for individuals, but amounts of $50,000-$400,000 - or more - are typical for businesses who have more to lose. Because of the impact on their services and clients, healthcare institutions are often targeted by ransomware.

What Should You Do?

Designed to prey on your fears, ransomware perpetrators want you to panic and pay the ransom before you've stopped and thought things through. That's why it's essential to follow these steps carefully:

  1. Stop
  2. Breathe
  3. Stay calm
  4. Don't panic
  5. Think

Can Macs be Infected with Ransomware?

Yes.

While it's true that Mac computers are less likely to be attacked than Windows PCs, they are not any more resistant to malware attacks. In fact, the threat of Mac malware increased by 60% in just the last quarter of 2018.

While adware is the most popular form of malware, ransomware is the most stressful and frustrating once it's infected your Mac. That's why you need an excellent anti-ransomware for Mac strategy.

What are the Most Common Mac Ransomware?

Although relatively few compared to Windows, there have been several examples of ransomware affecting Macs, along with their derivatives which continue to appear in various forms. These include:

  • FBI/MoneyPak scam (2013): Targeting Mac's Safari browser, a fake FBI web page appeared, locking the user out of the Mac until a $300 fine was paid. If the user force-quit Safari, the ransomware would simply reload itself the next time Safari was launched.
  • FileCoder (June 2014): Although FileCoder displays a window demanding a ransom, it does not actually encrypt files and is, therefore, relatively harmless.
  • KeRanger (March 2016): Hidden within an authorized update of the Transmission BitTorrent client and signed with an authorized security certificate, KeRanger isn't blocked by macOS Gatekeeper. It encrypts files and demands one Bitcoin as a ransom. According to Macworld, “KeRanger appears to be still under active development,” and is, therefore, still an active threat.
  • Filezip, aka Patcher (February 2017): Impersonating a patcher app (an app that provides access to commercial software without the user purchasing a license), Filezip encrypted the user's files and demanded a ransom of 0.25 Bitcoin. The data could not be decrypted by Filezip, so paying the ransom was pointless.
  • Ransomware-as-a-Service (RaaS): Sold on the dark web, RaaS is a subscription-based or profit-sharing service that allows a cybercriminal to launch a ransomware attack quickly with little effort or experience.

While cybercriminals will continue to create and launch new forms of ransomware, it’s comforting to know that scary Windows ransomware like WannaCry cannot infect your Mac.

How Do I Know if My Mac is Infected with Ransomware?

That's easy!

A screen will pop up on your Mac, announcing that your files are being held hostage until you pay a ransom. The display will state how much you need to pay, the methods of payment, and the deadline by which the ransom must be paid. It may also say what will happen if you do not pay within the required time.

What Do I Do if My Mac is Infected with Ransomware?

First of all, stay calm and don't panic.

Don't be in a rush to pay the ransom until you've thought things through and done your research, including rereading this article and contacting MacUpdate Support. We’ll do our best to help resolve the situation and recover your data.

Forums that you may want to visit should include the following:

Once that's done, follow these steps:

  1. Isolate the infected device: Disconnect all infected machines from the network, irrespective of the operating system, to keep the ransomware from spreading. At the same time, disconnect all other devices from your network, including:

    • Cloud storage
    • External hard drives
    • Shared network drives
    • USB drives
  2. Identify the ransomware: Knowing the strain of ransomware infecting your computer makes it easier for you to find a solution. The ransomware could be one of the following general variants:

    • Doxware: Threatening to reveal or sell sensitive personal information unless you pay a ransom, doxing entails sending an email rather than locking your files. You can use Avast Hack Check to see if your passwords have been leaked or stolen.
    • Filecoders: Demanding a ransom before a specific time, filecoders like KeRanger or MacRansom - a RaaS - encrypt files and promise to destroy, damage, or permanently lock your data unless you pay. About 90% of ransomware are filecoders.
    • Scareware: Attempting to scare you into paying for a fake Mac malware cleaning tool you don't need, scareware uses bogus web pages, pop-up ads, or scanning applications with counterfeit results. As long as you don't click on anything, this is the easiest type of ransomware to remove.
    • Lockers: Locking your screen and preventing you from accessing your Mac until you pay the ransom, the most common type of screenlocker is the FBI/MoneyPak scam.

    To identify the type of ransomware and download a decryption solution, visit Crypto Sheriff provided by Europol's European Cybercrime Center. If the tool recognizes the ransomware based on your input or file upload, it provides a link to the decryption program.

  3. Remove the ransomware: Once you know what type of ransomware you're dealing with, you can begin to deal with it in one of the following ways:

    • Wait for it to delete itself: Once your files are encrypted, the ransomware might delete itself so as not to leave any clues that could lead to its encryption algorithm being rendered harmless.
    • Get rid of it using a tool: Use one of the tools MacUpdate users recommend. See below for a full list of free and paid tools.
    • Use a premium service to remove it: Although they probably won't be able to decrypt your files, some anti-malware or antivirus companies provide a paid service to help with ransomware removal. Contact your security software company to see whether they offer this service.
    • Remove it manually: If you are an advanced Mac user and none of the methods mentioned above work, you may want to remove the ransomware manually. Before attempting it - and only if you know what you're doing - consult the forums referred to above.
  4. Recover the encrypted files: Removing the ransomware won't restore your data, so that's the next step. Here are two options based on how good you are at looking after your system:

    • Restore from a backup: If you've been good about backing your files up, the easiest and quickest way to get back up and running is restoring your system from your latest backup. It'll get rid of the ransomware and restore your files to the last backup version.
      If you use Mac's Time Machine, you can roll back your system to its state before the ransomware attack. See Restore your Mac from a backup to see how to restore from a Time Machine backup.
    • Use decryption tools: If you don't have any recent backups, search for a decryption tool for the ransomware that infected your Mac system. As a last resort, you might also search for file recovery software such as Wondershare Data Recovery for Mac.

How Does macOS Protect Against Ransomware?

Apple includes many safeguards against ransomware within macOS. These include:

  • XProtect: A background process that scans downloaded files as part of the standard procedure for quarantining files. Apple provides regular updates with new malware definitions.
  • Gatekeeper: One of macOS' main defense mechanisms against malware, Gatekeeper makes sure that downloaded software is signed by an identified developer and verifies that it is unaltered.
  • macOS Antivirus: Apple includes built-in antivirus software that blocks and removes malware before it can affect your Mac.
  • System Integrity Protection (SIP): By restricting specific critical parts of the file system to read-only, SIP prevents execution and modification by malicious code.

For a full list of Apple's built-in security for macOS, see macOS Security: Overview for IT.

How Do I Check for Ransomware on My Mac?

While the chance of you experiencing a ransomware attack is minimal, there's no harm in taking active measures to protect yourself by boosting your Mac security.

One tool you can use is RansomWhere?. A free app that runs in background mode, RansomWhere? detects file encryption by identifying suspicious processes. Once identified, it halts the encryption process and notifies you of the threat. You choose whether to terminate the process or authorize it to run.

While some files may already have been encrypted before detection by RansomWhere?, it should be minimal compared to what might have been.
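
This kind of detection can be sketched with a common heuristic: encrypted data has near-maximal byte entropy, so a process that writes several such files in a row is suspicious. This is an added example, not RansomWhere?'s code or anything from the original article; the thresholds, process names, paths and file-write events are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.5  # bits per byte (8.0 is the maximum); assumed cut-off
MIN_SIZE = 1024          # entropy estimates on tiny files are unreliable
BURST_LIMIT = 3          # encrypted-looking files per process before flagging
# Compressed formats are high-entropy too, so their magic bytes are skipped.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b", b"\xff\xd8\xff", b"\x89PNG")

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes) -> bool:
    if len(data) < MIN_SIZE or data.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD

def flag_processes(events):
    """events: (process_name, path, bytes_written) tuples.
    Returns processes that wrote BURST_LIMIT or more encrypted-looking files."""
    hits = defaultdict(set)
    for proc, path, data in events:
        if looks_encrypted(data):
            hits[proc].add(path)
    return sorted(p for p, paths in hits.items() if len(paths) >= BURST_LIMIT)

def fake_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic random-looking bytes standing in for encrypted output."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(size // 32))

# Constructed sample events; process names and paths are hypothetical.
TEXT = b"Quarterly report: revenue was flat, costs rose slightly.\n" * 80
SAMPLE_EVENTS = [
    ("TextEdit", "/Users/a/notes.txt", TEXT),
    ("Archiver", "/Users/a/photos.zip", b"PK\x03\x04" + fake_ciphertext(b"z")),
    ("BackupTool", "/Users/a/b1.bak", fake_ciphertext(b"b1")),
    ("BackupTool", "/Users/a/b2.bak", fake_ciphertext(b"b2")),
    ("helper", "/Users/a/tax.pdf.locked", fake_ciphertext(b"1")),
    ("helper", "/Users/a/cv.doc.locked", fake_ciphertext(b"2")),
    ("helper", "/Users/a/pic.raw.locked", fake_ciphertext(b"3")),
]

if __name__ == "__main__":
    print(flag_processes(SAMPLE_EVENTS))
```

The burst limit is why a few files can be lost before an alert fires: the detector needs several encrypted-looking writes from one process before it can tell an attack from a single legitimate encrypted file.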

How Do I Protect My Mac Against Ransomware?

What are your best choices? Here are the top three ransomware tools our readers recommend:

1. Norton Security

Offering protection against both new and existing threats, Norton for Mac provides advanced, multi-layered security. It incorporates sophisticated anti-malware, anti-phishing, anti-ransomware, and anti-virus features, along with a smart firewall to safeguard your information and privacy against malicious attacks.

  • Version Reviewed: 8.1.2
  • System Requirements: OS X 10.10 Yosemite, macOS 10.12 Sierra, or higher.
  • Licensing: Subscription for one device is $79.99 per year.

2. Sophos Antivirus

Utilizing enterprise-grade endpoint protection technologies, Sophos for Mac blocks advanced cyberattacks, including exploits, malware, phishing, ransomware, and viruses. Easy to install and simple to use, the free version offers a 30-day trial of Sophos Home Premium which includes comprehensive ransomware protection.

  • Version Reviewed: 2.2.4
  • System Requirements: OS X 10.11 (El Capitan) or higher.
  • Licensing: A free version or a subscription-based version at $60/year.

3. Kaspersky

Offering real-time protection through continuous monitoring executed in the background, Kaspersky Internet Security for Mac blocks cryptolockers, malware, and viruses before they infect your hard-drive. Both Kaspersky Internet Security and Kaspersky Total Security include protection against ransomware.

  • Version Reviewed: 20
  • System Requirements: OS X 10.12 (Sierra) or higher
  • Licensing: Three subscription-based versions (Internet Security for Mac, Internet Security, and Total Security) starting at $59.95/year with a 30-day free trial.

Should I Ever Pay Ransomware?

Once a ransomware notification appears on your screen, you have a decision to make: to pay or not to pay.

While you may want to sort the problem out as quickly as possible, we recommend that you NEVER negotiate or pay your attacker.

If you're inclined to ignore that advice, here are a couple of factors to consider:

  1. Many ransomware attacks are hoaxes, so the perpetrator may not even have the decryption key.
  2. Even if the attack is genuine, paying the ransom does not guarantee that you will receive the decryption key.
  3. If you do receive a decryption key, there is no guarantee that it will work.
  4. “There is no honor among thieves,” so you may end up paying a hacker who's been hacked, with little chance of getting any decryption key, let alone one that works.

How do I Protect Myself Against Ransomware?

By simply applying good security practices, you can protect yourself against ransomware:

  1. Maintain a complete backup of critical files and data in the cloud at all times.
  2. If you back up to an external drive, always disconnect after backing up so it can't be encrypted in the event of an attack.
  3. Never open an email attachment you're not expecting.
  4. Avoid using your administrator account for day-to-day activities.
  5. Keep your browsers, operating system, and third-party software up-to-date with updates installed automatically.
  6. Secure passwords with the Mac Keychain password manager.
  7. Deactivate services that you don't use, such as AirPort or Bluetooth.
  8. Only download and install apps from recognized stores.
  9. Use an excellent anti-malware program with layered protection. It should include deep scan capabilities to detect and proactively block threats such as ransomware.

The Bottom Line

Ransomware is an unwanted risk that can proactively be avoided. Protecting your Mac is relatively easy if you follow the steps outlined above.

If you do experience a ransomware attack, remember these two things:

  1. Don't panic
  2. Don't pay

However, the best thing to do is protect your Mac upfront.

Just follow our suggestions, and you'll be just fine.
