Malware regularly makes headlines these days. Although Macs are targeted far less than Windows PCs, Mac users, especially businesses, still need to remain vigilant. A particularly serious type of malware is called “ransomware” because once it infects your computer, it encrypts all your files and holds them for ransom.
Luckily, despite the virulence of ransomware in the Windows world, where there have been major infections of CryptoWall and WannaCry, only a few pieces of ransomware have been directed at Mac users:
- The first, called FileCoder, was discovered in 2014. When security researchers looked into its code, they discovered that it was incomplete and posed no threat at the time.
- The first fully functional ransomware for the Mac appeared in 2016, called KeRanger. It hid inside an infected version of the open source Transmission BitTorrent client and was properly signed so it could circumvent Apple’s Gatekeeper protections. As many as 6500 people may have been infected by KeRanger before Apple revoked the relevant certificate and updated macOS’s XProtect anti-malware technology to block it.
- In 2017, researchers discovered another piece of ransomware, called Patcher. This purported to help users download pirated copies of Adobe Premiere and Microsoft Office 2016. According to its Bitcoin wallet, no one had paid the ransom, which was good, since it had no way of decrypting the files it had encrypted.
As more businesses and large corporates adopt the use of Macs it is likely that malware authors will release additional Mac ransomware packages in the future. We encourage all our clients to stay aware of the potential risks to their business. It’s important for everyone in the company to be informed about what to do if they discover ransomware. But above all, business owners need to have suitable protection in place to protect the business’ data.
Macs are well protected
Apple deserves its reputation for the high levels of protection it affords users. But, it’s worth understanding a few key terms and technologies. Apple’s Gatekeeper technology protects your Mac from malware by letting you launch only apps downloaded from the Mac App Store. Or those that are signed by developers who have a Developer ID from Apple. Since malware won’t come from legitimate developers (and Apple can revoke stolen signatures), Gatekeeper protects you from most malware. However, you can override Gatekeeper’s protections to run an unsigned app. Therefore, you should only do this for apps from trusted developers. Even if you never override Gatekeeper, be careful what you download.
Apple’s XProtect technology takes a more focused approach. It checks every new app against a relatively short list of known malware and preventing apps on that list from launching. Make sure you leave the “Install system data files and security updates” checkbox selected in System Preferences > App Store. That ensures that you’ll get XProtect updates. Similarly, install macOS updates and security updates soon after they’re released. This protects against newly discovered vulnerabilities that malware could exploit.
Also, consider running anti-malware software; we recommend and use Webroot Endpoint Protection.
Although regular backups with Time Machine are usually helpful, KeRanger tried to encrypt Time Machine backup files to prevent users from recovering their data that way. Similarly, a bootable duplicate updated automatically by Carbon Copy Cloner could end up replacing good files with encrypted ones from a ransomware-infected Mac. Or a future piece of ransomware could try to encrypt other mounted backup disks as well.
Backup is still critical
The best protection against ransomware is a versioned backup made to a destination that can be accessed only through the backup app, such as an Internet backup service like Backblaze or CrashPlan. The beauty of such backups is that you can restore files from before the ransomware encrypted them. Of course, it’s vital that you’re regularly checking that your backups are running as they should.
What to do if you discover ransomware
If you do find you’ve been infected with ransomware, don’t panic. And definitely don’t pay the ransom right away. Dr Logic clients should contact us straight away so we can help you work through your options. This might entail restoring from a backup or bringing files back from older cloud storage versions. There are even decryptors for some Windows ransomware packages, and such utilities might also appear if we were to see the emergence of Mac ransomware.
To reiterate, there’s no reason to worry too much about ransomware on the Mac, but it pays to make sure you’re doing all you can to keep your data safe. Make sure you’re allowing Apple’s XProtect to update. Install macOS updates promptly. And talk to an expert about having the right backup solutions in place for your business. You also need to make sure your staff are aware of the risks and there’s some useful information over on our previous blog post about Cybercrime.