What You Should Know about Mac Ransomware

Dec 30, 2021 | Cybersecurity

In today’s modern world, protecting your computer and the files it contains is more important than it’s ever been. For businesses in particular, a functioning computer can be the difference between staying afloat and financial ruin. If your device becomes compromised, you can lose access to scheduling, business documents, tax records and even private company information. Access to important company files is crucial for any business — and hackers know it.

That’s why it’s important to be well-educated on ransomware and how it can affect your Mac or other Apple device. Once you know what ransomware is and how it functions, you’ll be better able to protect your information from those who would use it to extort you. 

What is Mac Ransomware? 

If you work with computers on a semi-regular basis, chances are you’re familiar with the term malware. The internet is full of suspicious programs that will shut down your computer, mine your personal data or worse. However, you may not be familiar with the specific brand of malware known as ransomware. 

Ransomware is malware that activates when you download or interact with an infected link or program. Once activated, it encrypts your computer’s files, making them impossible to access without the decryption key. The user is forced to pay a fee — the titular “ransom” in ransomware — in order to get this key. Mac ransomware is ransomware specifically made to target Mac users. 

While Windows users are usually more susceptible to ransomware attacks than Mac users, Macs still aren’t completely immune. Even with their built-in security systems, it’s possible for a ransomware program to slip through. What’s more, if you’re running Windows on a Mac, your Mac will be just as vulnerable to ransomware attacks as a Windows-running PC. 

Thankfully, even with the loopholes and the advancement of modern technology, ransomware attacks on Macs are still relatively rare. The security system built into macOS by Apple makes it difficult for outside sources to encrypt your files. However, the number of successful Mac ransomware cases has been growing, and is expected to continue to grow over time. This is because ransomware, like malware and all other forms of programming, evolves and changes over time. 

Types of Mac Ransomware

Ransomware can appear in several different forms. Being able to recognize and avoid potential ransomware is the first and most important step in keeping your device safe. 

PUPs

Potentially unwanted programs (PUPs) are exactly what they sound like — programs downloaded onto your computer that you might not have wanted downloaded in the first place. These programs often come in conjunction with programs you do mean to download, with their presence explained in the user agreement — which, unfortunately, few people read in full. 

Here are a few noteworthy instances of PUPs: 

  • Bird Miner: A program meant for mining the cryptocurrency Monero. Once downloaded, the program installs a virtual machine called Qemu into the affected device. This virtual machine eats up processing power, slowing down or even crashing the computer. 
  • Lazarus programs: Malicious programs from the North Korean hacking group known as Lazarus. They usually come in the form of cryptocurrency mining apps or stock trading apps. Once downloaded, they can potentially install malicious files into the system.

As you can see, not all PUPs are ransomware. However, they are an easy avenue for ransomware to enter your device. 

Adware

Adware is software that automatically downloads advertising material while the device is active. This leads to ads popping up automatically on your screen. Malicious adware can also modify preexisting files or settings on your computer. There are several different ways adware can do this: 

  • Modified Safari: While obscuring your screen and desktop icons, the adware program installs a modified version of the Safari browser and launches it while deleting the original copy. 
  • Malicious profiles: System-configuration files installed with the profile’s command-utility line. Once installed, they lock the user out of their Safari or Google page settings, meaning you can no longer set a new search engine or change your homepage. 
  • Managed preferences: Similarly to the malicious profiles form of adware, this form alters your browser settings. However, these changes can be removed by deleting the inserted files from the Managed Preferences folder. 
  • Sudoers files: Sudoer files on your computer determine who can get root permissions. From these files, adware can set a no-password rule for certain processes, allowing instant access to them. Malicious adware can set this no-password rule to all processes, which can leave you extremely vulnerable to future malware attacks. 
  • Man-in-the-middle: This malware operates as a middleman between your device and the internet. Instead of having your signal sent directly, it first passes through the malware, meaning that it has direct access to your searches and any personal information you input. It can also inject new information into the returning signal, such as advertisements. 
  • Data collection: Data collection is an integral part of any ad campaign. Some adware collects information such as your IP address, what version of Safari you use, your username and more. Malicious adware can create a list of every application you have installed on your device and send it to the adware author. 

Once again, not all forms of adware contain ransomware. But with so much access to your device and its files, it would be all too easy for a malicious adware program to encrypt your information. 

Famous Mac Ransomware Attacks

Although Mac ransomware attacks are relatively rare when compared to ransomware attacks on other devices, there have been several notable ones over the years: 

FBI Ransom

While not technically an instance of ransomware, as the attack didn’t involve any installed malware, this virus still involved a ransom demand. Malicious links, once clicked, would redirect users to a fake FBI page and claim their browser had been locked due to criminal activity. The page would then demand a payment to unlock the computer, while making vague threats about future legal action if the demands were not met. 

Attempting to close the page would lead to a pop-up blocking the action, and shutting down the Safari only led to the page reopening once the browser was relaunched. The only way to close the page and end the problem was to either reset Safari or force quit it from the Apple menu. 

FileCoder

This ransomware code was found by researchers in 2014. The code was about two years old but had never been completed. It was made to target OS X and macOS, and while it didn’t include an encryption feature, it did have a pop-up demanding a ransom, with a discount offered if a credit card was used for payment. 

Oleg Pliss

Similar to the FBI ransom incident, this attack didn’t use true malware. Instead, a hacker going by Oleg Pliss locked users out of their iCloud accounts and linked devices using leaked passwords. Once they had control of the account, the hacker could remotely lock and unlock the devices and hold them for ransom. If the user didn’t meet demands, the hacker could even wipe the device. 

Thankfully, repeat instances of this event can be easily avoided by implementing two-factor verification on your device. 

KeRanger

This ransomware program affected over 7,000 Mac users in 2016. Users looking to download Transmission, a popular BitTorrent client, would find their files encrypted upon downloading an infected copy. It also attempted to encrypt Time Machine backups, which would have locked users out of connected backup files as well as their current copies. The ransomware was signed with an official developer certificate, so it bypassed macOS’s built-in security program. Apple soon pulled the certificate, and Transmission pulled the infected files, bringing the matter to a close. 

Patcher

Another BitTorrent-transmissable ransomware program appeared in 2017. The program was disguised as a software patch for popular apps such as Microsoft Office — ironic, considering the program itself would have benefitted from a patch update. The code was poorly written, and the hackers either failed or forgot to include a way to send their victims a decryption code once the ransom money had been sent. Once this program encrypted a device, it was encrypted permanently. 

ThiefQuest/EvilQuest

Perhaps one of the most unique examples on this list, ThiefQuest was a ransomware program that wasn’t actually ransomware at all. It first appeared in 2020 and spread through torrents and modified apps. Once downloaded, it encrypted files and uploaded a ransom note to the device. However, upon further inspection, researchers realized the program lacked the features of usual ransomware, such as the ability to distinguish where payments were coming from. Eventually, it was discovered that ThiefQuest was data-collecting malware, with the ransomware front meant as a distraction. 

How to Protect Your Company’s Apple Devices against Ransomware

With so many types of ransomware floating around the internet, you may be paranoid about your device’s safety. For business owners in particular, the fear of losing their company’s information to ransomware is a valid one. Losing access to important files can send your business grinding to a halt, and even if you can afford the ransom, that’s no guarantee you’ll get your files back. 

Fortunately, there are several steps you can take to ensure the safety of your company’s devices: 

  • Keep your software updated: Out-of-date apps have less protection against malware than their full-updated counterparts. Make sure to keep both your operating systems and the apps you use fully updated at all times. 
  • Install carefully: An easy way to get any malware on your device is to open suspicious links or download unknown programs. Only install apps from places you trust, such as official websites or the Apple store, in order to avoid PUPs bundled with torrented programs. If you receive emails with suspicious links, even if they’re from an email you recognize, don’t open them. 
  • Back Up frequently: Backing up your information is a safe practice regardless of circumstances. Make sure to regularly back up your information and store it somewhere secure. It’s possible for ransomware to encrypt backups that are connected to your device, so it’s important to keep a separate copy. 
  • Install an antivirus program: A good antivirus program will stop you from downloading most ransomware. Make sure your device is equipped with one. 
  • Consider a ransomware program: The free RansomWhere? app runs on your computer and checks for rapid file encryption. If it detects encryption in line with a ransomware attack, it halts the process and alerts the user. Some files may still be encrypted, however. 

If you’re still unsure about the safety of your device, consider getting a professional consultation. Pickorchard offers consultations to assess your business’s network, pinpoint any weak spots, remove old accounts and trojan programs, and make sure your devices are up-to-date. 

Even after taking these steps, it’s possible that a ransomware program could slip into your computer. If it does, here are the steps you can take to salvage the situation: 

  • Disconnect from storage: Once you see your files becoming encrypted, remove any external hard drives, disconnect from any network shares, and make sure your device isn’t connected to any other removable storage devices. This prevents the information saved there from becoming encrypted too. 
  • Don’t pay: As shown in the Patcher case, some ransomware programmers are unable to send you a decryption key once you’ve paid the ransom. Others can, but will simply take your money and leave — after all, they’re under no legal obligation to help you. Losing money and still not getting your files back adds insult to injury, so even if your first instinct is to pay the ransom, don’t. 
  • Uninstall: If you know what file caused the encryption and it’s possible for you to delete it, do so. 
  • Deep scan: If the ransomware plaguing you is a known variant, it may be possible to remove it. Make sure you’re running the latest version of a Mac-compatible antivirus program, such Bitdefender Virus Scanner or AVG Antivirus for Mac. Use the program to run a Deep Scan on your device and remove the ransomware. 
  • Restore files: This is where your backups come in handy. Currently, there isn’t much a Mac user can do to decrypt their files without a key, so the best way to restore the files is to upload them from your backup. Be sure to only do this if the ransomware is gone — otherwise, the program will simply encrypt your backups. 

If you require further assistance in removing the ransomware and recovering your files, Pickorchard offers crisis response guidance as well as help desk support. 

Conclusion

It’s more important than ever that business owners are able to protect their information. Even with the built-in security offered by Apple products, ransomware can slip by and render your files unreachable. Be careful what you download and make sure to keep your device fully updated at all times. If you do become infected, keep calm, don’t pay and make sure the ransomware is gone from your device before restoring your information from backups. 

If you’re still unsure how to protect your Apple products or what to do if your device does get locked, consider contacting Pickorchard. We offer Apple IT services — specifically Apple device management — to any businesses using Apple products.