Macs and Ransomware

While ransomware on Windows has been a growing concern for many years now, ransomware on Macs is a recent phenomenon.

Before we delve into the specifics of Mac ransomware, let’s briefly go over how it works. Ransomware is a type of malware that encrypts your files without your permission, and then demands a ransom – often in cryptocurrency such as Bitcoin – in exchange for the decryption key. Over recent years there have been several notable ransomware attacks, including WannaCry, Petya and DoppelPaymer, to name a few. WannaCry affected organisations including NHS England in 2017, where unpatched and out-of-date Windows systems (some still running Windows XP) were exposed to a worm that spread through a vulnerability in Windows’ SMB file-sharing service. Another major attack, the Petya variant now usually called NotPetya, hit just months later in June 2017; it spread through the same Windows vulnerability, alongside stolen credentials. Both of these devastating attacks only affected machines running Windows.

While Macs are targeted by ransomware far less often – the first Mac ransomware only appeared in 2016 – that doesn’t mean they are immune. Although still rare, Mac ransomware is out there, so it’s important to stay vigilant. In 2016, the KeRanger ransomware appeared. Distributed through a compromised installer for the Transmission BitTorrent client, KeRanger was the first fully functional example of Mac ransomware. Because KeRanger was signed with a valid Apple Developer ID certificate, it wasn’t blocked by macOS’s built-in security check, Gatekeeper: Gatekeeper checks that an app is signed by a developer Apple recognises, not that it is signed by the developer you expected. The ransomware encrypts the victim’s files and leaves a .txt file with the ransom demand, payable in Bitcoin. Thanks to fast action by Apple, which revoked the signing certificate, it was halted before it became a serious threat – but it showed that Macs are susceptible to ransomware too. In 2017, the Filezip ransomware appeared. Masquerading as “cracks” – tools to illegally patch software such as Microsoft Office – the ransomware encrypts the unsuspecting victim’s files. What makes this ransomware particularly troublesome is that the key used to encrypt the victim’s data is never uploaded to a server, so even if the ransom is paid, no decryption key can be provided; the only way to get the data back is to restore it from a backup.

In recent weeks, the ThiefQuest ransomware (also known as EvilQuest) has also come to light. As well as being ransomware, ThiefQuest has a whole host of spyware capabilities, including keylogging, which lets attackers capture details such as passwords and credit card numbers as the infected user types them. Like Filezip, ThiefQuest disguises itself as pirated software on torrent websites. It’s believed that the ransomware capabilities are secondary, and may not even be particularly effective. Nonetheless, this new Mac malware highlights the dangers of ransomware. Researchers have noted that ThiefQuest won’t run if it detects security software on the system.

To protect your Mac from ransomware, only download installers from trusted sources, check that a downloaded app is signed by the developer you expect rather than merely signed by somebody, and be especially wary of cracks that claim to provide expensive software for free. Be careful when opening email attachments, as this is another common way for attackers to compromise your system. Keep regular backups (for example with Time Machine) on a drive or service that is not permanently connected, since for ransomware like Filezip a backup is the only way to get your files back. Finally, keep an up-to-date antivirus tool installed and keep macOS itself updated, so that Apple’s own malware signatures and certificate revocations reach your machine.
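The KeRanger case above is the reason a plain Gatekeeper pass is not enough: the app was signed with a valid Developer ID, so Gatekeeper let it through. A practical check is to pin the developer’s Team ID and compare it against what `codesign` reports. The script below is an added example, not code from the original article or from Apple; the Team IDs and the sample `codesign` output are constructed placeholders, and `verify_app` only does real work on a Mac where `codesign` and `spctl` exist.

```shell
#!/bin/sh
# Added example (not from the original article): verify that a downloaded
# macOS app is signed by the Team ID you expect, not merely "signed by
# somebody". Team IDs and sample outputs below are constructed placeholders.

# Extract the TeamIdentifier value from `codesign -dv --verbose=4` output
# (codesign writes these details to stderr; the caller captures 2>&1).
team_id_from_codesign_output() {
    printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Succeed only if the Team ID in the codesign output equals the expected one.
# "not set" is what codesign prints for ad-hoc signed or unsigned binaries.
team_id_matches() {
    expected="$1"
    actual=$(team_id_from_codesign_output "$2")
    if [ -n "$actual" ] && [ "$actual" != "not set" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    return 1
}

# On a real Mac: Gatekeeper assessment, signature validity, then Team ID pin.
# Returns non-zero on any failure so it can gate an install step.
verify_app() {
    app="$1"; expected_team="$2"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available (not macOS?)" >&2; return 2
    fi
    spctl --assess --type execute "$app" || { echo "Gatekeeper rejects $app" >&2; return 1; }
    codesign --verify --deep --strict "$app" || { echo "signature invalid on $app" >&2; return 1; }
    out=$(codesign -dv --verbose=4 "$app" 2>&1)
    if ! team_id_matches "$expected_team" "$out"; then
        echo "Team ID mismatch: expected $expected_team, got '$(team_id_from_codesign_output "$out")'" >&2
        return 1
    fi
    echo "$app: signed by expected team $expected_team"
}

# Constructed sample output shaped like codesign's, for offline demonstration.
GOOD_SAMPLE='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Validly signed, but by a different developer: the KeRanger-style case that
# Gatekeeper alone would accept.
BAD_SAMPLE='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Someone Else (ZZZZZ99999)
TeamIdentifier=ZZZZZ99999'

ADHOC_SAMPLE='Executable=/tmp/build/Example
Identifier=Example
Signature=adhoc
TeamIdentifier=not set'

if [ "${1:-}" = "--demo" ]; then
    team_id_matches ABCDE12345 "$GOOD_SAMPLE" && echo "good sample: Team ID matches"
    team_id_matches ABCDE12345 "$BAD_SAMPLE" || echo "bad sample: valid signature, wrong Team ID"
    team_id_matches ABCDE12345 "$ADHOC_SAMPLE" || echo "ad-hoc sample: no Team ID"
elif [ $# -eq 2 ]; then
    verify_app "$1" "$2"
fi
```

Run it as `sh verify_app.sh --demo` to see the three constructed cases, or `sh verify_app.sh /Applications/Transmission.app TEAMID` on a Mac, where TEAMID is the Team ID published by the developer (it appears in the `Authority=` line of their genuine releases). The point of the pin is that a revoked or swapped certificate shows up as a different Team ID even when every other check passes.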
