#HowTo Deal with Apple Ransomware

Despite the fact that Macs are equipped with robust defenses against malicious code, some infections can get around these mechanisms. Prevention is certainly the best cure, but what to do if a harmful program such as ransomware has compromised your computer? The good news is, you should be able to recover from the attack in most cases. Complete remediation could be a challenging task, though.

Can you purge ransomware from your Mac?

If ransomware has plagued your Mac machine, don’t panic – both removal and data restoration are usually feasible, although, in some scenarios, this is easier said than done. There are ransomware strains that thwart the recovery of encrypted files unless you purchase the secret decryption key from the attackers. The increasing complexity of these raids means the victims have fewer options to reinstate their important data.

The appropriate method of troubleshooting depends on the type of Mac ransomware you are confronted with. If the FBI MoneyPak hoax has locked down Safari, you can sort out the issue by simply clearing the browser caches and history.

File-encrypting ransomware is much more dangerous because it renders data inaccessible by means of cryptography. If such an attack is underway, removing the malicious code is half the battle. The most common forms of Mac ransomware are as follows:

  • File-encrypting malware, or file coders, scramble data on your Mac by leveraging a cipher; the operators of these campaigns then instruct their targets to submit a ransom for the private decryption keys. This category accounts for roughly 90% of all ransomware onslaughts.

  • Screen lockers – the term is self-explanatory. These culprits prevent you from accessing your Mac or specific features by locking the screen or web browser. Then, they instruct the victims to pay for regaining access. The FBI MoneyPak fraud typifies this particular attack vector. Whereas screen lockers are more frequently encountered on mobile gadgets, Macs can be targeted as well.

Is Mac ransomware a serious threat?

In contrast to a widespread misconception, Mac computers are susceptible to ransomware and other types of predatory code. They used to be considered invulnerable because cyber-criminals mainly zeroed in on Windows PCs due to their larger user audience.

To its credit, macOS boasts highly effective defenses against malicious software and therefore Macs are more difficult to infect. Furthermore, notorious ransomware such as NotPetya and WannaCry simply won’t run on a Mac because they cash in on security flaws inherent to the Windows architecture.

Although Macs are less likely to get hit, relying on their native protection alone is a risky business. Mac malware authors are constantly refining their techniques and these attacks are rapidly evolving.

Determine the strain of Mac ransomware that hit your system

As soon as you have isolated the contaminated machine, the next thing is to find out which variant of ransomware you are faced with. The worst-case scenario is if you encounter species like KeRanger, which are known to utilize strong crypto to mutilate files. Unlike these file coders, screen lockers are much easier to handle.

It’s a good idea to take a shortcut by using the Crypto Sheriff service by the No More Ransom Project. This tool quickly identifies the strain of ransomware based on the ransom note and the file encryption technique used.

Also, do your homework and browse reputable tech support forums to learn more about the Mac ransomware family you have come across. Malware researchers provide the latest details in the dedicated threads so that victims can easily find out whether the data is decryptable and follow additional security recommendations to minimize the damage.

There are Mac ransomware pests that blemish encrypted files with a specific extension and drop a rescue note onto the victim’s home screen and into directories with hostage data. For instance, the FindZip ransom Trojan appends the *.crypt string to every affected file and sprinkles decryption instructions named README.txt, DECRYPT.txt, or HOW_TO_DECRYPT.txt across the breached Mac.
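The file-level indicators just described (the appended extension plus the dropped note names) are enough to triage a machine before any decryption attempt. The script below is an added example, not part of the article or any vendor tool: it walks a directory tree and reports, per strain, the encrypted files and ransom notes found. The FindZip entry uses only the extension and note names stated above; the profile table itself, the requirement that both an encrypted file and a note be present before naming a strain, and the constructed sample tree are this example's assumptions, and the table can be extended to other strains.

```python
"""Triage scan for file-level ransomware indicators (added example).
The FindZip entry is taken from the article; the PROFILES table layout,
the 'both indicators present' rule and the sample tree are assumptions."""
import os
import tempfile
from pathlib import Path

# Strain profiles: extension appended to encrypted files and ransom-note names.
PROFILES = {
    "FindZip": {
        "extension": ".crypt",
        "notes": {"README.txt", "DECRYPT.txt", "HOW_TO_DECRYPT.txt"},
    },
}


def scan_for_ransomware(root, profiles=PROFILES):
    """Walk `root`; return {strain: {"encrypted": [...], "notes": [...]}}."""
    results = {name: {"encrypted": [], "notes": []} for name in profiles}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            for name, prof in profiles.items():
                if fname.endswith(prof["extension"]):
                    results[name]["encrypted"].append(path)
                if fname in prof["notes"]:
                    results[name]["notes"].append(path)
    return results


def identify_strain(results):
    """Name the strain only if both an encrypted file and a note were seen,
    so a lone innocuous README.txt does not trigger a false alarm."""
    for name, found in results.items():
        if found["encrypted"] and found["notes"]:
            return name
    return None


def build_sample_tree():
    """Constructed sample home directory with a FindZip-style aftermath."""
    root = tempfile.mkdtemp(prefix="triage_")
    docs = Path(root, "Documents")
    docs.mkdir()
    for name in ("thesis.docx.crypt", "budget.xlsx.crypt", "HOW_TO_DECRYPT.txt"):
        Path(docs, name).touch()
    Path(root, "README.txt").touch()          # note dropped at the top level
    Path(root, "notes.txt").touch()           # harmless file, must not match
    Path(root, "Pictures").mkdir()
    Path(root, "Pictures", "photo.jpg").touch()  # untouched folder
    return root


if __name__ == "__main__":
    found = scan_for_ransomware(build_sample_tree())
    print("Likely strain:", identify_strain(found))
    for strain, hits in found.items():
        print(strain, len(hits["encrypted"]), "encrypted,", len(hits["notes"]), "notes")
```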

Eradicate ransomware from your Mac

There are several strategies you can use to get rid of the ransomware:

Wait for the offending program to uninstall itself, which is often the case - Having encrypted one’s files, some types of ransomware run certain commands to remove themselves from the host computer. From the attackers’ perspective, this is a way to prevent their code from being extensively analyzed. In-depth scrutiny may reveal loopholes potentially allowing researchers to find weak links in the encryption logic and create a recovery tool.

Use an automatic security solution for Mac - Thankfully, there are quite a few effective Mac anti-virus tools to choose from. They can identify and delete mainstream ransom Trojans in a hassle-free way. An additional benefit of using a reliable security suite is that it will safeguard your machine against emerging threats further on while stopping any unauthorized file encryption attempt in its tracks.

Remove the infection manually - This tactic is the hardest to implement and requires advanced tech skills.

Step 4: Get your data back

Ransomware removal is important but it doesn’t reverse the sketchy encryption. Peruse the methods below to try and recover your valuable files:

Restore from a backup - The easiest and most effective way of reinstating your data is to download it from backup storage unaffected by the ransomware. This technique is applicable if you have been regularly backing up your files to the cloud or external media.

Even if this isn’t the case, though, you still have a good chance of accessing your important files by means of Time Machine, a backup feature built into your Mac. Not only does it allow you to roll your operating system back to its earlier state, but it can also restore previous versions of your files from local snapshots.

Another worthwhile option is to go into your iCloud account and check it for images and documents retained by Apple apps you use. In some cases, automatic data recovery tools such as Wondershare Data Recovery for Mac might come in handy.

Leverage decryption software - Cybersecurity analysts have succeeded in cracking the cryptographic implementation of some ransomware lineages. For example, there is a free tool that decrypts files locked by the above-mentioned FindZip threat. This is the exception rather than the rule, though.

Most Mac ransomware infections in the wild cannot be decrypted for free at this point. If one of them has made a mess of your data, you have basically two options: restore the files from a backup, or wait and hope that researchers will create a recovery tool in the near future.

How to mitigate the damage from a Mac ransomware attack?

First things first, make sure you keep your data backed up. At the very least, configure the Time Machine tool to make regular automatic backups of your valuable files. As an extra layer of protection, prioritize your files and additionally keep copies of the most important ones on external media such as a thumb drive or a hard disk. Keep in mind that a decent backup strategy makes a ransomware attack futile regardless of the strain you are dealing with.
