An Apple Admin’s Guide to Mac Ransomware

Ransomware is a class of malware that uses encryption to hold a target’s files (or even their whole system) hostage until they agree to pay to have them released.

A typical ransomware payload begins encrypting files the moment it runs: it generates a unique encryption key for that device, sends the key to a server the attacker controls, and encrypts the victim's files with it. Once that process is finished, and assuming the malware author didn't botch the encryption, the victim has no way of reading those files without getting the key back from the attacker.

This is not new. The basic idea was first described by a pair of researchers at Columbia in 1996, in a paper partly inspired by the facehuggers from the film Alien. Yet ransomware only really became something IT admins routinely dealt with in 2012. That's the year Bitcoin had its first big spike in adoption, and the year cybercriminals discovered that cryptocurrencies were an ideal way to collect ransom safely. Traditional digital payments could be reversed through a chargeback, which made them useless for this purpose: the victim could simply reverse the charge once they had the key to their files. Cryptocurrency payments, on the other hand, are usually irreversible.

In the PC world, ransomware has become a big problem and is still growing: the security firm SonicWall reported that it shot up 229% last year. The canonical example of Windows ransomware is the aptly named WannaCry, which hit 200,000 computers in 150 countries in 2017 and caused an estimated $4 billion in damages.

In the Apple world, you probably have not had to deal with ransomware yet. But given the scale of the attacks—and the associated media feeding-frenzy around them—you might find yourself fielding questions from your boss about the company’s exposure to ransomware and what can be done about it. It doesn’t hurt to have an answer. As Apple devices continue to grow their market share within the enterprise, they’re only going to become a more attractive target. Even if ransomware seems like a remote threat now, it might not stay that way.

So here’s a little guide to ransomware attacks in the Apple universe, including one attack that’s not technically ransomware but which you’re statistically more likely to encounter. Hopefully it helps you set people’s minds at ease.

How big a problem is ransomware on Macs?

First off, a sanity check: How scared should Apple admins be about ransomware?

The answer: Not especially.

Although it's a myth that Macs are immune to malware, malware is far less common on Apple devices than on PCs. That is mostly a matter of market share: the Windows install base is so much larger that writing malware for it is far more lucrative.

Within the comparatively small world of Mac malware, ransomware is smaller still. The first true ransomware attack against an Apple device didn’t happen until 2016, and it was tiny compared to the world-spanning threats that grab headlines in the PC world.

That said, rare does not mean non-existent. Mac ransomware does exist, and it’s quite possible it might find its way onto your machines. It might even cause more trouble for you than it would for the average Windows admin if you’re not used to dealing with it. So while it’s not something to freak out about, you should be aware of the kinds of attacks you might face and have a strategy for stopping them.

Examples of Mac Ransomware

FileCoder (2014)

FileCoder was the first example of Mac-specific ransomware observed by security researchers. It turned up in an unfinished state, and there's no indication it was ever completed or released into the wild. It seemed to be more of a proof of concept than anything, and what little buzz it generated in the security community quickly dissipated when the flood of Mac ransomware it seemed to herald never materialized.

KeRanger (2016)

KeRanger was the first real macOS ransomware attack, infecting about 7,000 machines in 2016.

It's a good illustration of the obstacles malware in general faces on Macs. Because Gatekeeper expects developers to cryptographically sign their software before it will run without warnings, it is harder to distribute the kind of dodgy downloads used to camouflage malware.

The people behind KeRanger got around this by compromising the download site of a legitimate app, Transmission, a popular BitTorrent client, and replacing the installer with a trojanized copy signed with a valid Apple developer certificate. Anyone who downloaded Transmission from the developer's website during that window got KeRanger along with it; after a three-day delay, the malware began encrypting their files.

Yet having a single distribution point like this limited the possible scale of the attack: the Transmission developers found and removed the tainted installer within days, and Apple revoked the certificate used to sign it and updated its XProtect anti-malware definitions to block it. If Apple moves to require notarization for all apps in future versions of macOS, as it is expected to do, this kind of hijacking will only get harder.

Although the initial attack didn't get very far, KeRanger lives on in that variations on it are still the most common Mac ransomware encountered in the wild. Many of these are broken in such a way that they never escrow the encryption key anywhere, meaning they simply mangle the files they seek to ransom, with no way to recover them even if the victim pays. The good news is that they're also unlikely to work at all, especially if your OS is up to date.

Patcher (2017)

Patcher is the most recent notable macOS ransomware variant to spread in the wild, and it's mostly notable for how shoddily it was put together. It started showing up on BitTorrent networks in 2017, masquerading as a cracking utility ("patcher") for Adobe Premiere Pro and Microsoft Office.

Once run, Patcher displayed a bogus progress bar to distract the target while it went about encrypting their files. There was just one problem: whoever wrote it neglected to include any code to send the key to a command and control server, so there was no way to recover the files once they were encrypted, not even for the attacker. It also tried a couple of other things that failed because of typos in its source code. All in all, it was not a very successful attack: there's no indication that anyone ever paid anything to the bitcoin address given for the ransom.

Ransomware that isn’t: Remote Lock Attacks

There is one class of "ransomware" attack that bears mentioning here, even though it doesn't technically qualify: a remote lock attack through iCloud and Find My Mac.

The reason this isn't technically ransomware is that there's no malware involved. Instead, attackers use stolen credentials to log in to a target's iCloud account and then use Find My Mac to remotely lock their device. The attacker then contacts the target and offers them the PIN needed to unlock the device in exchange for money.

In most cases, the attacker obtained the target's login details from a third-party data breach and then got into their iCloud account through a credential stuffing attack, which works because the same password was reused on both services. So if we're splitting hairs, this is a password security failure, not a ransomware attack.

How do you know this is what you're dealing with? You'll see a screen like this:

[Image: a Mac locked remotely through Find My Mac. Source: MacRumors]

This is by far the most common type of "ransomware" attack a Mac user might encounter. Fortunately, it's largely avoidable by following password security best practices. It's also simpler to deal with than a real ransomware attack, because the attacker does not have sole control over unlocking the device. Assuming you have a record of purchasing the device, you can go through Apple Support to reset the iCloud credentials and reclaim it. This can be a time sink and is probably going to be very, very annoying, but it's also free.

If the device is enrolled in User-Approved MDM, recovery is even easier, because you can simply send an MDM command to unlock it.

Protecting yourself from Mac ransomware

Even if ransomware is not the most pressing threat you have to think about, an ounce of prevention goes a long way. Fortunately, the things you should do to protect yourself from it are ALSO things you should be doing anyway for more general security:

  • Practice good password security. This is Exhibit A for things you should be doing anyway: good password security is too important and too easy to ignore. It matters especially for the remote lock attack above, because it doesn't take much (two-factor authentication on the Apple ID, and never reusing passwords) to make that attack far less likely.
  • Keep your OS up to date. Again, this is just good practice, because staying on the most up-to-date OS is the only way to be eligible for every security patch; n-2 support is a myth. And since new ransomware variants appear at a comparatively sluggish pace in the Mac ecosystem, staying up to date is even more effective against ransomware than it is against malware in general.
  • Manage your devices through an MDM provider. This helps with general security, but it also provides an easier path to remediation if a device is targeted by a remote lock attack.
  • Maintain backups with Time Machine. For the most part, Mac ransomware doesn't deny access to the entire device, but rather to specific files and folders that are easily restored from a Time Machine backup. This isn't universal, of course: it is certainly possible for ransomware to also delete or encrypt Time Machine backups. Yet to date none of the major variants encountered have done this, perhaps a symptom of the lower sophistication of Mac ransomware compared with its Windows counterparts. Cloud backups, which the malware cannot reach from the infected machine, provide an even greater level of protection.

If you do get attacked: dealing with Mac ransomware

Uncommon as Mac ransomware is, and even with good security practices in place, there's still a remote possibility that it somehow shows up on one of your devices. Sometimes you're just unlucky.

If so, there’s just a few points to keep in mind:

  • Don't pay. Paying someone to unlock your files is generally a bad idea and should be seen as an absolute last resort. That goes for paying the attacker, obviously, but it also goes for the various third-party vendors that promise to recover files lost to ransomware. Although in some cases it is possible to recover files without the key if the encryption was poorly implemented, many of these companies simply pay the ransom on your behalf, making them little more than costly middlemen.
  • Block the ransomware to prevent it from spreading. No Mac ransomware encountered to date has been able to propagate itself, but there's no reason to take chances. Even without self-propagation, there's a good possibility that other users could inadvertently infect themselves through whatever vector it arrived by in the first place. Blocking a binary is often something you can do through your MDM provider; Fleetsmith, for example, lets you block binaries at the kernel level in a couple of clicks.
  • Restore the files from backup. As mentioned earlier, in many cases Mac ransomware ignores Time Machine backups, so check whether your backups are untouched before you consider other options. If your Time Machine snapshots are intact, you should be able to restore the affected files without paying.
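A first-pass triage script for the steps above, added here as an example and not code from Fleetsmith or Apple. It does two things: it walks a directory looking for files that look like ransomware output, using the fact noted at the start of the guide that properly encrypted data is statistically random (near 8 bits of entropy per byte, where plain text sits around 4 to 5), and it parses `tmutil listbackups` output to check whether the newest Time Machine snapshot predates the first encrypted write, which is the "are my backups untouched?" question. The marker extensions are assumptions based on public reports of the variants above (KeRanger appending `.encrypted`, Patcher `.crypt`), the entropy threshold is a judgment call, and the victim directory, file contents and `tmutil` output are constructed inline so the script runs off a Mac; `design-mbp` is an assumed hostname.

```python
"""Triage a suspected Mac ransomware incident: find encrypted-looking files,
then check whether the newest Time Machine snapshot predates the first one.
Added example for this guide, not Fleetsmith's or Apple's code."""
import math
import os
import re
import tempfile
from collections import Counter
from datetime import datetime

# Marker extensions appended by the variants discussed above (assumed values:
# KeRanger is reported to use ".encrypted", Patcher ".crypt").
RANSOM_EXTENSIONS = (".encrypted", ".crypt")
# Ciphertext is statistically random, close to 8 bits per byte; text sits near
# 4-5 bits. Compressed formats also score high, so they are allowlisted by magic
# number (zip/docx, JPEG, PNG, gzip) and the marker extension is a second signal.
HIGH_ENTROPY = 7.5
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"\x1f\x8b")
SAMPLE_BYTES = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> dict:
    """Score one file; 'suspicious' means it looks like ransomware output."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    entropy = shannon_entropy(head)
    marker = path.lower().endswith(RANSOM_EXTENSIONS)
    looks_compressed = head.startswith(COMPRESSED_MAGIC)
    return {
        "path": path,
        "entropy": round(entropy, 2),
        "mtime": datetime.fromtimestamp(os.path.getmtime(path)),
        # A renamed file is a strong signal; high entropy alone catches files
        # encrypted in place but deserves manual confirmation.
        "suspicious": marker or (entropy >= HIGH_ENTROPY and not looks_compressed),
    }


def scan_tree(root: str) -> list:
    """Walk a directory and return suspicious files, earliest modification first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            try:
                info = classify_file(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable (permissions) or vanished mid-scan
            if info["suspicious"]:
                hits.append(info)
    return sorted(hits, key=lambda h: h["mtime"])


# Snapshot directories are named YYYY-MM-DD-HHMMSS on both HFS+ and APFS
# Time Machine destinations, so one pattern covers both layouts.
BACKUP_STAMP = re.compile(r"(\d{4}-\d{2}-\d{2}-\d{6})")


def latest_backup(tmutil_listbackups_output: str):
    """Newest snapshot timestamp found in `tmutil listbackups` output, or None."""
    stamps = [datetime.strptime(m, "%Y-%m-%d-%H%M%S")
              for m in BACKUP_STAMP.findall(tmutil_listbackups_output)]
    return max(stamps) if stamps else None


def restore_verdict(hits: list, last_backup) -> str:
    """The newest snapshot is only safe to restore from if it predates the first encrypted write."""
    if last_backup is None:
        return "no backup found"
    if not hits:
        return "no encrypted files found"
    first_write = min(h["mtime"] for h in hits)
    if last_backup < first_write:
        return "restore"
    return "newest snapshot may already contain encrypted files; use an older one"


def demo() -> dict:
    """Constructed victim directory plus constructed tmutil output, end to end."""
    root = tempfile.mkdtemp(prefix="triage-")
    files = {
        "notes.txt": b"quarterly planning notes " * 200,  # plain text, low entropy
        "photo.jpg": b"\xff\xd8\xff" + os.urandom(8192),  # compressed media, allowlisted
        "budget.xlsx.encrypted": os.urandom(8192),        # KeRanger-style rename
        "report.docx": os.urandom(8192),                  # encrypted in place, no rename
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    # Constructed `tmutil listbackups` output; "design-mbp" is an assumed hostname.
    tmutil_out = ("/Volumes/Backup/Backups.backupdb/design-mbp/2019-02-27-090000\n"
                  "/Volumes/Backup/Backups.backupdb/design-mbp/2019-03-01-120000\n")
    hits = scan_tree(root)
    last = latest_backup(tmutil_out)
    return {"hits": sorted(os.path.basename(h["path"]) for h in hits),
            "last_backup": last,
            "verdict": restore_verdict(hits, last)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real machine, point `scan_tree` at the user's home directory and feed the actual output of `tmutil listbackups` to `latest_backup`. The timestamp check only tells you the snapshot was taken before the encryption started; since the guide notes that ransomware could in principle target the backup itself, confirm the snapshot's contents (for example with `tmutil compare`, or by hashing a few restored files against known-good copies) before relying on it. Expect some high-entropy false positives from formats the small magic-number allowlist does not cover, such as encrypted disk images or password-protected archives; the marker extension hits are the ones to act on first.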

Ransomware may not be a huge concern for you at the moment, but an ounce of preparation beats a ton of regret. Armed with a little knowledge, a good security culture, and strong security practices, you should be ready to respond if it becomes a problem.
