Many of the most prolific ransomware attacks to hit the news, such as Wannacry and Petya in 2017, affected PC users only. The distinct absence of Apple computers in the long list of victims has many Mac users wondering if ransomware attacks are a cyber threat they need to worry about.
Can ransomware affect Macs? Short answer: Yes. While rare, security researchers have noted examples of Mac-compatible ransomware variants.
This post explores how ransomware affects Macs and other Apple devices, and how you can stay protected.
What is Ransomware?
Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware spreads through phishing emails, malvertising, visiting infected websites, or exploited vulnerabilities.
Ransomware attacks cause downtime, data leaks, intellectual property theft, and data breaches.
Hackers usually demand ransom payments in cryptocurrency, like Bitcoin, usually ranging from a few hundred to hundreds of thousands of dollars.
Learn more about how ransomware works.
Mac Ransomware Examples
Below are some known examples of Mac ransomware. Unlike PC ransomware attacks, none of these attacks have resulted in a significant outbreak.
FBI Scam (July 2013)
Windows users have long suffered from FBI scams in their web browsers. Pop-up alerts purporting to be the authority demanded money in exchange for “unlocking” the user’s browser.
Apple remained relatively untouched by this amateur ransomware attempt until Apple users began reporting a similar issue in Safari. Unsuspecting Safari users who landed on the imposter FBI webpage became unable to navigate elsewhere, even after force-quitting the browser.
FileCoder (June 2014)
Security researchers discovered FileCoder with a malware scanner, but its origins remain unknown. The malware poses as cracking tool for Adobe and Microsoft Office products for Mac computers. FileCoder doesn't currently encrypt any files aside from the files it installs itself as the attacker never completed the ransomware.
The site demanded payment of a $300 “fine” to restore Safari’s operations. Apple promptly updated its operating systems to provide better protection against future web-based ransomware attempts.
Gopher (September 2015)
A malware researcher created Gopher as a proof of concept to show how easily the originally Windows-based ransomware could operate on Mac OS X via C code lines and an external crypto library. Gopher typically spreads via spam emails, email attachments, corrupted websites, and software installers.
Mabouia (November 2015)
Mabouia is another proof of concept created by a security researcher to prove the high possibility of ransomware attacks on Macs. Mabouia uses C++ code and can encrypt user files with 32 rounds of the XTEA cryptographic algorithm.
KeRanger (March 2016)
Palo Alto Networks discovered trojan horse ransomware KeRanger via a compromised installer for Transmission, a BitTorrent client. KeRangers disguised as a .rtf file that infects Mac OS devices once executed. The ransomware infects all files, placing a “readme_to_decrypt.txt” file in each folder.
The text file informed victims of the attacker’s demands, with instructions on receiving a decryption key from the attacker – usually a ransom payment of 1 BitCoin. As KeRanger used a legitimate Apple security signature, the ransomware was able to infect almost 7,000 Mac users before the company stepped in and revoked certification.
Patcher (February 2017)
Patcher was first discovered by internet security company ESET, posing as a cracking tool for Adobe Premiere Pro CC and Microsoft Office for Mac on BitTorrent sites. Once launched, the ransomware encrypts all of a user's files and places a .txt doc in each encrypted folder demanding 0.25 BitCoin.
Paying the ransom is redundant as FileCoder does not provide a decryption key. FileZip does not hold Apple certification, preventing it from opening on Mac OS devices by default.
ThiefQuest (June 2020)
Antivirus software company Malwarebytes became aware of malware found in pirated copies of the Mac OS application Little Snitch and software Mixed In Key 8, available on a Russian torrent forum called Rutracker. The Mixed in Key installer’s ransomware was able to successfully encrypt some settings files and other data files, such as the keychain files.
How Does Apple Prevent Ransomware on Macs?
Apple has included many built-in threat intelligence processes to improve Mac security against malware, including three layers of defense.
Mac OS uses the following cybersecurity mechanisms to provide this defense:
- XProtect: Anti-malware software
- Gatekeeper: Software verification functionality
- Notarization: Malware scanning service
The three layers of defense and their respective mechanisms are listed below.
- Preventing the launch and execution of malware attacks: App Store, or Gatekeeper combined with Notarization.
- Blocking malware from running on user systems: Gatekeeper, Notarization, and XProtect.
- Remediating executed malware: XProtect.
Learn more about Mac’s malware protection.
Can Other Apple Devices Get Ransomware?
iPhones and iPads are also at risk of ransomware. A modern type of cyberattack called iCloud hijacking occurs when a hacker reuses compromised passwords from a wide-scale data breach. The first instance of iCloud hijacking, Oleg Pliss, appeared in 2014.
The hacker used stolen passwords to gain unauthorized access to Apple users’ iCloud accounts. Once signed in, they immediately changed the passwords. Using the Find My iPhone app, the hacker remotely blocked access to the iOS devices before demanding a ransom to restore access.
While not an attack directly tied to Apple’s security measures, Oleg Pliss highlights the need for organizations to effectively manage their third-party risk to prevent future data breaches. In September 2020, Apple released a Security Recommendations feature that detects saved passwords that have been compromised in a data leak.
Learn more about Apple’s Security Recommendations feature.
How to Protect Your Apple Device From Ransomware in 2022
From the examples above, it’s clear that Apple users should also take their own defensive measures to prevent ransomware infection. Even though there have not yet been any Mac ransomware attacks as severe as those on PCs, the threat is still very real and could emerge at any time.
Here’s some tips to protect against malware on your Mac and other Apple devices, including iPads and iPhones:
1. Use Reputable Software
Most of the ransomware attacks on Macs have been through torrenting sites offering free versions of commercial software. Pirated software is an easy attack vector for cybercriminals, as they don’t require a verification process and anyone can upload it.
Downloading pirated software is illegal and could easily prove much more costly than purchasing the official version if it’s infected with ransomware or another type of malware – which it likely is.
2. Keep Your Devices and Apps Updated
Keeping your Apple device and installed apps up to date ensures that they have security patches for any identified vulnerabilities. Installing these updates as soon as possible is crucial to ensuring your device doesn’t become infected by a zero-day – an easy entry point for hackers. Apple devices enable automatic software updates, making the process much more convenient.
Learn how to enable automatic updates in Mac OS.
Learn how to enable automatic updates in iOS.
3. Use Official Software Sites Only
If you need to update your software, only use the official site. Ignore unexpected browser pop-ups prompting you to update your software – the official provider will usually update you in-app or via system alerts. You can also check for updates on the provider’s update page.
Double-check the website’s URL in the address bar before downloading anything. Hackers often use similar web addresses to official sites to trick unsuspecting users – a technique called typosquatting.
Learn more about typosquatting.
4. Perform Regular Backups
If you’re infected by ransomware, it’s highly advised not to pay the ransom as there’s no guarantee the attacker will provide a decryption key. There are many free decryption tools available for well-known PC ransomware variants. However, these are not as readily available for Macs or other Apple devices. The lack of sophisticated Mac OS ransomware means that identifying a decryption method could prove more difficult for security experts.
Instead of relying on a decryption tool alone, you should back up your data regularly. If you fall victim to ransomware, it’s best to completely wipe your system and perform a backup from a date before the attack.
Learn a strategy for obfuscating ransomware attack attempts.
5. Secure Your Internet Connection
Hackers can use specialized tools and techniques to intercept internet traffic – this is especially easy to do over public wi-fi networks. Securing your internet connection provides an added layer of protection when sharing sensitive information over the web, restricting ransomware attacks from gaining entry through compromised passwords.
Only use HTTPS sites. HTTP sites run on unsecured connections, which means hackers can eavesdrop on all incoming and outgoing traffic. For example, if you enter your password on an unsecured site, a cybercriminal can easily steal your login credentials and hold your account for ransom. You should only browse HTTPS sites, which require SSL certification, enabling encrypted connections and greater data security.
Use a Virtual Private Network (VPN). A VPN adds an extra layer of protection for internet users by encrypting all sent and received data. VPNs also conceal users’ IP addresses and other personal data, further anonymizing all incoming and outgoing traffic.
6. Use Additional Authentication
Many online account services now offer two-factor authentication (2FA) and multi-factor authentication (MFA). They provide extra security by requiring two or more types of authentication before allowing access to user data.
Learn how to set up 2FA on Mac OS and iOS devices.
7. Learn the Warning Signs
Gaining awareness of common tactics used to inject ransomware is the first line of defense against a cyberattack. You can learn about popular attack vectors, like email phishing scams and malware-infected pop-ups, through online tutorials.
