How to remove Mac ransomware
With the outbreak of WannaCry crippling the world’s computers in May 2017 and the Petya ransomware attack at the end of June 2017, Mac users might be wondering what they can do to protect themselves from ransomware, and how to fix things if they get hit. Here’s everything you need to know about detecting, avoiding and removing ransomware on Macs.
This is one of several in-depth Macworld articles dealing with Mac security. If you’re looking for AV buying advice, read our roundup of the Best Mac antivirus and Do Macs get viruses?; general advice can be found in our Mac security tips; and those who have been hit by a virus should try How to remove Mac viruses.
What is ransomware?
Ransomware is a type of malware attack where your personal files are encrypted against your wishes, before a ‘ransom demand’ tells you to pay a fee if you want to get the files decrypted again.
Although at the time of writing there hasn’t been a serious ransomware outbreak on the Mac (or any Apple hardware), security researchers reckon it’s a real possibility. For example, security researchers have found Mac-specific lines of code within Windows ransomware, which indicates that the bad guys are at least considering the possibility.
Speaking on CNBC’s ‘Squawk Box’ programme in the wake of the famous WannaCry ransomware attack, Aleksandr Yampolskiy, CEO of SecurityScorecard, insisted that Apple users are vulnerable to WannaCry-type attacks, even if that specific event affected Windows systems only.
“It happens that this attack is targeting the Windows computers,” he said. “But Apple is absolutely vulnerable to similar types of attacks.”
Help! My Mac has been infected by ransomware!
Very well: let’s hypothetically assume you’ve been infected. What should you do?
Take your time and avoid kneejerk reactions.
Use a malware scanner like the free Bitdefender Virus Scanner to search for the ransomware and remove it.
It’s unlikely you’ll be the only person affected by the ransomware so keep an eye on sites like Macworld to learn more about the nature of the ransomware infection. You’ll very likely find specific instructions on how to clean up the infection, if a virus scanner isn’t able to do so.
You might find that a security researcher has found a way to decrypt your files for free, as happened with the most recent of the handful of ransomware infections that have been identified on the Mac.
As you’ll see later when we examine the handful of existing ransomware outbreaks affecting the Mac, there’s a good chance paying up won’t actually recover your files!
Unplug and disconnect storage
The one example of effective ransomware seen on a Mac so far – KeRanger – also attempted to encrypt Time Machine backups, to try to make it impossible for the user to simply restore files from a backup.
Therefore, upon discovering your Mac has been infected by ransomware you should minimise the possibility of backups becoming encrypted too by immediately unplugging any removable storage like external hard disks, and disconnecting from any network shares by clicking the eject icon alongside their entries in the sidebar of Finder.
Are Macs affected by WannaCry?
Put simply, no. WannaCry takes advantage of a bug in Microsoft Windows’ network file sharing system, a technology called SMB. Once WannaCry gets onto a single computer on the network – usually because an individual opened a rogue email attachment – it then uses a bug in SMB to inject itself into all other computers on the network that haven’t been patched.
Macs also use SMB as the default network file sharing technology, so you might initially think Macs could be affected too. However, Apple uses its own bespoke implementation of SMB. While this is fully compatible with Microsoft’s version, it doesn’t suffer from the same bugs or security holes, so isn’t affected by WannaCry – or at least not in WannaCry’s current manifestation.
The iPhone, iPad, Apple TV and even the Apple Watch don’t use SMB file sharing, so aren’t even theoretically at risk from WannaCry.
What is Petya and are Macs affected?
Petya is another ransomware attack, similar to WannaCry, that struck computers in Europe and the US at the end of June 2017.
Petya hit some large firms, and like the earlier WannaCry ransomware attack that affected the NHS in the UK, it spread rapidly to Windows computers on the same network.
Computers are infected due to a vulnerability in Windows for which Microsoft has released a patch.
Most of the antivirus companies have updated their software to protect against Petya.
The Petya ransomware demands that $300 in Bitcoins be paid as the ransom in order to regain access to the computer. However, the perpetrators are thought to be amateurs as the ransom note gives the same Bitcoin address for every victim and only one email address is provided for correspondence – which has of course already been shut down.
The attack may have been targeted at the Ukrainian government rather than as a means to make money.
How do I protect my Mac against ransomware?
There are several things you can do to protect your Mac against ransomware:
Consider installing the RansomWhere? app. This free app runs in the background and watches for any activity that resembles the rampant encrypting of files, such as that which takes place during a ransomware attack. It then halts the process and tells you what’s happening. Okay, so some of your files may end up being encrypted, but hopefully not very many.
Basic phishing protection
As with many examples of ransomware and malware, WannaCry initially infects computer networks via a phishing attack. Never open an email attachment you weren’t expecting, even if it appears to come from somebody you know, and no matter how important, interesting or scurrilous it appears to be.
Don’t use dodgy software
The most recent Mac ransomware attempts to spread via “cracked” or patcher apps designed to let you use commercial software for free. Therefore, avoid all dodgy software like this.
Always ensure your system and apps are updated
On a Mac you can configure automatic updates by opening the System Preferences app, which you’ll find in the Applications list of Finder, and selecting the App Store icon. Then put a tick alongside Automatically Check for Updates, and put a tick in all the boxes directly beneath this heading.
Install only from official websites
If you suddenly see a pop-up saying one of your browser plugins is out of date, for example, then be sure only to update from the official webpage for that plugin – such as Adobe’s website if it’s the Flash plugin. Never trust the link provided in a pop-up window! Hackers make frequent use of such pop-ups and fake websites to spread ransomware and other malware.
Back up frequently
If you have a backup of your files then it matters less if ransomware strikes because you can simply restore. However, the KeRanger ransomware outbreak attempted to also encrypt Time Machine backups, so you might choose to use a third-party app like Carbon Copy Cloner instead to backup your files. Read more: How to back up a Mac
How do I protect my iPhone or iPad against ransomware?
iOS devices like iPhones and iPads were built from the ground up to be much more secure than Macs, and true ransomware via some kind of malware infection would be extremely difficult to pull off. There certainly haven’t been any examples so far, at least not on iOS devices that haven’t been jailbroken.
However, iPhones, iPads and even Macs are subject to iCloud hijacking, a type of ransom attack whereby a hacker reuses passwords discovered through one of the many large-scale security breaches in order to log into and take control of a user’s iCloud account. They then change the password and use the Find my iPhone service to remotely lock the iOS device or Mac, sending the user demands for ransom money in order to restore control.
Often they threaten to remotely wipe the device or Mac as well. The first such attack of this nature was the Oleg Pliss attack back in 2014.
iCloud hijacking is easily thwarted by setting up two-factor authentication, and you should do so now!
However, regardless of whether an actual ransomware infection is possible, it certainly makes sense to ensure you keep your iPhone or iPad fully updated (read How to update iOS on iPhone or iPad) so as to have the best possible protection against any potential threat. When a new iOS update becomes available a notification will appear alongside the Settings app, and you’ll be able to update by opening Settings then tapping General > Software Update. (Note that there’s no way to configure automatic system updates on iOS.)
Any app claiming to provide antivirus scanning for iOS devices is likely to be dubious at best because all iOS apps are sandboxed, so are unable to scan the system or other apps for malware.
Have Macs ever been affected by ransomware?
With the exception of the FBI web page scam described below, which is more of an annoyance than a serious threat, the handful of Mac ransomware examples identified by security researchers to date have not led to serious outbreaks and few if any Macs have been affected. However, the list makes interesting reading to learn how a future ransomware outbreak might spread and how it might operate.
FBI scam (July 2013)
For over a decade, website-based ransomware has attempted to extort money from gullible Windows users by “locking” the web browser to a purported law enforcement website. This was always mere smoke and mirrors, however, and could be overcome easily.
But in July 2013 security researchers discovered a similar scam specifically targeting the Mac’s Safari browser. The user was locked to a fake “FBI” webpage via a dialog box that wouldn’t let them leave the site, and a $300 “fine” was demanded to unlock the system.
Quitting the browser was made impossible. If the user force-quit Safari, the ransomware page simply reloaded itself next time Safari started.
Apple has since fixed Safari on both Mac and iPhone/iPad so that it’s less easy for browser-based ransomware like this to operate. However, you might still encounter less virulent examples.
How to clean up FBI scam and its variations
Force-quit Safari by right-clicking its Dock icon, holding down Alt (Option on some keyboards) and selecting the force quit menu option. Then start Safari while holding down the Shift key. This will stop Safari loading the last page it had open, which escapes the annoying reboot loop of the ransomware.
FileCoder (June 2014)
Security researchers found and identified FileCoder via the VirusTotal virus-scanning website, although by that point FileCoder was already old, having been first detected by the site’s malware scanner two years earlier.
Specifically targeting OS X/macOS, FileCoder is unfinished and not a threat, in that it doesn’t actually encrypt the user’s data. It does display an app window demanding a ransom of €30 (rather cheekily, this is discounted to €20 if a credit card is used instead of PayPal or Western Union).
It’s not known where FileCoder originated, or how it was intended to spread.
How to clean up FileCoder
Because FileCoder has only been spotted a single time in the wild, we have hardly any information about how it operates and therefore how to clean it up. However, because of this it should not be considered an active threat.
Gopher (September 2015) and Mabouia (November 2015)
Two security researchers, working independently, create Gopher and Mabouia, two examples of ransomware specifically targeted at Macs. However, both are only proof-of-concept demonstrations, intended to show that fully fledged ransomware on the Mac is entirely possible.
Aside from copies shared with security researchers for them to learn from, neither ever leaves the researchers’ computers, so cannot spread.
How to clean up Gopher or Mabouia
Because both are merely proofs of concept, and have never actually been deployed in the wild, it’s impossible to say how any ransomware infections created by Gopher or Mabouia could be cleared up.
KeRanger (March 2016)
Security researchers find and identify KeRanger ransomware within an authorised update for the Transmission BitTorrent client. The first real example of Mac ransomware, this time the ransomware creators have clearly made an effort to create a genuine threat.
KeRanger is signed with an authorised security certificate, so isn’t blocked by the macOS Gatekeeper security system, for example. KeRanger encrypts files and then leaves a README_FOR_DECRYPT.txt file in the directory, in which the ransom demand is made (one Bitcoin; around £1,338.62 at the time of writing in May 2017).
However, thanks to fast action by the researchers and also Apple, who immediately revoke the security certificate, KeRanger is halted before it becomes a serious threat. If both agencies hadn’t been quite so quick off the mark, however, it could’ve been a very different story.
How to clean up KeRanger
Our understanding is that you will not be able to decrypt the files. However, if you’re worried that KeRanger ransomware may have infected your Mac, here is how the security researchers who identified it – Palo Alto – suggest you clean it up:
- Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exists. If either of these exists, the Transmission application is infected, and we suggest deleting this version of Transmission.
- Using ‘Activity Monitor’ preinstalled in OS X, check whether any process named ‘kernel_service’ is running. If so, double-check the process, choose Open Files and Ports and check whether there is a file name like “/Users//Library/kernel_service”. If so, the process is KeRanger’s main process. We suggest terminating it with Quit > Force Quit.
- After these steps, we also recommend users check whether the files .kernel_pid, .kernel_time, .kernel_complete or kernel_service exist in ~/Library directory. If so, you should delete them.
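The three checks above, scripted so they can be run from Terminal in one go. This is an added example, not Palo Alto’s or Macworld’s code; it only looks for the file paths and process name listed above and deletes nothing. The root and home directory are parameters (assumed defaults `/` and `$HOME`) so the checks can be pointed at a test folder.

```shell
#!/bin/sh
# Added example: check a Mac for the KeRanger indicators named in the
# Palo Alto clean-up steps. Nothing is deleted; findings go to stderr.

# Return 0 if either infected Transmission bundle marker exists under $1.
keranger_bundle_marker_present() {
    root="${1:-/}"
    for p in "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
             "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf"; do
        if [ -f "$p" ]; then
            printf 'Infected Transmission marker: %s\n' "$p" >&2
            return 0
        fi
    done
    return 1
}

# Return 0 if any KeRanger state file exists in $1/Library (default ~/Library).
keranger_state_files_present() {
    lib="${1:-$HOME}/Library"
    found=1
    for f in .kernel_pid .kernel_time .kernel_complete kernel_service; do
        if [ -e "$lib/$f" ]; then
            printf 'KeRanger state file: %s\n' "$lib/$f" >&2
            found=0
        fi
    done
    return $found
}

# Return 0 if a process named kernel_service is running. On macOS ps prints
# the full path in the comm column, so match either the bare name or a path.
keranger_process_running() {
    ps -eo comm= 2>/dev/null | grep -q -e '^kernel_service$' -e '/kernel_service$'
}

# Print how many of the three indicator groups were found (0 means clean).
# Always exits 0 so it can be used in command substitution.
keranger_indicator_count() {
    root="${1:-/}"; home="${2:-$HOME}"; hits=0
    keranger_bundle_marker_present "$root" && hits=$((hits + 1))
    keranger_state_files_present "$home" && hits=$((hits + 1))
    keranger_process_running && { echo 'kernel_service process is running' >&2; hits=$((hits + 1)); }
    echo "$hits"
    return 0
}

# Usage on a live Mac: keranger_indicator_count   (prints 0 if nothing found)
```

A non-zero count means the named files or process were found and the manual steps above should be followed; a zero count only covers these specific indicators.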
Filezip (February 2017)
Security researchers find and identify Filezip ransomware masquerading as “patcher” apps that can be downloaded from piracy sites. Patcher apps are designed to illegally modify popular commercial software like Adobe Photoshop or Microsoft Office so they can be used without purchase and/or a license code.
When the user attempts to use the patcher app, Filezip instead encrypts the user’s files and then places a “README!.txt”, “DECRYPT.txt” or “HOW_TO_DECRYPT.txt” file in each folder listing the ransom demands (0.25 Bitcoin; around £335 at the time of writing in May 2017). Notably, like many Windows-based examples of ransomware, Filezip is unable to actually decrypt any files, so paying the ransom is pointless.
How to clean up Filezip
Simply delete the patcher file from your hard disk. Security firm Malwarebytes has since discovered how to decrypt any files affected by Filezip for free, although the process is a bit complicated.
Should I run an antimalware app all the time?
It might surprise you but Macs already have antimalware built in, courtesy of Apple.
XProtect runs invisibly in the background and scans any files you download as part of the standard file quarantining process. XProtect is updated regularly by Apple with new malware definitions and you can see the frequency of updates by following these steps:
- Open the System Information app by clicking Apple > About This Mac, then clicking the System Report button.
- Select the Software heading in the list at the left, and then the Installations heading beneath this.
- Click the Install Date column heading to sort the list by most recent and look for entries that read XProtectPlistConfigData.
XProtect was how Apple was able to defeat KeRanger, perhaps the most serious Mac-based ransomware threat so far, before it had a chance to become endemic. Additionally, the most recent Mac ransomware, Filezip, has been added to XProtect too.
Combined with other built-in safeguards such as file quarantining and Gatekeeper – both of which stop the user blithely running apps or opening docs they download from strange websites – the Mac is better guarded against ransomware than you might think.
However, there’s certainly no harm in occasionally running an on-demand virus scanner such as Bitdefender Virus Scanner, even if this may well find many false positives in the form of Windows viruses in things like mail attachments. Windows viruses are harmless for Mac users. Read about the best Mac antivirus software here.