Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Anyone here got hit with ransomware?
- Thread starter techsalbog
- Start date
-
- Tags
- #malware #ransomware #virus
- Sort by reaction score
I've only heard of one instance of ransomware on the Mac.
That was a hacked version of an app named "Transmission" (torrent downloader) a few years back.
It was quickly detected and dealt with.
Do YOU know of any recent ransomware attacks?
If so, please tell us...
That was a hacked version of an app named "Transmission" (torrent downloader) a few years back.
It was quickly detected and dealt with.
Do YOU know of any recent ransomware attacks?
If so, please tell us...
Evolution on ransomware on macOS
2014 FileCoder - Unfinished ransomware for MacOS X https://securelist.com/unfinished-ransomware-for-macos-x/66760/
2016 KeRanger https://unit42.paloaltonetworks.com...ted-transmission-bittorrent-client-installer/
2017 MacRansom https://www.fortinet.com/blog/threat-research/macransom-offered-as-ransomware-as-a-service
2020 EvilQuest https://threatpost.com/evilquest-mac-ransomware-keylogger-crypto-wallet-stealing/157034/
No notable macOS ransomware in 2021 & 2022
The Mac Malware of 2021 https://objective-see.org/blog/blog_0x6B.html
The Mac Malware of 2022 https://objective-see.org/blog/blog_0x71.html
2014 FileCoder - Unfinished ransomware for MacOS X https://securelist.com/unfinished-ransomware-for-macos-x/66760/
2016 KeRanger https://unit42.paloaltonetworks.com...ted-transmission-bittorrent-client-installer/
2017 MacRansom https://www.fortinet.com/blog/threat-research/macransom-offered-as-ransomware-as-a-service
2020 EvilQuest https://threatpost.com/evilquest-mac-ransomware-keylogger-crypto-wallet-stealing/157034/
No notable macOS ransomware in 2021 & 2022
The Mac Malware of 2021 https://objective-see.org/blog/blog_0x6B.html
The Mac Malware of 2022 https://objective-see.org/blog/blog_0x71.html
No, but even if I was, I have Time Machine backups that are never older than 1 week.
No but I can tell you how not to get hit by it. Avoid downloading pirated software. That's the fastest and easiest way people get ransomware and malware on the Mac.
Also have your files backed up on a non connected external drive. Don't connect that drive to an infected computer. That will protect you from ransomware, but it won't protect you from keyloggers that will capture your passwords and accounts.
I've gotten spam/phishing emails that claim to have infected my machine with ransomware in an attempt to shake me down for some Bitcoin or whatever, but I know it's just a scam. That's what happens when your email is out on the internet. I just ignore.
I was hit many years ago when I solicited resumes while hiring. I wiped and used my backup so probably lost about a half a day or so of work.
16 April 2023
BleepingComputer - "LockBit ransomware encryptors found targeting Mac devices"
https://www.bleepingcomputer.com/ne...mware-encryptors-found-targeting-mac-devices/
"The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to ever specifically target macOS."
BleepingComputer - "LockBit ransomware encryptors found targeting Mac devices"
https://www.bleepingcomputer.com/ne...mware-encryptors-found-targeting-mac-devices/
"The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to ever specifically target macOS."
Nope.
Two Pi-holes and a couple of different firewall (appliance) platforms at home have kept things well below a dull roar for quite some time.
Two Pi-holes and a couple of different firewall (appliance) platforms at home have kept things well below a dull roar for quite some time.
Don't think you are safe because you have (Time Machine) backups.
If you are hit by ransomware encrypting your data and your backup disks or NAS are connected to your computer (or LAN) that data will most certainly be affected as well. Also data in your cloud will likely be affected.
Last edited:
Objective-See's Blog: "The LockBit ransomware (kinda) comes for macOS
Analyzing an arm64 mach-O version of LockBit"
https://objective-see.org/blog/blog_0x75.html
"And while this may be the first time a large ransomware group created ransomware capable of running on macOS, it worth nothing that this sample is far from ready for prime time. From it’s lack of a valid code-signing signature to its ignorance of TCC and other macOS file-system protections as it stands it poses no threat to macOS users."
BleepingComputer Update 4/16/23: <In response to questions from BleepingComputer, the public-facing representative of LockBit, known as LockBitSupp, said that the Mac encryptor is "actively being developed.">
Analyzing an arm64 mach-O version of LockBit"
https://objective-see.org/blog/blog_0x75.html
"And while this may be the first time a large ransomware group created ransomware capable of running on macOS, it worth nothing that this sample is far from ready for prime time. From it’s lack of a valid code-signing signature to its ignorance of TCC and other macOS file-system protections as it stands it poses no threat to macOS users."
BleepingComputer Update 4/16/23: <In response to questions from BleepingComputer, the public-facing representative of LockBit, known as LockBitSupp, said that the Mac encryptor is "actively being developed.">
Malicious encryptors for Apple computers could herald new risks for macOS users.
Apple’s Macs have long escaped ransomware, but that may be changing
Malicious encryptors for Apple computers could herald new risks for macOS users.
arstechnica.com
Objective-See's Blog: "It's Turtles All The Way Down 🐢 Analyzing the newly discovered "Turtle" ransomware"
https://objective-see.org/blog/blog_0x76.html
"Today we dove into a new ransomware sample, internally dubbed “Turtle”. And while in its current state it does not post much of a threat to macOS users, it yet again, shows that ransomware authors continue to set their sites on macOS."
https://objective-see.org/blog/blog_0x76.html
"Today we dove into a new ransomware sample, internally dubbed “Turtle”. And while in its current state it does not post much of a threat to macOS users, it yet again, shows that ransomware authors continue to set their sites on macOS."
"According to SentinelOne, NotLockBit appears to be the first functional ransomware family targeting macOS systems, as previously observed attempts were mere proof-of-concept (PoC) samples."
https://www.securityweek.com/notlockbit-ransomware-can-target-macos-devices/
"SentinelOne - macOS NotLockBit | Evolving Ransomware Samples Suggest a Threat Actor Sharpening Its Tools"
https://www.sentinelone.com/blog/ma...-suggest-a-threat-actor-sharpening-its-tools/
"Trend Micro - Fake LockBit Real Damage Ransomware Samples Abuse AWS S3 to Steal Data"
https://www.trendmicro.com/en_us/re...-ransomware-samples-abuse-aws-s3-to-stea.html
https://www.securityweek.com/notlockbit-ransomware-can-target-macos-devices/
"SentinelOne - macOS NotLockBit | Evolving Ransomware Samples Suggest a Threat Actor Sharpening Its Tools"
https://www.sentinelone.com/blog/ma...-suggest-a-threat-actor-sharpening-its-tools/
"Trend Micro - Fake LockBit Real Damage Ransomware Samples Abuse AWS S3 to Steal Data"
https://www.trendmicro.com/en_us/re...-ransomware-samples-abuse-aws-s3-to-stea.html
Having RansomWhere + BlockBlock from objective-see doesn't really hurt. Latter is really useful for informational purposes if installers end up placing launchagents/daemons anywhere. Former is kind of neat in theory, I guess in practice it's mostly a way to know if something is writing out opaque encrypted binary blobs anywhere.
Official pages for
RansomWhere? "By continually monitoring the file-system for the creation of encrypted files by suspicious processes, RansomWhere? aims to protect your personal files, generically stopping ransomware in its tracks"
https://objective-see.org/products/ransomwhere.html
BlockBlock
"Malware installs itself persistently to ensure it's automatically (re)executed.
BlockBlock monitors common persistence locations and alerts whenever a persistent component is added."
https://objective-see.org/products/blockblock.html
RansomWhere? "By continually monitoring the file-system for the creation of encrypted files by suspicious processes, RansomWhere? aims to protect your personal files, generically stopping ransomware in its tracks"
https://objective-see.org/products/ransomwhere.html
BlockBlock
"Malware installs itself persistently to ensure it's automatically (re)executed.
BlockBlock monitors common persistence locations and alerts whenever a persistent component is added."
https://objective-see.org/products/blockblock.html
This will only help you if you have multiple TM disks used in rotation (and unplugged when not in use).
Anything attached to the Mac, or accessible from the Mac (such as cloud services), would quickly be encrypted by ransomware.
This is why Onedrive is so much superior to iCloud.
First, it has file history. Even if you upload multiple ransomware-encrypted versions of your files to Onedrive before you realize it, you can go back until you find an unencrypted version. I believe by default the file versions limit is set to 500.
Second, it will send you an alert email if it detects ransomware-like activity in your account, such as deleting a large number of files and replacing them with encrypted files. I get alerts every time I add a bunch of files to Cryptomator because it behaves in the same way. (It will also alert you if you delete a large number of files without any encryption).
By comparison, iCloud doesn't have any such protections - at least none that I know of. If you override a file even once it's gone.
First, it has file history. Even if you upload multiple ransomware-encrypted versions of your files to Onedrive before you realize it, you can go back until you find an unencrypted version. I believe by default the file versions limit is set to 500.
Second, it will send you an alert email if it detects ransomware-like activity in your account, such as deleting a large number of files and replacing them with encrypted files. I get alerts every time I add a bunch of files to Cryptomator because it behaves in the same way. (It will also alert you if you delete a large number of files without any encryption).
By comparison, iCloud doesn't have any such protections - at least none that I know of. If you override a file even once it's gone.