Written by Clayton Weeks
Published on February 1, 2021

What is Mac ransomware?

Ransomware is a type of malicious software that blocks access to your computer or specific files until you’ve paid money to unblock them. Mac ransomware is simply ransomware that targets Apple desktops and laptops. (Yes, even Macs need to be protected from malware.) Although it’s currently not as prevalent as the variants attacking Windows computers, Mac ransomware is still every bit as horrible.

    Ransomware statistics: 15 trillion hotdogs per year

    Ransomware is predicted to cost the world $6 trillion in damages annually by 2021. That’s a lot of money — and hotdogs. At about $4 per 10-pack of franks, $6 trillion will net you 15 trillion hotdogs. Laid end to end, those 6-inch dogs would stretch 1.4 million miles — or to the moon and back nearly 6 times.

    The vast majority of ransomware victims have been Windows users. (Read more about PC ransomware here.) But that’s changing. Android ransomware and Mac ransomware unfortunately exist, too. In fact, Mac ransomware and other ransom-based attacks on Mac users are expected to grow.

    And anyone running Windows on a Mac (via Boot Camp, Parallels, etc.) is just as vulnerable to PC-based malware and ransomware as someone running Windows on a PC. So if you’re using Windows on your Mac, be sure to keep it updated. (And remember, Microsoft no longer officially supports Windows XP or Windows Vista, and Windows 7 security updates end in January 2020. So if you’re still using any of those versions, you should upgrade.)

    A history of ransom-based attacks on Macs

    At the rate technology advances, you’d expect to find a ton of Mac ransomware variants out there. Thankfully, that’s not the case. In fact, there have been only a couple of real-world ransomware attacks: Patcher and KeRanger. A few other ransom-based attacks happened, too, but they didn’t employ ransomware per se. But for the sake of completeness, I’ll drop those in below, too.

    FBI Ransom (discovered 2013)

    This browser-based attack wasn’t technically ransomware, because no malware was actually installed on anyone’s Mac. But it did involve a ransom.

    Inspired by similar Windows attacks, some clever knuckleheads used a bit of social engineering and JavaScript to hijack Mac browsers. Basically, malicious links would redirect people to the following page:

    Screenshot of the FBI Ransomware webpage.

    Oh, no! The fake FBI demands real money.

    The real fun began when you tried to close the page. Because you couldn’t. Any attempts to do so would trigger this annoying popup:

    Screenshot of the FBI Ransomware popup message which warns that the victim's browser is locked.

    You shall not pass!

    Shutting down Safari would have no effect, because when restarted, Safari would always reopen all previous tabs — including the one with the nasty ransom popup. There seemed to be no escape...

    To solve the problem, you either had to reset Safari (and lose all of your settings), or force quit Safari from the Apple menu and then restart it while holding down the Shift key, which opened Safari without loading any of the previously open tabs. Because no malicious software was installed, once the malicious page was closed, the Mac was fine.

    FileCoder (discovered March 2014)

    Researchers found this example of Mac ransomware way back in March 2014. But the code was incomplete. For whatever reason, the author never finished it. In fact, it had already been lying around for two years by the time the researchers found it — meaning it was created as far back as 2012. Yup, Mac ransomware dates back to at least 2012. (By comparison, the first ransomware attack on Windows was the AIDS Trojan of 1989.)

    Oleg Pliss (discovered May 2014)

    No real ransomware was used in this attack. Instead, a hacker used leaked passwords to lock iCloud users out of their own accounts — and devices. Once inside victims’ accounts, the hacker used Apple’s Find My Mac/iPhone feature to remotely lock people’s iPhones, iPads, and Macs and then demand money to unlock them. The hacker also had the ability to remotely wipe the devices.

    “Bye bye, apps! Bye bye, photographs! Hello, loneliness. I think I’m gonna cry.”

    Screenshot of the Oleg Pliss ransom demand message on an iPhone lock screen.

    “Me talk pretty. You give money.”

    Thankfully, preventing iCloud hacks like this is as easy as setting up two-factor authentication. Once you’ve done that, hackers won’t be able to access your account — even if they have your password. Game over, Oleg.

    KeRanger (discovered March 2016)

    KeRanger pwned more than 7,000 Mac users via an infected version (2.90) of Transmission, a popular BitTorrent client for Mac users. This malicious version was available for download on the Transmission website between March 4 and 5, 2016, and according to the Transmission project, unsuspecting people downloaded it about 6,500 times. Because it was signed with a legitimate developer certificate, Mac users could install it without triggering macOS’s built-in security. And here’s what they got:

     Screenshot of the KeRanger ransom instructions for decrypting files.

    Oh, look. You get one decryption FREE!

    Apple soon revoked the certificate, and the malicious version was pulled from the Transmission website.

    Patcher (discovered February 2017)

    Downloaded via BitTorrent, Patcher (also known as FindZip) was a type of ransomware disguised as a patcher for popular apps like Microsoft Office and Adobe Premiere Pro. Real patchers are software designed to provide “patches” (i.e., app updates or fixes). But this Patcher was just a mean booger that permanently encrypted your files.

    When run, Patcher would start encrypting files in the /Users directories and files in mounted or external drives using /Volumes directories. A ransom note named “README.txt” or “DECRYPT!.txt” would be added to the desktop asking for 0.25 Bitcoin (about $300).

    The sad thing about Patcher was that it was badly coded and couldn’t communicate with its control servers. The hackers’ goof-up left them with no way to send anyone the decryption key. In other words: Even if you paid the ransom, you’d never get your files back. So yeah… Any Mac user hit by Patcher was unfortunately S.O.L.

    The good news was that removing Patcher was as easy as deleting the fake Adobe Premiere and Microsoft Office patcher apps. There were no other files to delete, so removal was a breeze.
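
    A read-only check for the two ransom-note names mentioned above, added here as an example and not part of the original article. The function names, the /Users/*/Desktop layout and the "mentions Bitcoin" filter for the very common README.txt name are assumptions of this sketch:

```shell
#!/bin/sh
# Added example: triage for the Patcher (FindZip) ransom notes described above.
# Assumption: home folders sit under /Users and each has a Desktop directory.

# Print one "LEVEL<TAB>PATH" line per suspicious note found under ROOT.
#   high   - DECRYPT!.txt, a name with little legitimate use
#   review - README.txt whose text mentions Bitcoin (the name alone is too
#            common to alert on; the keyword filter is an assumed heuristic)
find_patcher_notes() {
    root=${1:-/Users}
    for desktop in "$root"/*/Desktop; do
        # Skips unreadable homes and the literal pattern when nothing matches.
        [ -d "$desktop" ] || continue
        if [ -f "$desktop/DECRYPT!.txt" ]; then
            printf 'high\t%s\n' "$desktop/DECRYPT!.txt"
        fi
        if [ -f "$desktop/README.txt" ] &&
           grep -qi 'bitcoin' "$desktop/README.txt" 2>/dev/null; then
            printf 'review\t%s\n' "$desktop/README.txt"
        fi
    done
}

# Count findings at one level, e.g. to decide whether to isolate the machine
# and unplug backup drives before doing anything else.
#   $1 = level ("high" or "review"), $2 = root to scan
count_level() {
    find_patcher_notes "$2" |
        awk -F '\t' -v level="$1" '$1 == level { n++ } END { print n + 0 }'
}

# Stand-alone use: list findings for the given root (default /Users).
find_patcher_notes "${1:-/Users}"
```

    A "high" hit means the note is already written, so the useful next steps are the ones in the removal section below: remove the fake patcher app, then restore from a backup that was disconnected at the time.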

    How do I prevent ransomware attacks on my Mac?

    They may not be hotdogs, and they may not look like Kevin Spacey, but there are bound to be Spacey Dogs on your Mac in need of protecting: irreplaceable family photos, embarrassing pop music, important tax documents… So unless you’ve got piles of cash lying around that you’re just itching to give to hackers, you’d do well to follow these simple tips to avoid ransomware in the first place. Because, as they say, an ounce of prevention is worth a pound of cure.

    • Keep your Mac computer up-to-date:
      Outdated software is like rotted wood: weak and pitted with holes that let the nasties in. Updates can plug these holes and make it harder for malware to find a way in. So be sure to update both your operating system and your apps often.

    • Be careful what you install or click:
      You should know this by now. If you get an email from someone you don’t know — or a suspicious email from someone you do — don’t open any attachments or click any links. That’s how you get infected.

    • Install apps only from official sites or the Mac App Store:
      Installing software from untrusted sources is risky, because you can’t be sure what you’ll get. Torrented software could be bundled with ransomware, for example. It’s safer to stick to official websites or the App Store.

    • Make frequent backups:
      Back up to an external disk and disconnect it from your Mac when finished. If your Mac gets hit with ransomware, it won’t be able to encrypt those unattached backups. Once you’ve safely removed the ransomware, run a full Mac scan to make sure nothing sketchy is still lurking about, and then reconnect your backup drive to recover your files.

    • Use an antivirus:
      Our free AVG AntiVirus for Mac helps keep ransomware — and other malware — off your Mac in the first place.

    How do I remove Mac ransomware?

    If you’ve been infected by ransomware, don’t panic. And whatever you do, don’t pay the ransom. There’s no guarantee that paying will get your files back, and it only empowers hackers to continue their attacks.

    To remove the ransomware, make sure you’re running the latest version of AVG AntiVirus for Mac, and run a Deep Scan. (Click the gear icon next to the “Scan Mac” button, then select “Deep Scan” from the scan options.) If the ransomware is a known variant, the antivirus should remove it.

    And what about your encrypted files? If you’re a PC user, you may be in luck. Check out our free ransomware decryption tools for Windows. If you’re a Mac user, though, there’s little you can do except restore them from a backup. (Which is why you should always, always back up your computer and disconnect the backup drive when done.) Just be sure to remove the ransomware before restoring your files, or you’ll likely infect your backup drive, too.

    And again… Don’t pay the ransom!

