But… When I go to open my Spacey Dog pics, I don’t get Spacey Dog pics. I get this:
All your photo are belong to us.
Bye bye, riches. Mac ransomware has just eaten my Kevin Spacey hotdog.
What is Mac ransomware?
Ransomware is a type of malicious software that blocks access to your computer or specific files until you’ve paid money to unblock them. Mac ransomware is simply ransomware that targets Apple desktops and laptops. (Yes, even Macs need to be protected from malware). Although it’s currently not as prevalent as the variants attacking Windows computers, Mac ransomware is still every bit as horrible.
Ransomware statistics: 15 trillion hotdogs per year
Ransomware is predicted to cost the world $6 trillion in damages annually by 2021. That’s a lot of money — and hotdogs. At about $4 per 10-pack of franks, $6 trillion will net you 15 trillion hotdogs. Laid end to end, those 6-inch dogs would stretch 1.4 million miles — or to the moon and back nearly 6 times.
Ransomware is set to cause $6 trillion in damages by 2021
The vast majority of ransomware victims have been Windows users. (Read more about PC ransomware here.) But that’s changing. Android ransomware and Mac ransomware unfortunately exist, too. In fact, Mac ransomware and other ransom-based attacks on Mac users are expected to grow.
And anyone running Windows on a Mac (via Boot Camp, Parallels, etc.) is just as vulnerable to PC-based malware and ransomware as someone running Windows on a PC. So if you’re using Windows on your Mac, be sure to keep it updated. (And remember, Microsoft no longer officially supports Windows XP or Windows Vista, and Windows 7 security updates end in January 2020. So if you’re still using any of those versions, you should upgrade.)
A history of ransom-based attacks on Macs
At the rate technology advances, you’d expect to find a ton of Mac ransomware variants out there. Thankfully, that’s not the case. In fact, there have been only a couple of real-world ransomware attacks: Patcher and KeRanger. A few other ransom-based attacks happened, too, but they didn’t employ ransomware per se. But for the sake of completeness, I’ll drop those in below, too.
FBI Ransom (discovered 2013)
This browser-based attack wasn’t technically ransomware, because no malware was actually installed on anyone’s Mac. But it did involve a ransom.
Oh, no! The fake FBI demands real money.
The real fun began when you tried to close the page. Because you couldn’t. Any attempts to do so would trigger this annoying popup:
You shall not pass!
Shutting down Safari would have no effect, because when restarted, Safari would always reopen all previous tabs — including the one with the nasty ransom popup. There seemed to be no escape...
To solve the problem, you either had to reset Safari (and lose all of your settings), or force quit Safari from the Apple menu and then restart it while holding down the Shift key, which opened Safari without loading any of the previously open tabs. Because no malicious software was installed, once the malicious page was closed, the Mac was fine.
FileCoder (discovered March 2014)
Researchers found this example of Mac ransomware way back in March 2014. But the code was incomplete. For whatever reason, the author never finished it. In fact, it had already been lying around for two years by the time the researchers found it — meaning it was created as far back as 2012. Yup, Mac ransomware dates back to at least 2012. (By comparison, the first ransomware attack on Windows was the AIDS Trojan of 1989.)
Oleg Pliss (discovered May 2014)
No real ransomware was used in this attack. Instead, a hacker used leaked passwords to lock iCloud users out of their own accounts — and devices. Once inside victims’ accounts, the hacker used Apple’s Find My Mac/iPhone feature to remotely lock people’s iPhones, iPads, and Macs and then demand money to unlock them. The hacker also had the ability to remotely wipe the devices.
“Bye bye, apps! Bye bye, photographs! Hello, loneliness. I think I’m gonna cry.”
“Me talk pretty. You give money.”
Thankfully, preventing iCloud hacks like this is as easy as setting up two-factor authentication. Once you’ve done that, hackers won’t be able to access your account — even if they have your password. Game over, Oleg.
KeRanger (discovered March 2016)
KeRanger pwned more than 7,000 Mac users via an infected version (2.90) of Transmission, a popular BitTorrent client for Mac users. This malicious version was available for download on the Transmission website between March 4 and 5, 2016, and according to the Transmission project, unsuspecting people downloaded it about 6,500 times. Because it was signed with a legitimate developer certificate, Mac users could install it without triggering macOS’s built-in security. And here’s what they got:
Oh, look. You get one decryption FREE!
Apple soon revoked the certificate, and the malicious version was pulled from the Transmission website.
Patcher (discovered February 2017)
Downloaded via BitTorrent, Patcher (also known as FindZip) was a type of ransomware disguised as a patcher for popular apps like Microsoft Office and Adobe Premiere Pro. Real patchers are software designed to provide “patches” (i.e., app updates or fixes). But this Patcher was just a mean booger that permanently encrypted your files.
When run, Patcher would start encrypting files in the /Users directories and files in mounted or external drives using /Volumes directories. A ransom note named “README.txt” or “DECRYPT!.txt” would be added to the desktop asking for 0.25 Bitcoin (about $300).
The sad thing about Patcher was that it was badly coded and couldn’t communicate with its control servers. The hackers’ goof up left them with no way to send anyone the decryption key. In other words: Even if you paid the ransom, you’d never get your files back. So yeah… Any Mac user hit by Patcher was unfortunately S.O.L.
The good news was that removing Patcher was as easy as deleting the fake Adobe Premiere and Microsoft Office patcher apps. There were no other files to delete, so removal was a breeze.
How do I prevent ransomware attacks on my Mac?
They may not be hotdogs, and they may not look like Kevin Spacey, but there are bound to be Spacey Dogs on your Mac in need of protecting: irreplaceable family photos, embarrassing pop music, important tax documents… So unless you’ve got piles of cash lying around that you’re just itching to give to hackers, you’d do well to follow these simple tips to avoid ransomware in the first place. Because, as they say, an ounce of prevention is worth a pound of cure.
Install apps only from official sites or the Mac App Store:
Installing software from untrusted sources is risky, because you can’t be sure what you’ll get. Torrented software could be bundled with ransomware, for example. It’s safer to stick to official websites or the App Store.
Make frequent backups:
Back up to an external disk and disconnect it from your Mac when finished. If your Mac gets hit with ransomware, it won’t be able to encrypt those unattached backups. Once you’ve safely removed the ransomware, run a full Mac scan to make sure nothing sketchy is still lurking about, and then reconnect your backup drive to recover your files.
How do I remove Mac ransomware?
If you’ve been infected by ransomware, don’t panic. And whatever you do, don’t pay the ransom. There’s no guarantee that paying will get your files back, and it only empowers hackers to continue their attacks.
To remove the ransomware, make sure you’re running the latest version of AVG AntiVirus for Mac, and run a Deep Scan. (Click the gear icon next to the “Scan Mac” button, then select “Deep Scan” from the scan options.) If the ransomware is known variant, the antivirus should remove it.
And what about your encrypted files? If you’re a PC user, you may be in luck. Check out our free ransomware decryption tools for Windows. If you’re a Mac user, though, there’s little you can do except restore them from a backup. (Which is why you should always, always back up your computer and disconnect the backup drive when done.) Just be sure to remove the ransomware before restoring your files, or you’ll likely infect your backup drive, too.
And again… Don’t pay the ransom!