Mac Ransomware Exists And It Is Very Much Real



For as long as Mac computers have been available, the proud users of Apple products have always thought that they were safe from viruses and other online security threats. Being virus safe was one of the big reasons to consider using a Mac system in the first place. In some cases, users viewed that as justification for the price difference between Apple and PC or Android products. However, things change, and until recently Ransomware was not an issue. Well, it is now a very real threat to Mac users.

Although it is not as widespread as it is within the Windows-based community, and there are not nearly as many Ransomware variants that can infect Mac machines, they are out there. If Mac Ransomware is already available, expect the threat to grow.

By the way, it was in 2014 that the first Ransomware code being developed for Mac OS X was discovered. However, that code was never completed and was subsequently abandoned. Some claim that the code had been accidentally leaked and that this is why it was abandoned. Who knows?

Patcher and KeRanger

The two known variants are Patcher and KeRanger. Both work in a similar way: they encrypt the files on a computer and then demand that a ransom be paid in order to have those files decrypted. Both were created sometime in 2016 or 2017. Some claim that they are the work of the same developers, but that is unverified. KeRanger has infected about 7,000 users by tricking people into downloading an infected BitTorrent client.

Personal Files Encrypted

Once installed, it encrypts files and demands a ransom. The tricky part about the download is that the application actually got through Apple's security checks because it was signed with a 'legitimate' developer certificate. With a valid signature, Gatekeeper lets the application install just fine, without anyone suspecting that they are installing malware.
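The lesson of the signed KeRanger installer is that "the signature is valid" is the wrong question; the useful question is "whose signature is it?" The following POSIX shell script is an added example, not code from the article or from Apple: it reads the report produced by `codesign -dv --verbose=4` (a real macOS command whose output includes a `TeamIdentifier=` line) and checks the Team ID against the one you expect for the vendor. The sample report and the Team ID values in it are constructed placeholders, not any real developer's identifiers.

```shell
#!/bin/sh
# Added example: check WHO signed an app bundle, not merely THAT it is signed.
# A valid Developer ID certificate is exactly what let KeRanger through, so the
# defensive check is to compare the signing Team ID with the vendor's known ID.

# Pull the Team ID out of a `codesign -dv --verbose=4` report.
# $1 = report text. Prints the ID, or "none" when the bundle is unsigned
# or ad-hoc signed (codesign prints "TeamIdentifier=not set" for ad-hoc).
extract_team_id() {
    id=$(printf '%s\n' "$1" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    if [ -z "$id" ] || [ "$id" = "not set" ]; then
        echo none
    else
        echo "$id"
    fi
}

# Verdict for a report against an expected Team ID:
#   match    -> signed by the vendor you expected
#   unsigned -> no usable Team ID in the report
#   mismatch -> validly signed, but by someone else (the KeRanger case)
assess_signer() {
    report="$1"
    expected="$2"
    actual=$(extract_team_id "$report")
    if [ "$actual" = none ]; then
        echo unsigned
    elif [ "$actual" = "$expected" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Run codesign on a real bundle (macOS only) and assess the result.
# codesign writes its report to stderr and exits non-zero for unsigned
# code, so both are captured and the exit status is ignored here.
check_app() {
    app="$1"
    expected="$2"
    report=$(codesign -dv --verbose=4 "$app" 2>&1) || true
    assess_signer "$report" "$expected"
}

# Constructed sample report, shaped like codesign's real output. The Team ID
# TEAMIDEXPECT and the vendor name are placeholders, not real identifiers.
SAMPLE_REPORT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (TEAMIDEXPECT)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMIDEXPECT
Sealed Resources version=2 rules=13 files=42'

# Usage on a Mac: ./check_signer.sh /Applications/Example.app TEAMIDEXPECT
if [ -n "${1:-}" ]; then
    check_app "$1" "${2:-TEAMIDEXPECT}"
fi
```

The expected Team ID has to come from somewhere you trust, such as the vendor's website or a previously verified copy, because an attacker's certificate will pass `spctl --assess` just as KeRanger's did. A `mismatch` verdict on a download that claims to be from a known vendor is the signal to stop and not install.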

Mac is the safest computer operating system in the world, right? Well, maybe not so much anymore.

Patcher is the newer of the two, and to date it has affected hundreds of Mac users. This one takes advantage of people who don't like to pay for software. A download of an Office crack/patcher seemed like a sure thing, but instead of activating your Office, it encrypts files and, wait for it, demands a ransom.

Cracked Software Ransomware

So, what is the moral of the story here?

Simple. Pay for your software and never download cracked software. As it turns out, Mac is not so much better than PC in this department.

Macworld has published a complete list of active Mac Ransomware variants and, believe it or not, that list is far from short. You can take a look at it here. When I went over it, I counted 12 different Ransomware names. Ouch! And this list, as I mentioned already, is expected to grow considerably.

Even though decryption has been possible in some cases for older Ransomware variants on Windows-based machines, you can forget about decryption tools for Mac. To date, there are no decryption tools available for any of the Mac-based Ransomware out there.

Sadly, the only way you will be able to get around a Mac Ransomware infection is to bite the bullet and pay the ransom demand. That is, if the developers of the Mac-based Ransomware actually send you the decryption keys once you have paid.

So, what is the solution here?

Well, if the Mac expects to continue to be the 'better' operating system, Apple has to start taking into account how real a threat Ransomware has become for its users. The Mac is no longer bulletproof. This means that future Mac OS X versions will have to feature real updates to security and firewall protection.

Remember, the way early Ransomware got past Mac security was with a fake (okay, according to the system it passed as legitimate) certificate. The list of known Mac Ransomware variants is growing, and each Mac OS X update will have to address them.

I've explained before that hackers and Ransomware developers are a smart bunch of people. They will likely always be about a step ahead of the Mac OS X developers. But for now, if you have been a Mac user forever because of how safe you felt online, that reality has changed.

I do expect Apple will step up and do everything possible to push their product back to the level where it has been from the very start. In fact, I view Mac-based Ransomware as a sign that in the online world of hacking, no one is truly safe from infection, and with something as nasty as Ransomware, it was only a matter of time before it reached the Mac community.

Author Bio

Yevgeniy Kapishon is a hardcore techno enthusiast, a senior data recovery engineer and a blogger at ADRS® Aesonlabs Data Recovery Systems, living in Toronto, Canada. In his free time, he likes to wander and explore the back alleys of his neighborhood or carve into his favorite sci-fi flicks.


Kokou Adzo

Kokou Adzo is a stalwart in the tech journalism community, has been chronicling the ever-evolving world of Apple products and innovations for over a decade. As a Senior Author at Apple Gazette, Kokou combines a deep passion for technology with an innate ability to translate complex tech jargon into relatable insights for everyday users.

10 Comments


  1. The MacWorld article you link to only lists _one_ repeat _one_ malware which falls into the category of Ransomware, and this is the KeRanger mentioned in your article. By Ransomware I refer to malware that encrypts your files and demands a 'ransom' to (hopefully) get them decrypted.

    The rest of the malware mentioned in the MacWorld article is of other types; it even includes reference to ancient Word Macro malware.

    Whilst the point of your article – that there is an increasing amount of Mac malware – is valid, and yes, there is now some Ransomware that attacks the Mac, I think you have grossly over-exaggerated the state of Ransomware for the Mac – at least on the basis of the evidence you have supplied, which only lists two examples.

  2. All fine and good, but the best solution is simply a non-local backup of your stuff. If the ransomware gets you, restore your files and tell the scammers where they can stick it.

    1. I can't agree with you more on this. But let's face it, not everyone backs up, especially to non-local backups.

    1. Hey Mike. Well, it could be the remedy sometimes, yes, and for sure backing up is highly recommended. But a lot of the time those backups also get encrypted. Backing up and keeping those backups offline, even from the internal DHCP server, could be a solution, yes.

    2. You are talking theoretically at this point, though, as there is no current ransomware attack on the Mac that can't be recovered from by a Time Machine backup. Yes, it could be done, but it hasn't been seen in the wild yet.

  3. I agree that Mac users need to be aware, but you are doing a bit of fear mongering here. Although there are dozens of these pieces of code out there, VIRTUALLY ALL ARE LOGGED IN XPROTECT. It should be noted that XProtect is updated automatically without user intervention, so the real threat is only those versions that are new enough that Apple hasn't yet added them.

    At least that is my understanding.

    1. Thank you for your comment. Well, the availability of XProtect still doesn't make OS X immune to Ransomware attacks, just like Windows Bitdefender doesn't really always protect the PC from Malware. And the list of new, smarter variants is only expected to grow for both PC and OS X systems.

      So no fear mongering here. Just letting the community be aware of the potential threat, is all.

      Cheers!

    2. I agree it doesn't make the Mac immune, but you are talking about 12 ransomware programs (all of which are protected against) and saying things like:

      “Mac is the safest computer operating system in the world, right? Well, maybe not so much anymore.”

      When you know that for every 1 piece of malware on the Mac there are a thousand for the PC. This means that although Microsoft has similar built-in defenses, the likelihood of one going unnoticed, or of just running into one, is vastly higher.

  4. It's still up to the user to install it, by the sounds of it, as well. On Windows, just visiting a site or opening an email can get you infected.