Mac Ransomware is Close & You’re at Risk

As Mac users, most of us have been quite smug about the fact that our operating system isn’t as vulnerable to trojans, malware and ransomware as those other guys running Windows. While mostly still true, the growing popularity of Macs means that we users of OS X are A LOT more at risk than ever before.

The first Mac OS X ransomware has been demonstrated by a Brazilian cybersecurity researcher Rafael Salema Marques (see Mabouia, the first crypto-ransomware for Macs arrives). Since the concept is now out, it’s just a matter of days or weeks before we see some malware like it in the wild. The security software and services firm, Symantec, has confirmed the concept is real and would work.

Ransomware is the *worst* type of infection since the black-hat hackers encrypt all of your files and “hold them for ransom” until you pay a fee. There is NO WAY TO RECOVER your files unless you pay (they use RSA-2048 bit encryption) and, if you do pay, will usually continue to extort money out of you.

“But a black-hat hacker has to gain root or administrator-level privileges in order to infect a Mac, right?” While true, this crypto-ransomware encrypts all of your *personal* files (e.g., documents; photos; movies; etc.) and holds the decryption key until you pay up.

Researcher Marques, the maker of the proof-of-concept ransomware, said he has no intention of publicly releasing the malware. While that’s laudable, in my experience once the information about an exploit is out, people figure it out, make the malware, and release it.

PROTECT YOURSELF AHEAD OF TIME
To protect yourself you should use the standard advice for shielding yourself online:

• Don’t follow links in any email you didn’t initiate (e.g., like any updates to Flash. Go directly to Adobe’s website to download the Flash player installer if you must)
  • Make certain you know the person sending an attachment before you open it
  • Even then, stop and read the email. If anything seems “off”, don’t open the attachment! Contact them and ask if they sent it.
  • Use an email service that scans attachment (e.g., Gmail). If you use a lot of other email services, you can check and send emails from those email addresses inside Gmail and use its attachment scanning capability.
• Stay off bad sites with illegal content, beware of advertisements on websites – they can be malicious sometimes
• Limit the amount of browser extensions you use
• Don’t install apps from untrusted sources (that means the download sites like cnet.com – they bundle junk with the installers). Try to use https to get software if the developer has it enabled
• Avoid using an admin account for general usage. Instead, set up an admin (root) account and a second account, the latter is the one you’ll use day-to-day
• Set a good admin password
• Update the OS & your software the moment updates become available (or as soon as you can)
• Secure your network (wifi needs passwords, ideally WPA2 security, change the router/ modem admin password from the default one)
• Enable the firewall on the Mac (System Preferences > Security)
• Use different passwords for all online accounts and use a password manager (e.g., LastPass; 1Password)
• Avoid leaving portable computers in public places in an unlocked or logged in state.

“BUT I USE TIME MACHINE FOR BACKUP!”
If you use Time Machine to backup your Mac, make certain you keep a second copy of the disk (and all of your files) in a safe place. Yes, this is a pain-in-the-arse to do—especially since Time Machine is a set-it-and-forget-it type of backup—but it’s better than losing everything, right? Or you could use an online backup service like Crashplan or Carbonite and then your files would also be in a completely separate location in the cloud.

Why would your Time Machine backups be vulnerable? A Time Machine disk is normally connected all the time. That means the ransomware would most likely encrypt that data too. You could use an online service for backups, that way the files are stored away from the Mac, so it’s generally a good idea to do this anyway to protect you from fire, theft, etc. Some ransomware has been encrypting all attached storage, even network based data, so any other Macs on your network could be vulnerable too!

IF I GET HACKED, THEN WHAT?
Don’t pay the ransom since the hackers may-or-may-not unlock your files. They’ll likely extort you for more money too. For certain, the malware will remain on your machine, ready for them to come back to you over-and-over again.

As I mentioned at the outset, the ransomware hackers usually use RSA-2048 bit encryption and even the National Security Agency would have to apply tremendous resources to try to get in to a system encrypted with this level of encryption. You would have zero chance so, without a good backup that’s NOT connected to your computer or network, you’ve lost all of your personal files. So backup and follow the tips above to stay safe.