In cybercrime circles, ransomware is rampant. Once it infects your computer, it encrypts your files and then presents a ransom demand: pay to get the decryption key needed to recover the data.
Ransomware was in the news all year, and the attack on Colonial Pipeline in particular spent weeks in the headlines. Attacks reportedly increased by 485% in 2020 and show no signs of declining. The amounts demanded are also increasing: attackers demanded $50 million each from computer manufacturer Acer and Apple supplier Quanta. Worse, some ransomware attackers add an extortion component, threatening to publish confidential data if the victim does not pay. It’s scary, we know.
First, the good news. There are several examples of ransomware targeting the Mac, but none of them has been particularly well made or (as far as we know) successful. Right now the chances of a Mac falling victim to ransomware are slim, and there is no reason to panic.
However, complacency is dangerous. The trend is towards “ransomware as a service” (RaaS). RaaS operators maintain the ransomware itself, run a portal where victims pay, and even provide “customer service” for victims who don’t know how to pay in Bitcoin or another cryptocurrency. Affiliates spread the ransomware and share the proceeds with the operators. It’s a tidy little cybercrime business, and separating malware development from network penetration has made it much easier for criminals to profit from ransomware. It’s only a matter of time before they turn their attention to Macs.
Basically, protecting your Mac from ransomware is no different from protecting it against any number of other security issues. Follow these basic tips:
- Update macOS and applications: Always install macOS and security updates, and keep other applications up to date. With each update Apple fixes a number of security vulnerabilities, closing the vast majority of them before attackers can exploit them with malware. From time to time, however, Apple’s security notes include the sentence “Apple is aware of reports that this issue may have been actively exploited.” That means malware targeting the vulnerability may already exist; install such updates immediately!
- Use strong passwords with a password manager: You’ve heard this from us before and you’ll hear it again, but it’s important that everyone in your organization uses strong, unique passwords managed by a password manager such as 1Password, LastPass, or even Apple’s iCloud Keychain. A single weak password on an exposed account or service can let attackers get onto a computer or server and install ransomware.
- Be suspicious of links and attachments: Make sure everyone in your organization is careful about opening attachments or clicking links in email messages that come from strangers or simply look off. Phishing is one of the primary ways malware is distributed. (If your group needs phishing awareness training, contact us.)
- Never download pirated software! Quite apart from being ethically problematic, the most recent piece of Mac ransomware, ThiefQuest, was first found in a malicious installer posing as a pirated copy of the Little Snitch network-monitoring utility (ironic, eh?). Download apps only from the developer’s official website or the Mac App Store.
- Back up frequently: Backups are essential; even if you fall victim to ransomware, you can restore your data from before the point of infection. The caveat is that at least some of your backups must be isolated from the Mac in question, because some ransomware deliberately tries to encrypt or delete any backups it can reach.
- Monitor for ransomware: Although ransomware typically tries to stay under the radar while it encrypts files, the free RansomWhere? utility from Objective-See can identify processes that rapidly create encrypted files and suspend them until you approve. It will probably also flag some legitimate behavior (as in the picture below), but it is still a useful tool.
- Have anti-malware software: Basically, if you follow the tips above carefully, you will be fine. But it’s a good idea to have an anti-malware application installed and run it occasionally; if you don’t already have one, try the free version of Malwarebytes. If you, or your users, aren’t good at basic precautions, you may want to run malware protection constantly or set up broader network protection.
- Make a disaster recovery plan: Every business needs to think about how it would react to a fire, flood, earthquake or other disaster. Be sure to include ransomware when writing a disaster recovery plan. How would you shut down infected systems, rebuild them from scratch, and restore uninfected files?
Setting up a backup strategy that protects against ransomware requires a little more thought. As mentioned, ransomware often tries to render backups useless one way or another. You need versioned backups that let you recover from a point before the infection, and those backups should be isolated from the computer and network being backed up. Techniques that help include:
- Isolate backup drives: Rotate multiple Time Machine drives, with at least one always disconnected. This strategy assumes that you will detect a ransomware infection before all the drives have been rotated through, but ransomware can lurk undetected for weeks or months before it activates. Run an up-to-date malware scan before connecting the next backup drive.
- Use an online backup: Set up an online backup service that keeps versions of backed-up files, such as Backblaze with its Extended Version History feature. Retrospect 18 also supports object locking on cloud storage, which provides immutable storage: no one, not even someone who obtains the root credentials, can delete the backups during the retention period.
- Consider tape backups: Tape has long been the classic offline backup medium, but as the price per gigabyte of hard drives plummeted and online backup became practical, tape largely fell out of favor. It is still an option, though: tapes hold a lot of data and are easy to keep offline in a separate location. Some tape drives even support write-once, read-many (WORM) media, which guarantees that data cannot be erased or overwritten. Tape requires more human interaction than other backups, but it remains a cost-effective way to protect hundreds of terabytes of data from ransomware.
Again, there is no reason to panic about ransomware, but if it could significantly harm your business, you should take steps to reduce the chance of being hit and make sure you can recover your data if your computers are infected. No single approach is ideal for everyone, but we can help you think through what ransomware would mean for you and develop a strategy that balances protection, cost and effort.
(Featured image from iStock.com/chainatp)