Despite the fact that Macs are equipped with robust defenses against malicious code, some infections can get around these mechanisms. Prevention is certainly the best cure, but what to do if a harmful program such as ransomware has compromised your computer? The good news is, you should be able to recover from the attack in most cases. Complete remediation could be a challenging task, though.

Can you purge ransomware from your Mac?

If ransomware has plagued your Mac machine, don’t panic – both removal and data restoration are usually feasible, although, in some scenarios, this is easier said than done. There are ransomware strains that thwart the recovery of encrypted files unless you purchase the secret decryption key from the attackers. The increasing complexity of these raids means the victims have fewer options to reinstate their important data.

The appropriate method of troubleshooting depends on the type of Mac ransomware you are confronted with. If the FBI MoneyPak hoax has locked down Safari, you can sort out the issue by simply clearing the browser caches and history. File-encrypting ransomware is much more dangerous because it renders data inaccessible by means of cryptography. If such an attack is underway, removing the malicious code is half the battle. Decrypting the hostage data is a critical element of fully recovering from this incursion. Cybercrooks piggyback on your inability to do it and they extort money from a position of strength.

The most common forms of Mac ransomware are as follows:

  • File-encrypting malware, or file coders, scramble data on your Mac by leveraging a cipher. The operators of these campaigns instruct their targets to submit a ransom for private decryption keys. A deadline is typically used to pressure the victims as the attackers threaten to destroy the secret keys after it expires. This category accounts for roughly 90% of all ransomware onslaughts.
  • Screen lockers – the term is self-explanatory. These culprits prevent you from accessing your Mac or specific features by locking the screen or web browser. Then, they instruct the victims to pay for regaining access. The FBI MoneyPak fraud typifies this particular attack vector. Whereas screen lockers are more frequently encountered on mobile gadgets, Macs can be targeted as well.

Ways to get rid of Mac ransomware and restore your data

Step 1: Isolate the contaminated computer

In case ransomware has infiltrated your Mac, be sure to disconnect it from your network right away by unplugging the Ethernet cable or disabling the wireless connection. This way, you can prevent the malicious code from infecting other devices on the same network.

Step 2: Determine the strain of Mac ransomware that hit your system

As soon as you have isolated the contaminated machine, the next thing on your to-do list is to find out which lineage of ransomware you are faced with. This information can give you clues about the further course of action for a successful recovery. The worst-case scenario is if you encounter species like KeRanger, which are known to utilize strong crypto to mutilate files. Unlike these file coders, screen lockers are much easier to handle.

It’s a good idea to take a shortcut by using the Crypto Sheriff service by the No More Ransom Project. Masterminded by law enforcement agencies (the Dutch National High Tech Crime Unit and Europol’s European Cybercrime Centre) and cybersecurity firms (McAfee and Kaspersky Lab), this tool quickly identifies the strain of ransomware based on its ransom note and file encryption technique used. If a free decryption solution is available, Crypto Sheriff will let you know and provide the link to download it.

Also, do your homework and browse reputable tech support forums to learn more about the Mac ransomware family you have come across. Malware researchers provide the latest details in the dedicated threads so that victims can easily find out whether the data is decryptable and follow additional security recommendations to minimize the damage.

There are Mac ransomware pests that blemish encrypted files with a specific extension and drop a rescue note onto the victim’s home screen and into directories with hostage data. For instance, the FindZip ransom Trojan appends the *.crypt string to every affected file and sprinkles decryption instructions named README.txt, DECRYPT.txt, or HOW_TO_DECRYPT.txt across the breached Mac. You should look up these symptoms on ransomware discussion forums to find the right thread that may shed light on the recovery details. Here are a few resources you should definitely visit:

  • Bleeping Computer Help Forum
  • Reddit (r/Ransomware subreddit)
  • Computer Hope Forum
  • Apple Support Community

Step 3: Eradicate ransomware from your Mac

Now that you have explored the ins and outs of the strain that hit your Mac, it’s time to make it vanish. There are several strategies you can adhere to:

  1. Wait for the offending program to uninstall itself, which is often the case
  2. Use automatic security solution for Mac
  3. Remove the infection manually

Method A: Check whether the malicious app executed a self-removal process

Having encrypted one’s files, some types of ransomware run certain commands to remove themselves from the host computer. From the attackers’ perspective, this is a way to prevent their code from being extensively analyzed. In-depth scrutiny may reveal loopholes potentially allowing researchers to find weak links in the encryption logic and create a recovery tool.

Method B: Leverage an AV solution to get rid of the ransomware

Thankfully, there are quite a few effective Mac antivirus tools to choose from. They can identify and delete mainstream ransom Trojans in a hassle-free way. An additional benefit of using a reliable security suite is that it will safeguard your machine against emerging threats further on while stopping any unauthorized file encryption attempt in its tracks.

Method C: Obliterate the ransomware manually

This tactic is the hardest to implement and requires advanced tech skills. If you are up to giving it a shot, make sure you resort to recommendations on the support forums listed above. The experienced forum members keep tabs on the newest findings and breakthroughs in combatting the ransomware epidemic, so you can get a ton of helpful information there to remove the threat for good.

Step 4: Get your data back

Ransomware removal is important but it doesn’t reverse the sketchy encryption. Peruse the methods below to try and recover your valuable files:

Method A: Restore from a backup

The easiest and most effective way of reinstating your data is to download it from backup storage unaffected by the ransomware. This technique is applicable if you have been regularly backing up your files to the cloud or external media. Even if this isn’t the case, though, you still have a good chance of accessing your important files by means of Time Machine, a backup feature built into your Mac. Not only does it allow you to roll your operating system back to its earlier state, but it can also restore previous versions of your files from local snapshots.

Another worthwhile option is to go into your iCloud account and check it for images and documents retained by Apple apps you use. In some cases, automatic data recovery tools such as Wondershare Data Recovery for Mac might come in handy.

Method B: Leverage decryption software

Cybersecurity analysts have succeeded in cracking the cryptographic implementation of some ransomware lineages. For example, there is a free tool that decrypts files locked by the above-mentioned FindZip threat. This is the exception rather than the rule, though.

Most Mac ransomware infections in the wild cannot be decrypted for free at this point. If one of them has made a mess of your data, you have basically two options: restore the files from a backup, or wait and hope that researchers will create a recovery tool in the near future.

Is Mac ransomware a serious threat?

In contrast to a widespread misconception, Mac computers are susceptible to ransomware and other types of predatory code. They used to be considered invulnerable because cybercrooks mainly zeroed in on Windows PCs due to their larger user audience. To its credit, macOS boasts highly effective defenses against malicious software and therefore Macs are more difficult to infect. Furthermore, notorious ransomware such as NotPetya and WannaCry simply won’t run on a Mac because they cash in on security flaws inherent to the Windows architecture.

Although Macs are less likely to get hit, relying on their native protection alone is a risky business. Mac malware authors are constantly refining their techniques and these attacks are rapidly evolving. According to experts’ findings, ransomware targeting Apple devices saw a whopping 500% increase in 2018 versus the previous year. Such an unnerving trend will probably continue, so you are better off exercising greater caution with suspicious downloads and staying on top of the Mac malware landscape.

How to mitigate the damage from a Mac ransomware attack?

First things first, make sure you keep your data backed up. At the very least, configure the Time Machine tool to make regular automatic backups of your valuable files. As an extra layer of protection, prioritize your files and additionally keep copies of the most important ones on external media such as a thumb drive or a hard disk. Keep in mind that a decent backup strategy makes a ransomware attack futile regardless of the strain you are dealing with.

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. David runs the project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

Ransomware stock photo by robert coolen/Shutterstock