More Mac Ransomware Sure to Surface Despite Halt to First Attack

By Wayne Rash  |  Posted 2016-03-07

"Future versions will be set so that it will encrypt the Time Machine backups," he said, meaning that you won't be able to just go back a few days and restore from backups using the standard backup software.

Fortunately, you don't have to depend on Time Machine for your backups. "If you're using an offsite backup, that data will be safe," Glenn said.

"Once you're infected, paying the ransom is often your only hope," said Chris Doggett, senior vice president of Carbonite, which provides cloud-based backup and recovery services. But Doggett also said that if you have properly done backups, then it's probably not necessary to pay the ransom since you can restore the files that were encrypted from your backups.

"You want to make sure your backups are not a single-event-only backup," Doggett explained. "You want to have multiple copies that are archived for some time." The reason for using backups that are older than a few days is that you don't want to restore the malware itself, which may well have been backed up in the most recent backup files.

The KeRanger malware was unusual in that it lay dormant on the computer it was going to infect for three days before launching the infection. According to Doggett, this meant that the hapless user wouldn't be able to tie the infection to the download of the Transmission software. But the three-day delay is unusual, and in the case of KeRanger, it meant that Apple had the time to prevent its execution before it was able to encrypt very many users' data.

"The guys who are doing the ransomware know that most desktop security is likely to detect malware before long, typically measured in hours," Doggett said. "The longer they wait, the less likely it is to be effective." In addition, commercial cloud backup vendors, including Carbonite, will scan the backups they receive for malware and eliminate it if they find it.

Once the ransomware is recognized and the malware removed, all that remains is to restore everything that's encrypted. Depending on how much the ransomware was able to attack, this could take only a few minutes, or it could take hours or even days to decrypt the data files for an entire business.

Either way, copying unencrypted versions of the files to replace the encrypted ones is only a matter of time. If it turns out to be a long time, many cloud backup vendors will speed things up by sending you the backups on a disk, which is much faster than a download.

But the age of innocence is truly over for Mac users, if it ever existed. Malware for the Mac has been around for years, and now ransomware has appeared. That it will return is a certainty, and the only way to prevent it from taking out your data and business operations is to use the same precautions that the folks with Windows do. Try to prevent the malware from hitting you and back up your computers often. Meanwhile, welcome to the real world.


