While waiting for data capture to finish I got to talking with the 2nd Level who is helping me out with a problem.
I asked him about ransomware and he indicated that if you turned on FileVault, which encrypts your hard drive, then ransomware could not encrypt an already encrypted file system.
Does anyone know if that’s true?
How much does File Vault slow down the file system?
Does it cause any problems with Programs like Devonthink? Etc.
This claim doesn’t make sense to me. You can easily encrypt files on an already encrypted drive. Examples:
Create an encrypted ZIP archive on a FV encrypted partition
Create an encrypted sparse bundle on a FV encrypted partition (that should actually be FV-ception?)
Create an encrypted DOCX or XLSX file in Word or Excel (via Save as-dialog) on a FV encrypted partition
Create an encrypted VeraCrypt image file on a FV encrypted partition
Create an encrypted DevonThink database on a FV encrypted partition
FileVault is still a great feature, and especially on mobile Macs, it is more or less a must-have, in my opinion. Ever since the days of FileVault 1 have been over, it’s very reliable and the performance penalty should not be relevant for most people’s daily use, because modern CPUs have baked-in AES support, among other reasons.
Maybe one could argue that FileVault saves you from a bad actor easily accessing your Mac physically and then installing some malware… but I would not let that scenario count.
Of course, as always, don’t forget your password/save it somewhere safe and don’t forget to create backups.
FileVault on a modern Mac is a no-brainer. Apple turns it on by default, too. Frequent backups, with some kept for a long time, are what will save you from ransomware.
File Vault does not slow down the system. In fact, if you have a T2 or Apple Silicon Mac, your internal drive is already being encrypted, even if you haven’t enabled File Vault. All turning on File Vault does is use your password to encrypt the key.
Likewise it shouldn’t cause any problems with DEVONthink or other software. One situation where it can be an issue is with a headless Mac that you log into remotely using screen sharing. You need to enter your password in order to unlock the drive, in order to run screen sharing. Outside of this very specialized niche, there’s really no reason not to use File Vault.
That said, the idea that File Vault will prevent ransomware from encrypting your files is BS. File Vault is a great feature that will protect your data, but it’s not designed to guard against malware that’s already on your machine.
But @SteveU75 is not running his own healthcare system. And a large commercial enterprise should not need any of us to tell them how to protect themselves. Although sometimes it seems like it does.
Yeah, for personal use, backups are mostly an easy path to recovery, but even for small companies, a successful ransomware attack is a disaster (due to unavoidable downtime until the entire infrastructure is safely restored), almost no matter how good your backup strategy was. (Obviously, the disaster will be 1000x larger without backups.) Always enjoyable to read news comments on those cases. “Oh they really should have used a Firewall and created some USB stick backups, then that whole zero day attack totally couldn’t have happened and even if, how hard can it be to wipe your entire corporate infrastructure and then copy some files back to the PCs.”
I really hope ransomware gangs will be treated like the terrorists they actually are. But anyways, always stay cautious, don’t click weird links sent via email and ideally never open .docm, .xlsm, .pptm or .doc, .xls or .ppt files, because those old formats could actually hide macros inside them. (Are macros actually a realistic threat on macOS or only on Windows?) That’s more effective against ransomware than FileVault.
The “it’s already encrypted” logic reminds me of the movie, “What About Bob?”, where Bill Murray’s character would pretend to have diseases. His logic was that if he pretended to have something, he couldn’t actually have it.
Although, out of curiosity:
Does that basically mean that there isn’t a lot of benefit to using FileVault anymore? Or could the Apple Silicon Macs still be hacked in such a way (practically speaking) that they’d give up the data on the drive?
Yeah. The idea that people think you can back up an entire corporate infrastructure onto some USB drives is always hilarious. Of course many of those same people think that “moving a file to a USB drive” is backing it up. Even if that’s now their only copy.
Although, true story…
One of my ex in-laws managed to shatter a flash drive in a way that cracked the circuit board. It had some pretty important data on it, and she was wondering if I could get the data off. I told her I couldn’t, but I helpfully researched a couple of companies that could do pretty cool things with flash drive recovery - they were just expensive. I think we were guessing it might cost a few hundred dollars.
The response - and I quote almost verbatim - “That’s complete BS. The whole drive only cost $20.”
Y’know…because a professional data recovery person should obviously set their rates based on the sale price you got on the drive at WalMart. Everybody knows that…right?
My understanding of how it works is that the drive is always encrypted using a randomly generated key. However, if you don’t have file vault on, the Mac just automatically uses the key to decrypt data from the drive whenever the machine is booted. What turning on File Vault actually does is use your password to encrypt the key. It’s as secure as the password you use for File Vault.
The arguments being 1) The randomly generated key is probably at least as secure as anything a user could come up with, and 2) The user doesn’t have to remember the randomly generated key. Right?
My understanding is the FileVault password is in addition to the encryption provided by the T2 controller. So if you choose a weak password for FileVault, you won’t have weakened the default T2 encryption.
FileVault will protect you if, for example, someone boots your computer in target disk mode. They won’t be able to use your laptop as an external drive without the FileVault password. Basically, any scenario where the T2 is activated is one where FileVault could potentially benefit.
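The key hierarchy described in the two posts above (a random volume key that is always used, and a password-derived key that wraps it when FileVault is on) as an added toy illustration, not Apple's code: the wrap uses an HMAC-SHA256 keystream and tag instead of a real key-wrap cipher, and `derive_kek`, `wrap_dek`, `unwrap_dek`, `change_password` and `enable_filevault` are names chosen for this example.

```python
import hashlib
import hmac
import os

# Toy model of the structure discussed above (not Apple's implementation):
# data on disk is encrypted under a random volume key (DEK); enabling
# FileVault wraps that DEK under a key derived from the password (KEK).
# Real systems use AES key wrapping; HMAC-SHA256 stands in for it here.

def derive_kek(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Password -> key-encryption key via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)

def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """Encrypt the DEK under the KEK and append an integrity tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_dek(kek: bytes, blob: bytes):
    """Return the DEK, or None when the KEK (i.e. the password) is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))

def change_password(old_pw: str, new_pw: str, salt: bytes, blob: bytes):
    """Re-wrap the same DEK under a new password; the data on disk is untouched."""
    dek = unwrap_dek(derive_kek(old_pw, salt), blob)
    if dek is None:
        return None
    return wrap_dek(derive_kek(new_pw, salt), dek)

def enable_filevault(password: str):
    """Generate the volume key and wrap it; returns (salt, wrapped_dek, dek)."""
    dek = os.urandom(32)        # the random key the drive was already using
    salt = os.urandom(16)
    return salt, wrap_dek(derive_kek(password, salt), dek), dek
```

The volume key never changes across a password change, which is why the password is the only thing a wrong guess has to get right, and why the whole scheme is only as strong as that password.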
No, it’s not true. It’s not even logical and sounds like something said by someone who is too unsure of themselves to admit when they don’t know something.
Ransomware is not turning on FileVault and not telling you about it. It is encrypting files on your drive. FileVault is completely irrelevant.
If you have an SSD, it’s unlikely that you would notice it.
It does not.
How to protect yourself from Ransomware
There is a free app called RansomWhere from a Mac security researcher. It will try to monitor your filesystem for processes that are encrypting files — and it will stop that process and ask you to confirm that you want to do it.
Is it foolproof? No. You can fool it. It will stop legitimate processes and you will have to say "yes, that is a process that I want to run."
Will it catch new ransomware? Possibly, hard to prove.
Is it better than nothing? YMMV. I think so.
The only real protection, I suppose, is a copy of your data on write-once media, which is unlikely to be feasible for most people.
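The kind of heuristic a tool like the one above relies on (flagging a process that replaces structured files with ciphertext-like data), as an added example that is not RansomWhere's code: it measures byte entropy of file contents and compares before/after snapshots. The sample snapshots are constructed here, and the function names are this example's own.

```python
import math
import os
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5, min_size: int = 1024) -> bool:
    """Heuristic: a sizeable file whose bytes are near-uniform is probably ciphertext."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold

def suspicious_rewrites(before: dict, after: dict) -> list:
    """Paths whose content went from structured (low entropy) to ciphertext-like."""
    flagged = []
    for path, new_data in after.items():
        old_data = before.get(path, b"")
        if not looks_encrypted(old_data) and looks_encrypted(new_data):
            flagged.append(path)
    return sorted(flagged)

# Constructed sample snapshots (not real files): a text document that is
# replaced by random bytes, as ransomware output would look, plus a freshly
# written archive of incompressible data, which the heuristic also flags.
# That second hit is the false positive the post warns about.
DOC = b"Quarterly revenue report, draft 3. Figures are in thousands.\n" * 60
SNAPSHOT_BEFORE = {"report.txt": DOC, "photos.zip": b""}
SNAPSHOT_AFTER = {
    "report.txt.locked": os.urandom(len(DOC)),      # ciphertext replaces the document
    "photos.zip": zlib.compress(os.urandom(4096)),  # legitimate, but equally high entropy
}

if __name__ == "__main__":
    for path in suspicious_rewrites(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"high-entropy rewrite: {path}")
```

Entropy alone cannot tell an archive or an image from ciphertext, which is why such a monitor has to ask the user to confirm rather than kill the process outright.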
I manage information security for my organization; keeping ransomware from being a problem is my responsibility (and something that (literally) keeps me up at night). The assertion that an already encrypted drive is any protection from ransomware is complete nonsense.
The recommendations that I give to our users to protect themselves from ransomware (or to be able to recover from an incident) are:
1. Obsessively keep your OS and software 100% patched and up to date. This goes double for browsers.
2. Have a good backup plan and follow it religiously. Test your backups. Keep at least one of them completely offline (not in the cloud, not on a plugged in drive, 100% disconnected and offline). If you’re hit by ransomware, your backups are your best bet for recovery and at least one of them absolutely must be kept out of reach of the malware.
3. Take care about what software you install and where you get it. Install software only from reputable sources.
4. Avoid double clicking on things to open them. Yes, really. (Installed applications are fine, but anything else is best avoided. Right click and “Open with…” instead.)
5. Treat emailed attachments with caution. (See 4.)
You can’t keep yourself 100% protected, but if you do these things you’ll be reasonably safe from falling victim, and in a good place to recover if you do.
One more thing to consider: A relatively recent trend in ransomware attacks is to not only encrypt data, but to also exfiltrate the data and threaten to expose it if the ransom isn’t paid. Right now that’s largely limited to attacks on organizations rather than individuals, but I would not be surprised to see it migrate. This is not a problem for you if you’re okay with public exposure of everything on your computer, but most of us have at least some private or sensitive data on our computers.
A. Thank you for sharing this whole post. It’s good to hear from someone with expertise.
B. To reiterate the above: If you have private data on your computer, be sure that it is encrypted beyond FileVault. You can keep things in 1Password. You can make a password-protected DMG. There are options. But don’t risk exposing your Super Sekret Business Plans, The Colonel’s Recipe, or any pictures or files you wouldn’t show your mom.
Amazon has offered S3 object lock for a few years which, as I understand, combined with the proper backup software, can create immutable backups. That feature is now available from other cloud storage vendors.
Not directly addressing the OP’s question, but here’s an image that I have used in talks and presentations about ransomware. It’s FitBit heart rate data from an employee after they’d received a (fake) ransomware webpage warning after they’d been doing something they shouldn’t have been doing. It’s shared with permission.
You could actually do “pull” backups rather than “push” backups, i.e. set up a server which accesses your Macs with read-only rights and copies the files over.
Or, you use a local LAN sync service such as Resilio (and there’s another newer one, SyncThing?), sync your most important data via LAN to your server, and then have your server create a versioned backup of those files. Just make sure to really harden that server…
For personal usage, this should be enough or even overkill. Nice addition to regularly exchanged offsite backup hard drives in any case.
Hypothetical question: if you installed ransomware and unlocked it on your own device, would the same ransomware be able to encrypt your files? I’m just thinking out loud, but if the software is already installed, then it wouldn’t get installed a second time and couldn’t be used as an attack?