Ransomware on MacOS

Is MacOS susceptible to ransomware attacks? On a recent episode both David and Stephen said they do not run antivirus software. Sophos, a macOS antivirus software claims it can prevent ransomware attacks.

Thoughts?

Theoretically it’s possible.

Practically it’s unlikely.

3 Likes

Never ran an antivirus on either macOS or Windows for the last 15 years. Computers do not get viruses from the air. They are as clean as their inputs.

It’s possible if a user with admin rights installs software and overrides all the warnings and safety measures Apple put in place.

Or a person with admin rights who doesn’t update their software. Most ransomware spreads using vulnerabilities in operating systems (usually in Windows, but it could be possible in theory on Macs).

I’ve seen it at work. Some ransomware is cross-platform and relies on nothing more than a person running something by mistake, thinking they’re opening an attachment or some such thing, no admin rights necessary.

2 Likes

The following Macworld page, “Can Macs get ransomware and how to stop a ransomware attack”, seems to offer a clear overview.

1 Like

I’ve never run antivirus on any Mac I’ve owned. Antivirus causes more problems than it solves.

It’s definitely possible, but not something I lose sleep over, as I take precautions.
I run Malwarebytes on my two machines, and Malwarebytes and Sophos on my girlfriend’s laptop, as she seems more susceptible to malware, etc. (I had performance issues with Sophos on mine.)
I also periodically run a scan for Malware with CleanMyMac.

I also keep a backlog of backups, in the event my data were encrypted without my knowledge.

So I think it boils down to:

  • What can you afford to lose?
    • Business records?
    • Research data?
    • Family photos?
    • Candy Crush high scores?
  • How exposed are you?
    • Do you have 3-2-1 backups?
    • Are you connected to the internet?
    • How easily fooled are you into installing “system scan” software, etc.?

There are probably other factors I’m not thinking of at the moment.

1 Like

Malwarebytes is good but only works for web browser attacks.

Sophos finds and blocks malicious code. Finds it in email attachments, downloads, external storage the second you connect it etc etc.

Agreed.

Good article. Thanks for the pointer.

1 Like

I keep most of my data in the cloud. Does this offer any protection against these sorts of ransomware attacks? Can they lock out my data in Dropbox, iCloud or my work’s MS OneDrive thing?

You couldn’t be more wrong… That’s just not how the program works. What purpose would that serve?

I am not going to argue about that. Figure it out yourself.

Um. What? No. MalwareBytes has a real-time scanner that will check files that come in from whatever manner. However, that’s only available in the paid version.

(I also don’t run the MalwareBytes real-time scanner because I found the CPU impact way too high and the actual threats way too low.)

“RansomWhere”

I keep meaning to recommend the oddly-named RansomWhere which is a free program from Patrick Wardle.

RansomWhere tries to detect ransomware-like activity automatically without looking for a specific piece of malware. Quoting its product page:

Let’s try to generically thwart OS X ransomware via math!

By continually monitoring the file-system for the creation of encrypted files by suspicious processes, RansomWhere? aims to protect your personal files, generically stopping ransomware in its tracks.

I have run this before, and there are some false-positives, but it pops up a warning which allows you to continue as long as you know that the activity is safe.

The benefit of this approach is that it can potentially catch new ransomware before it’s discovered anywhere else.

I also did not notice any kind of system slowdown by using RansomWhere.

1 Like
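The post above describes RansomWhere’s approach as “thwart ransomware via math”: watch for newly created files whose bytes look encrypted, regardless of which malware wrote them. The script below is an added example, not RansomWhere’s code or anything from Patrick Wardle, that shows the statistics behind that idea: it measures the Shannon entropy and chi-square of a file’s first bytes, flags files that are indistinguishable from random, and treats already-compressed formats (PNG, ZIP and so on) as benign, which is one way to handle the false positives the post mentions. The thresholds, the extension allowlist, the sample size and the polling-based scan are all assumptions chosen for this demo; a real monitor would subscribe to file-system events and record the writing process.

```python
"""Entropy heuristic for spotting freshly written files that look encrypted.

Added example (not RansomWhere's code). Thresholds, the extension allowlist
and the sample size are assumptions chosen for this demo.
"""
import math
import os
import tempfile
from collections import Counter

SAMPLE_BYTES = 64 * 1024        # examine at most the first 64 KiB of a file
ENTROPY_THRESHOLD = 7.9         # bits per byte; random/encrypted data approaches 8.0
CHI_SQUARE_THRESHOLD = 400.0    # 255 degrees of freedom: uniform data scores about 255
# Formats that are already compressed also score "random"; treating them as
# benign is how this demo avoids flagging every photo or archive (assumed list).
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".png", ".jpg", ".jpeg", ".mp4", ".dmg"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    if not data:
        return float("inf")
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def looks_encrypted(data: bytes) -> bool:
    """True when the bytes are statistically indistinguishable from random."""
    return (shannon_entropy(data) >= ENTROPY_THRESHOLD
            and chi_square(data) <= CHI_SQUARE_THRESHOLD)


def classify_file(path: str) -> str:
    """Return 'encrypted-looking', 'compressed-format' or 'plain' for one file."""
    if os.path.splitext(path)[1].lower() in COMPRESSED_EXTENSIONS:
        return "compressed-format"
    with open(path, "rb") as fh:
        sample = fh.read(SAMPLE_BYTES)
    return "encrypted-looking" if looks_encrypted(sample) else "plain"


def scan_new_files(directory: str, seen: set) -> list:
    """One polling pass: report paths not yet in `seen` whose contents look encrypted.

    Polling stands in for the file-system event hook a real monitor would use.
    """
    suspicious = []
    for entry in os.scandir(directory):
        if entry.is_file() and entry.path not in seen:
            seen.add(entry.path)
            if classify_file(entry.path) == "encrypted-looking":
                suspicious.append(entry.path)
    return suspicious


def demo() -> dict:
    """Write constructed sample files to a temp dir and return their classifications."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "notes.txt": b"Quarterly design notes for the client.\n" * 2000,
            "notes.txt.locked": os.urandom(SAMPLE_BYTES),   # stand-in for ciphertext
            "logo.png": os.urandom(SAMPLE_BYTES),           # random bytes, but allowlisted
        }
        for name, content in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        seen = set()
        flagged = scan_new_files(tmp, seen)
        result = {name: classify_file(os.path.join(tmp, name)) for name in files}
        result["flagged"] = [os.path.basename(p) for p in flagged]
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two statistics complement each other: entropy alone rises for any compressed data, while the chi-square test against a uniform histogram separates true random-looking output (score near 255) from text or structured data (score in the thousands). Run the file directly to see `notes.txt` classed as plain, `notes.txt.locked` as encrypted-looking and flagged, and `logo.png` skipped by the allowlist.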

Cloud data isn’t protected if it’s synced locally.

Let’s say you have iCloud Drive data. Ransomware hits your computer and encrypts everything. Your iCloud data now helpfully syncs with the iCloud server, and the iCloud server now has encrypted data.

The only real saving grace would be if your data was large enough that the sync couldn’t complete, or if the ransomware locked your computer before the sync happened.

If your cloud provider offered versioning you could probably do a rollback, but it would likely be much more hassle than being able to restore from a local backup of some sort.

1 Like

Okay. I’m no “expert” but I know a little bit. So you’re saying an EDR that’s being deployed at major enterprises, schools, hospitals etc. only protects against one threat vector? Do you know how EDRs work?

So how does Sophos “find” malicious code? Here’s a hint: neither Malwarebytes nor Sophos “finds” any code. Generally speaking they analyze file metadata against known malware and look for “indicators of compromise”. If they find an indicator they associate it back to the file and then block the malicious file from running.

I’m not going to argue with you. You’ve showed your hand by posting affiliate links and trying to justify it because you’re giving “free advice”; ← your words. No affiliate link this time, but it didn’t stop you from piping up and making a baseless claim. Be well “expert”…

Hey @tjluoma,

I have a friend who has his whole business data on Dropbox, tens of years of designs and graphic files, and he asked me what the latest in protection from ransomware in the Mac world is. Because, of course, as a designer, his shop is mostly Mac-based.

Have you been running RansomWhere lately, on newer versions of the OS and Apple Silicon?

The latest release from Patrick Wardle is dated 06/11/2018 and I am always a little worried about running code which is 3 1/2 years old on my M1-powered MacBook Air.

For the job I do, I run SentinelOne’s EDR, but it’s an enterprise product, and not one suitable for home use, or for small/medium businesses.

Many thanks for any suggestion on this topic!

Bye, Luca

Regardless of the malware questions/issues, I’d recommend you ask your friend “why” their whole business data is on Dropbox. What problem are they fixing? Collaboration? Business backup? Disaster recovery?

If the latter two, it would be good to think again as Dropbox doesn’t really help, and probably hinders, esp. if the data is there exclusively (which I hope not… just noticing).