Mac – How (in)vulnerable is OS X to encryption ransomware

Tags: encryption, filevault, security, time-machine

These days, malicious software seems to be infecting Windows computers, encrypting their data against their will, and asking for a Bitcoin ransom in exchange for the encryption key.

  1. In order for such software to run "successfully" on an OS X machine, would the user first have to run it and give the sudo password? Is such a threat conceivable on OS X without the user doing this?

  2. Would FileVault protect against this? Could a ransomware program, if unwittingly installed by a user (who also confirmed with the sudo password), take your FileVault data hostage? Could it take hostage also your TimeMachine backups even if they are encrypted?

  3. In general, how (in)vulnerable is OS X to encryption ransomware, and how careless/unsavvy do the actions of a user have to be in order to actually have his or her data taken hostage?

Best Answer

At the moment, it's relatively safe. Most ransomware has targeted Windows users, and so far, the ransomware that has targeted Macs has been relatively crude. The latest (very crude) Mac ransomware threat did not destroy Time Machine backups, but was not stopped by FileVault.

In general, the steps you describe in part 2 of your question are unlikely to help protect you; encrypted data is not harder to re-encrypt than unencrypted data.

Vulnerabilities that don't require what you describe in part 1 of your question are rare, but are found from time to time. Mac Ransomware that uses one has yet to be seen. It's likely that Mac Ransomware will slowly get more sophisticated, and careful, savvy users are unlikely to lose their data to ransomware anytime soon. But I can't predict the future. This answer may live on for years and such ransomware is likely to turn up eventually. But the meaning of "careful, savvy user" will likely change over time as well.

At present:

Ransomware will have a relatively hard time deleting or encrypting online Time Machine backups. Even as root/superuser, it's hard to delete Time Machine backups:

sudo rm /Volumes/BK1/Backups.backupdb/Orion/2017-03-18-184155/BOOT/var/du--sortedALLk.13224.bak
Password:
override rw-r--r--  root/wheel for /Volumes/BK1/Backups.backupdb/Orion/2017-03-18-184155/BOOT/var/du--sortedALLk.13224.bak? y
rm: /Volumes/BK1/Backups.backupdb/Orion/2017-03-18-184155/BOOT/var/du--sortedALLk.13224.bak: Operation not permitted

But it's far from an insurmountable problem. I think folks should assume that the additional step that the ransomware would have to go through (which I'm familiar with but choosing not to publicize - I'd rather not help script kiddies) to be able to delete or encrypt TM backups is something most Mac ransomware you're likely to become infected with will be programmed to take.

Time Machine users are encouraged to allow backups to run often, which makes them quite vulnerable to ransomware.

Therefore some backup drives should be connected less often and kept more secure - not fully accessible to the system - specifically to protect from ransomware.

Typically, victims realize they've been infected with ransomware only when the ransomware announces its presence. So it's likely you won't be able to tell that a computer is infected with ransomware before it has a chance to encrypt the data on a frequently or continuously connected external drive. Assuming otherwise is far from a safe assumption. The ransomware threat makes better disaster preparedness, including having more numerous offline physical backups, more important.
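The answer's last point, that a continuously connected backup can be encrypted before anyone notices, is easier to act on if the rarely connected drive can be checked each time it is plugged in. The following is an added example, not part of the original question or answer: a small Python tool that records a SHA-256 manifest of a backup set when the drive is connected and, on the next connection, reports how many previously backed-up files were rewritten or removed. Backups normally only grow, so a large share of modified or missing files is the kind of mass change ransomware produces. The directory layout, file names and the 20% threshold are assumptions chosen for illustration; a Time Machine volume has its own structure, so treat this as a generic check for any backup set mounted as a plain directory tree.

```python
#!/usr/bin/env python3
"""Detect mass modification of a backup set by comparing SHA-256 manifests.

Added example (not from the original answer). Assumes the backup set is a
plain directory tree such as a mounted offline backup drive; the paths on
the command line and the 20% threshold are assumptions for illustration.
"""
import hashlib
import json
import sys
from pathlib import Path


def hash_file(path, chunk=1 << 16):
    """SHA-256 of one file, read in chunks so large backups do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative POSIX path -> sha256 for every regular file under root.
    Symlinks are skipped so a link pointing outside the backup is not followed."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare_manifests(old, new):
    """Lists of relative paths that were modified, went missing, or were added
    between the stored manifest (old) and the freshly computed one (new)."""
    modified = sorted(p for p in old if p in new and old[p] != new[p])
    missing = sorted(p for p in old if p not in new)
    added = sorted(p for p in new if p not in old)
    return {"modified": modified, "missing": missing, "added": added}


def assess(diff, baseline_count, threshold=0.2):
    """Return (flagged, ratio). 'ratio' is the share of previously backed-up
    files that were rewritten or removed; above 'threshold' it is treated as a
    mass-change event worth investigating before trusting the backup."""
    if baseline_count == 0:
        return False, 0.0
    touched = len(diff["modified"]) + len(diff["missing"])
    ratio = touched / baseline_count
    return ratio >= threshold, ratio


def main(argv):
    # Usage (paths are illustrative):
    #   backup_check.py baseline /Volumes/OfflineBackup manifest.json
    #   backup_check.py verify   /Volumes/OfflineBackup manifest.json
    # Keep manifest.json on the Mac (or a third location), not on the backup drive.
    if len(argv) != 4 or argv[1] not in ("baseline", "verify"):
        print(__doc__)
        return 2
    mode, root, manifest_path = argv[1], argv[2], argv[3]
    current = build_manifest(root)
    if mode == "baseline":
        save_manifest(current, manifest_path)
        print(f"recorded {len(current)} files")
        return 0
    old = load_manifest(manifest_path)
    diff = compare_manifests(old, current)
    flagged, ratio = assess(diff, len(old))
    for kind in ("modified", "missing", "added"):
        print(f"{kind}: {len(diff[kind])}")
    if flagged:
        print(f"WARNING: {ratio:.0%} of backed-up files changed; do not overwrite this backup")
        return 1
    save_manifest(current, manifest_path)  # accept the new state as the baseline
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the `baseline` mode the first time the offline drive is connected, and `verify` on each later connection before the backup job is allowed to write; a non-zero exit can be used to stop a scripted backup from copying already-encrypted files over the good ones. Store the manifest somewhere the backup drive itself cannot reach, since a tool that rewrites the backup could also rewrite a manifest kept beside it.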