Ransomware

Discussion in 'macOS' started by Lodesman, Nov 28, 2016.

  1. Lodesman macrumors regular


    Joined:
    Feb 4, 2014
    Location:
    Folkestone, Kent, UK
    #1
    Bit of a fuss on TV this morning (UK) about ransomware.

My Mac runs El Cap protected by McAfee (free with my ISP). I am careful about not opening emails with attachments I don't recognise.

How vulnerable should I feel?
     
  2. Phil A., Nov 28, 2016
    Last edited: Nov 28, 2016

    Phil A. Moderator


    Staff Member

    Joined:
    Apr 2, 2006
    Location:
    Shropshire, UK
    #2
    Just continue to be careful about opening unknown attachments or downloads and make sure you have good offline backups

It's safest to view a ransomware event as a "when", not an "if" (just like you should view a hard disk failure) and to make sure you're well equipped to deal with it with multiple offline backups (so the backups can't be encrypted). That way, if you ever do fall prey to one, you won't suffer. The alternative of thinking it will never happen and not preparing for it leaves you vulnerable if you get hit by one.
     
  3. Lodesman thread starter macrumors regular


    Joined:
    Feb 4, 2014
    Location:
    Folkestone, Kent, UK
    #3
    Thanks Phil A. Especially your advice about offline backups.

To date, I have my TM backup ext HDD permanently connected. I think I'll pick up a small ext HDD for offline backups.
     
  4. maflynn Moderator


    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #4
To date, ransomware has only been an issue with Windows AFAIK, though that could possibly change at any time. As mentioned, safe computing habits should limit the risk. I'm hoping the security features in OS X, and its underlying Unix system, also protect us.
     
  5. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #5
Multiple backups – at least one offline backup – are the only defence against ransomware. There is not anything peculiar or advanced about ransomware; it is simply malicious software that encrypts the user's files. Unless the executable is sandboxed or runs as a different user, your files can be read and written to.
     
  6. martint235 macrumors regular


    Joined:
    Apr 13, 2016
    #6
Yup, I've got a couple of offline backups. Not had any ransomware yet, but if I do, it's just a simple re-install of Windows.
     
  7. maflynn Moderator


    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #7
The thing that scares me is that ransomware can lie dormant for a period of time, and then activate. That means backups are infected and you won't even know it.
     
  8. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #8
    That is true. Presumably, the best defence would be to move older, unneeded files to an external drive and make backups of that drive with a separate system, such as a locked-down version of Linux or OpenBSD, unconnected to the Internet. If you have a DVD drive, you can also burn them of course (though a bit trickier with encryption, as you can never change the encryption key after the data was burned to disc).
     
  9. martint235 macrumors regular


    Joined:
    Apr 13, 2016
    #9
    Ransomware isn't about "infection" per se. The idea is the software is loaded and executed and then encrypts all your files so that you can't access them. The encryption is removed when you pay them money.

If you can open a file before you back it up, then the backup won't be encrypted. I'm sure there are some clever hackers out there with ways round this, but your bog-standard ransomware writer will just encrypt My Documents, My Pictures etc.
     
  10. maflynn Moderator


    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #10
    But it is
    http://www.networkworld.com/article...infected-pcs-until-this-week-report-says.html

     
  11. elf69 macrumors 65816


    Joined:
    Jun 2, 2016
    Location:
    Cornwall UK
    #11
Malwarebytes make an anti-ransomware program for Windows.
It loads as Windows does on boot.

It works really well and stops the dreaded crypto virus getting your files.

No version for Mac yet, though.

I use Time Machine on all my Macs and disconnect the drive after a backup, so I should be OK.
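
An added example, not code from elf69's post or from any poster: the "back up, then disconnect" routine described above, automated so the destination disk is mounted only for the duration of the backup. It uses three documented macOS commands (`tmutil destinationinfo`, `tmutil startbackup --block`, `diskutil eject`). The `destinationinfo` sample below is constructed to match the layout tmutil prints, with a placeholder ID, so the parsing logic can be exercised off a Mac; the real commands are only executed when `dry_run` is False.

```python
"""Added example: run a Time Machine backup, then eject the destination.

Assumptions (not from the thread): the destination is a locally attached
disk that tmutil reports with Kind "Local" and a Mount Point line; the
sample output below is constructed in that layout with a placeholder ID.
"""
import subprocess

# Constructed sample of `tmutil destinationinfo` output (placeholder ID).
SAMPLE_DESTINATIONINFO = """\
====================================================
Name          : TM Backup
Kind          : Local
Mount Point   : /Volumes/TM Backup
ID            : 00000000-0000-0000-0000-000000000000
"""


def parse_destinations(text: str) -> list:
    """Split tmutil's '====' separated records into a list of dicts."""
    dests, cur = [], {}
    for line in text.splitlines():
        if line.startswith("="):          # record separator
            if cur:
                dests.append(cur)
            cur = {}
            continue
        if ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    if cur:
        dests.append(cur)
    return dests


def backup_and_eject(dry_run: bool = True) -> list:
    """Back up to every mounted local destination, then eject each one.

    Returns the command list that was (or, in dry_run, would be) executed,
    so the caller can log it or a test can check it.
    """
    if dry_run:
        info = SAMPLE_DESTINATIONINFO
    else:
        info = subprocess.run(["tmutil", "destinationinfo"], check=True,
                              capture_output=True, text=True).stdout
    local = [d for d in parse_destinations(info)
             if d.get("Kind") == "Local" and d.get("Mount Point")]
    cmds = []
    if not local:
        return cmds                       # nothing mounted: already offline
    # --block waits for the backup to finish before we pull the disk.
    cmds.append(["tmutil", "startbackup", "--block"])
    for d in local:
        cmds.append(["diskutil", "eject", d["Mount Point"]])
    if not dry_run:
        for c in cmds:
            subprocess.run(c, check=True)
    return cmds


if __name__ == "__main__":
    for c in backup_and_eject(dry_run=True):
        print(" ".join(c))
```

Ejecting keeps the hourly automatic backups from ever seeing the disk between runs, which is the point; it does not protect against a payload that has already obtained root and can remount the volume, or against one that fires while the backup is in progress.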
     
  12. martint235 macrumors regular


    Joined:
    Apr 13, 2016
    #12
Still not infection; it's not entering the actual files and lying dormant, it's dormant on the PC. If you've backed up your files before it wakes, that backup is safe. You just need to ensure that when you're restoring from backup you don't bring it with you.

EDIT: just to be clear, I count infection as a file that either inserts itself into your files or into the registry. For ransomware, once you've reinstalled your OS the ransomware is gone.
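
An added example, not code from martint235's or maflynn's posts: the "open it before you back it up" test from #9 and #12 made mechanical, which also addresses the dormant-payload worry in #7. A payload that has already fired leaves files that either no longer start with the magic bytes their extension implies, or carry a new extension and consist of near-uniform ciphertext. Running this over the source tree before a backup, and over the backup set afterwards, shows whether what you are about to keep is still plaintext. The sample tree is constructed in a temporary directory so the script runs offline; the magic-byte table is real, the entropy threshold is an assumption.

```python
"""Added example: flag files that look encrypted before they are backed up.

Assumptions (not from the thread): ENTROPY_THRESHOLD of 7.5 bits/byte and
the constructed sample tree built by build_sample_tree().
"""
import math
import os
import random
import tempfile
from collections import Counter

# Real magic-byte prefixes for a handful of common user file types.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML is a zip container
    ".zip": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.5   # bits per byte (assumed; uniform random is ~8.0)
SAMPLE_BYTES = 65536      # only the head of each file is examined


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> str:
    """Return 'ok' or a 'SUSPECT: ...' reason for one file."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    magic = MAGIC.get(ext)
    if magic is not None:
        # Known container type: the header must be present.  Entropy is not
        # used here because JPEG/PNG/zip payloads are legitimately dense.
        return "ok" if head.startswith(magic) else "SUSPECT: magic mismatch"
    # Unknown or renamed type (e.g. invoice.docx.encrypted): fall back to
    # entropy, the only signal a bare ciphertext blob gives.
    if shannon_entropy(head) > ENTROPY_THRESHOLD:
        return "SUSPECT: high entropy"
    return "ok"


def scan(root: str) -> dict:
    """Map each file under `root` (relative path) to its verdict."""
    verdicts = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdicts[os.path.relpath(full, root)] = classify(full)
    return verdicts


def build_sample_tree(root: str) -> None:
    """Constructed sample data: two healthy files and two 'encrypted' ones."""
    rng = random.Random(1)                                   # deterministic
    blob = bytes(rng.getrandbits(8) for _ in range(4096))    # ciphertext stand-in
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 512,   # valid JPEG header
        "notes.txt": b"Quarterly figures, draft 3.\n" * 40,   # plain text
        "report.pdf": blob,                                   # overwritten in place
        "invoice.docx.encrypted": blob,                       # renamed by the payload
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:26s} {path}")
```

Two caveats a practitioner should keep in mind: a payload that has not fired yet is invisible to this check, which is why the offline copy still matters; and a payload that preserves file headers or compresses before encrypting will pass the magic test, so treat a clean scan as absence of obvious damage rather than proof of health.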
     
  13. JohnDS macrumors 65816

    Joined:
    Oct 25, 2015
    #13
    Presumably if you had a backup, you could set the clock back on your computer and remove the ransomware from the backup.
     
  14. maflynn Moderator


    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #14
I don't know what the trigger is, but that might be a possibility. The fact remains that these types of malware are becoming more insidious and even backups may not be safe.

So far the fact remains that OS X appears to be largely untouched, whether because those malware authors choose to focus on Windows, or because OS X has set up safeguards - or a mixture of the two.
     
  15. rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
    #15
There was a rare instance of Mac-targeting ransomware earlier this year - KeRanger. A signed installer for a BitTorrent client, Transmission, was used as its pathway. There was evidence in the code, though possibly not fully developed, that Time Machine appeared to be an included target. KeRanger's code included a three-day delay before it would begin connecting with its control servers, then would begin to encrypt certain user files.

    http://researchcenter.paloaltonetwo...ted-transmission-bittorrent-client-installer/
     
  16. TPadden macrumors 6502a

    Joined:
    Oct 28, 2010
    #16
Can a BitLocker encrypted drive be "touched"?
     
  17. maflynn Moderator


    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #17
You mean encrypt data that sits on an encrypted drive? I can't see why not. At the application level, the data appears to be unencrypted because the OS is handling the decryption.
     
  18. Phil A. Moderator


    Staff Member

    Joined:
    Apr 2, 2006
    Location:
    Shropshire, UK
    #18
    Yes, if it's mounted - as @maflynn says, at application level it's unencrypted
     
  19. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #19
I do not think that it would be that easy for malware to touch Time Machine without root privileges. I remember reading that there are measures even at the kernel level that prevent mere users from writing to the Time Machine disk at all. As far as Time Machine goes, you will probably be secure as long as there are no vulnerabilities in Time Machine or the malware obtains root privileges. It is plausible that malware could fill the computer with useless data to cause it to delete old backups, though.

    It deserves mentioning that once again, running as a standard user for 99.9% of the time is good advice.
     
  20. rshrugged macrumors 6502a

    Joined:
    Oct 11, 2015
    #20
At the time of the incident, Dino Dai Zovi tweeted this:
    https://mobile.twitter.com/dinodaizovi/status/706723421116362752

    I'm not quoting this as an appeal to authority but as a possible clue for research. I haven't yet found any confirmation for the claim.
     
  21. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #21
    That’s exactly what I read about. I came across this when I tried to remove a specific file from all Time Machine backups via the tmutil command-line program, similar to the function in the Time Machine application. It turns out that the Time Machine application is the only application capable of this. Older Time Machine backups are effectively untouchable, as long as the disk remains mounted as root and the kernel extension is active.
     
  22. thomasareed macrumors member


    Joined:
    Aug 24, 2015
    #22
    McAfee won't make you much less vulnerable... it pretty thoroughly sucks on the Mac. ;)

    As for ransomware, currently there isn't any on the Mac. As has been mentioned, there was one - KeRanger - but it is extinct at this point.

    Still, new ransomware could appear at any time, so you need to be prepared with good backups. Time Machine is a good start, although it's better for more generalized data loss, and not ideal against ransomware. It is possible for ransomware to tamper with Time Machine backups.

    There has been some speculation that Time Machine backups can't be modified, but that's not actually true... I've known people to delete files from their Time Machine backups in the Finder, which can pretty thoroughly screw up the backup as a whole, often requiring erasing the backup drive and starting over from scratch. So it would definitely be possible for ransomware to damage your Time Machine backups, if they're connected to your computer when ransomware strikes.

    My solution is to use Time Machine - for its convenience - as a primary backup. I also maintain a couple other, separate backups made with Carbon Copy Cloner. One of those always lives in the safe deposit box at the bank, the other is hidden around the house. I keep the one here updated frequently, and about once a month or so, I swap them, so the one in the safe deposit box is never more than a couple months old.

    This protects me against ransomware, as well as against all manner of other threats - theft, fire, etc.
     
  23. Lodesman thread starter macrumors regular


    Joined:
    Feb 4, 2014
    Location:
    Folkestone, Kent, UK
    #23
    Thanks for all the input, I appreciate it, along with the advice.
     