First Mac ransomware had sights on encrypting backups, too

Gregg Keizer | March 8, 2016
Hackers never finished the feature, but evidence suggests they wanted to guarantee Mac owners paid the US$400 ransom.

One way to avoid paying such extortionists is by restoring the system using recent backups.

Ransomware writers now typically disable Windows' "System Restore" feature, which regularly takes snapshots of the PC, then lets the user return to that milestone, said Olson. It's less common for ransomware to explicitly target backups on Windows, however, perhaps because the operating system's integrated Backup functionality is little used and scores of alternatives vie for market share.

"Some Windows ransomware will encrypt backups as well as the main drive," said Reed, although he acknowledged the practice was not widespread.

Reed, who authors Malwarebytes Lab's official blog, pointed out that Time Machine backups are "infamously fragile," and it's possible that had the hackers implemented an encrypt-all-external-backups feature in KeRanger, users would have found their backups trashed, not just locked up. In that case, paying the ransom wouldn't have done any good, at least for the backups.

"As long as you're respectful of it, and using Time Machine to do restoration, you're good," said Reed. "But if you go messing with Time Machine backups with another app, you can break the whole thing, so you can't restore at all."

While there may not be much that Apple could do to prevent Time Machine backups from being encrypted by hackers -- Reed said that KeRanger would have spotted any drive "mounted" to the Mac, a task that Time Machine does in the background when it initiates a scheduled backup -- Mac users can recover a ransomware-locked system if they have multiple backups, both Olson and Reed said.

"Ideally, you should have multiple backup systems, with only one connected to your computer at one time," said Reed. "Redundancy is good."

Storing one backup offsite is also a good idea, added Olson, a tip that ensures data survivability in case of natural disaster, theft or fire.

