In early March of this year, the first fully functional ransomware attack coded for the Mac platform was launched. The malware had infected an official update for Transmission, the BitTorrent client application used by millions to illegally download content on P2P networks. While most in the pro audio industry likely considered the victims’ woes to be karmic justice for their theft of intellectual property, it was also immediately recognized that Mac users’ long-enjoyed invulnerability to ransomware attacks was now over. Ransomware can infect many types of files, not just BitTorrent applications.
For those not yet in the know, ransomware is malware that maliciously encrypts files on an infected computer, preventing the owner from accessing his or her data. The perpetrators demand a ransom (typically hundreds or thousands of dollars) be paid to them before they will decrypt the files. There is no guarantee the criminals will unlock your data after you pay up.
In this article, I’ll share some strategies for protecting your Mac from ransomware and, should the worst happen and your computer becomes infected, recovering your data without paying the criminals.
Obviously, your first line of defense against ransomware is never to download any files from a website you don’t completely trust. But that’s not always enough; after all, it was an official update for Transmission, posted on the manufacturer’s website, that was infected in March.
Your best insurance is to backup your data in a way that shields it from infection. While many (hopefully most) of us already backup our data to protect against unintentional file corruption or loss, ransomware attacks now impel us to alter our backup routines to address this new threat specifically.
In the case of the March attack, the ransomware (named KeyRanger) waited three days following infection before encrypting the computers’ files. (Other ransomware may encrypt on a different schedule.) Any backup drives (and cloud services) that were connected to the infected Mac and booted or synchronized during that period—or thereafter, until the malware was purged—were also potentially vulnerable to the hidden attack. While KeyRanger can’t currently encrypt a Time Machine backup, ransomware can potentially delete your backup to prevent data recovery. And restoring your data using a backup that unwittingly archived the malware only serves to re-infect your Mac.
Fig. 1. To protect your data backups from ransomware infection or deletion, keep Time Machine turned off and your backup drives powered down and disconnected in between backup operations. Because you might not realize your Mac was infected until days after you unknowingly archive the malicious code, frequently backing up to the same hard drive no longer provides reliable security. By backing up your data successively to alternate external drives, at spaced intervals in time, you increase the odds that one of your backups will remain intact and uninfected after an attack. Power down and disconnect your backup drives in between backups to limit the amount of time they’re potentially exposed to infection (see Figure 1).
Fig. 2. Carbon Copy Cloner can make an exact clone—on a bootable drive—of your boot drive. Unlike with using Time Machine, versioned backups are not possible but data recovery is instantaneous on boot. My long-standing backup routine has involved alternately using Time Machine and Bombich Software’s Carbon Copy Cloner to make backups of my data to separate external (USB or FireWire) drives. Each application has its benefits: In a nutshell, Carbon Copy Cloner can make a bootable backup copy of your data’s most recent state, while Time Machine can’t use a booting drive but saves multiple updates of your data somewhat like the way DAWs record an Undo History (see Figure 2). (For more details on the benefits of using both Time Machine and Carbon Copy Cloner, please see my article “In Recovery” in the February 2012 issue of Electronic Musician.)
In light of the new ransomware threat to Macs, I now backup once daily to Time Machine—alternating between two external drives—and only once per week using Carbon Copy Cloner (on a third external drive).
RECOVERY AFTER AN ATTACK
Apple has incorporated various security features into OS X to help protect Macs from malware attacks, but that didn’t initially stop the KeyRanger attack in March. Should your Mac become infected and an Apple fix isn’t forthcoming, you have two options to consider using before attempting to restore your data from an external backup drive: Erase the infected drive by overwriting its partition table with zeros, or discard the infected drive and replace it with a new, pristine drive. Because you can’t wipe a boot drive without booting from another drive—and risking it also getting infected—I feel safer replacing the infected drive altogether.
Next, you’ll want to restore your backup data to your new drive. You need to determine which backups were unlikely to have been exposed to the ransomware. First, use trusted online resources to learn how soon the ransomware encrypts files after infecting computers; these details usually become available within 48 hours after an attack. Then review the backup schedule you used for each external drive, and use a backup that predates when your Mac was infected.
If you used Time Machine to make daily backups, the last few made prior to the ransomware encryption might have been infected. If you deem your weekly Carbon Copy Cloner (CCC) backup to be unaffected, boot your Mac from the CCCbackup drive. You can continue to use the CCCbackup drive as your boot drive as long as you like. You can also use CCC again to backup your existing CCC clone to your new drive.
The main drawback to using a weekly CCC backup to restore your data is you could lose as much as a week’s worth of work. If you have a Time Machine backup that is more recent but which predates the ransomware infection, you can use that instead to restore your files. Because a Time Machine backup drive isn’t bootable, you’ll need to boot your Mac from your CCC-backup drive and launch Time Machine from it. Then use the most recent Time Machine backup you know to be uncorrupted to restore your data—including your System—to your new drive.
Mac users can no longer assume that ransomware attacks will only affect Windows users. Be safe. Develop an alternating backup routine and use it.