There were days when Macs were malware-free. Unfortunately, those days are long gone. In fact, according to recent research by Malwarebytes, Macs are by some measures an even more attractive malware target than Windows PCs. You may be wondering why, and one common explanation is simple: there is a belief that Mac owners have higher incomes, which makes them worthwhile targets for extortion. That is where ransomware comes in. In this article, we’ll explain what it is and, more importantly, how to prevent ransomware attacks.

What is ransomware? 

Ransomware is a particularly nasty type of malware. Cybercriminals design it to prey on users’ fears and scare them into handing over money. The threats used to extort payment include publishing personal data, exposing online activity, or encrypting data so the user can no longer access it. Sadly, ransomware on the Mac isn’t unheard of. Here are some examples you may have heard of:

  • FBI scam. A browser pop-up claimed that the FBI had blocked the user’s browser and demanded payment to unblock it. Safari users who fell for it found the browser still locked even after force-quitting it, because Safari reopened the page on relaunch. Nothing on the Mac was actually encrypted; the "lock" was the web page itself.
  • ThiefQuest. This ransomware spread via pirated copies of Mixed In Key 8 and Little Snitch downloaded from torrent sites. It encrypted files in the user’s home folder, including some settings and keychain files.
  • Patcher. It posed as a cracking tool for Microsoft Office and Adobe Premiere CC for Mac, but instead encrypted the user’s files and demanded 0.25 Bitcoin for the decryption key. Paying didn’t help: victims never received a key.

So, how common is ransomware, and why is it so dangerous?

Ransomware, including on the Mac, is unfortunately becoming a more dangerous phenomenon, which is bad news for businesses. In 2024, it was the number one global malware threat, causing over $30 billion worth of damage to businesses and organizations worldwide. Notable examples include Ryuk and WannaCry (both of which targeted Windows systems).

Ransomware doesn’t discriminate. Besides businesses, it hits government agencies, schools, hospitals, and critical infrastructure. It is also cheap for criminals to run: build it once, then spread it everywhere. And recovery hinges on a decryption key that the criminals promise to hand over if the ransom is paid.

With AI making convincing lures cheaper to produce, and with nation-states adopting ransomware as a weapon against adversaries, it is likely to get much worse before it gets any better.

Here is a list of reasons why ransomware is so difficult to stop, and why it’s so dangerous.

  1. Once it hits a computer or network, the malware itself can usually be removed, but the encrypted files cannot be recovered without the decryption key or a clean backup. Otherwise you are left with a full wipe and reinstall, which risks losing data.
  2. Even if you pay the ransom, you may never receive the decryption key. And if you do, many files may still be damaged or gone.
  3. When a network is down because of ransomware, everything stops. Hospitals can’t carry out critical medical procedures, companies can’t serve clients (and lose money), and criminal courts can’t hold trials or process cases.
  4. Before encrypting the target files, the attackers often copy and exfiltrate them first (so-called double extortion). The resulting data theft can be catastrophic for businesses and a serious privacy breach for hospitals and their patients.
  5. Victims who pay get targeted again and again. If the criminals know a company will pay, why not keep hitting it for more money?

What happens during a ransomware attack?

Ransomware gets into a network through various means (phishing, bundled software, remote access trojans, and so on), and it usually doesn’t reveal itself right away. In many modern attacks its first job is to copy and steal files, which it could no longer do once everything is encrypted.

The victim is unaware that they’re being robbed under their very nose. Using remote access trojans (RATs), the criminals quietly take control of the network and steal everything they can reach. The data is then moved out to a server the attackers control, over the victim’s own internet connection.

Only then does the ransomware reveal itself and start encrypting files. Any backups it can reach are wiped as well. It then puts a message on the screen demanding a crypto payment within a certain timeframe, after which the files will stay encrypted, be leaked, or be destroyed.

That’s when the victim has to decide: pay up and hope to receive the decryption key, or refuse and either lose the files or wipe the system and reinstall everything.

How to detect ransomware

There are several symptoms of ransomware. The most obvious is a pop-up saying that your data is encrypted, together with a ransom demand, but that is not always what you see. If the pop-up appears in a browser, first force-quit the browser and launch it again without reopening the previous tabs. If the pop-up is gone, it was most likely a scam page trying to trick you into paying or downloading something malicious, not real ransomware.

Other signs include:

  • Alerts from your antimalware software, if you have one installed on your Mac
  • Anomalies in your computer’s behavior (sudden drops in performance, or unusual network activity such as large uploads you didn’t start)
  • Noticing that file extensions have changed — a tell-tale sign of ransomware infection, but a late one, since by then encryption is already under way.
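The three signs above can be checked on disk rather than by eye. The following script is an added example (not code from the article or from CleanMyMac) that scans a folder for renamed files, for text files whose contents have turned into high-entropy ciphertext while keeping their name, and for dropped ransom notes. The suffix list, text-extension list and note keywords are illustrative assumptions, not a complete signature set, and the sample files it builds are constructed test data.

```python
"""Ransomware triage scan of a directory tree (added example, not from the article)."""
import math
import os
import re
import tempfile
from collections import Counter

# Assumption: suffixes appended by some ransomware families (illustrative only).
SUSPICIOUS_SUFFIXES = {".encrypted", ".locked", ".crypt", ".enc", ".lock"}
# Extensions whose legitimate contents are low-entropy text.
TEXT_SUFFIXES = {".txt", ".md", ".csv", ".log", ".json", ".html", ".py"}
NOTE_NAME = re.compile(r"readme|decrypt|restore|how_to|recover", re.I)
NOTE_WORDS = re.compile(r"bitcoin|btc|decrypt|ransom|wallet", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, sample_bytes: int = 4096, entropy_threshold: float = 7.5) -> dict:
    """Walk `root` and bucket files by indicator; paths are returned relative to root."""
    found = {"suspicious_suffix": [], "high_entropy_text": [], "ransom_note": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            base, ext = os.path.splitext(name)
            ext = ext.lower()
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue
            rel = os.path.relpath(path, root)
            if ext in SUSPICIOUS_SUFFIXES:
                found["suspicious_suffix"].append(rel)
            # A text file whose bytes look like ciphertext was most likely encrypted in place.
            if ext in TEXT_SUFFIXES and shannon_entropy(head) > entropy_threshold:
                found["high_entropy_text"].append(rel)
            # Ransom notes are small text files with a shouty name and payment instructions.
            if (ext in (".txt", ".html", "") and NOTE_NAME.search(base)
                    and NOTE_WORDS.search(head.decode("utf-8", "replace"))):
                found["ransom_note"].append(rel)
    return found


def build_sample_tree() -> str:
    """Constructed sample data (not real victim files): one healthy file plus one of each indicator."""
    root = tempfile.mkdtemp(prefix="ransom-triage-")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("Quarterly planning notes.\n" * 200)   # healthy, low entropy
    with open(os.path.join(root, "report.docx.encrypted"), "wb") as fh:
        fh.write(os.urandom(8192))                      # renamed and encrypted
    with open(os.path.join(root, "budget.csv"), "wb") as fh:
        fh.write(os.urandom(8192))                      # encrypted in place, name kept
    with open(os.path.join(root, "HOW_TO_DECRYPT.txt"), "w") as fh:
        fh.write("Your files are encrypted. Send 0.25 Bitcoin to this wallet to decrypt them.\n")
    return root


if __name__ == "__main__":
    for indicator, paths in scan_tree(build_sample_tree()).items():
        print(f"{indicator}: {paths}")
```

Point it at a real folder with `scan_tree(os.path.expanduser("~/Documents"))`. The entropy check is what catches ransomware that keeps file names intact; a threshold of 7.5 bits per byte is well above anything natural-language or source-code files produce, but compressed formats such as .zip or .docx are also high-entropy, which is why only plain-text extensions are tested.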

Can you actually remove ransomware once infected?

While files are being encrypted, you have a very short window to copy the ones that haven’t been touched yet. This assumes, of course, that you know the threat is there in the first place.

Once files have been encrypted, the malware itself can still be removed, but the files cannot be recovered without the decryption key or a clean backup; otherwise you are left with wiping the machine (or the whole network) and reinstalling.

But while encryption is still in progress, you have a chance to stop it by removing the ransomware with CleanMyMac, powered by Moonlock Engine, if you act fast. Once the files are encrypted, however, removing the malware no longer brings them back, and CleanMyMac is unable to decrypt files.

Malware removal module of CleanMyMac

How to remove ransomware

Now, we’ll show you how to remove a ransomware virus from a Mac. Note, though, that some ransomware deletes itself after encrypting your data, while other variants stay on the computer in an attempt to infect other devices.

Here are the steps for ransomware removal:

  1. Disconnect your computer from the internet (turn off Wi-Fi and unplug Ethernet) to stop data being sent out and to prevent the infection spreading.
  2. Disconnect everything else it may reach: external drives, network shares, smartphones, and tablets, and pause or sign out of synced cloud storage accounts so encrypted files don’t overwrite the good copies in the cloud.
  3. Run a Mac virus scan with a dedicated antimalware app. Make sure it comes from a reputable vendor so that you don’t download even more malicious software.
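Steps 1 and 2 can be scripted so they happen in seconds rather than while you hunt through menus. The following is an added example (not code from the article) that uses Apple’s own `networksetup` and `diskutil` tools to build a containment plan: switch off Wi-Fi, disable every other network service, and unmount external disks. Only the plan-building and parsing run anywhere; executing the plan requires macOS and an administrator account. It assumes the `Hardware Port: ... / Device: ...` format of `networksetup -listallhardwareports` and the `WholeDisks` key of `diskutil list -plist`, and that network service names match hardware port names (the macOS default; check `networksetup -listallnetworkservices` if you have renamed them). Pausing cloud sync still has to be done by hand in the respective app.

```python
"""Contain a possibly infected Mac: cut the network and detach external disks.

Added example, not code from the article. Parsers are exercised on constructed
sample output; the live part only runs where Apple's tools exist.
"""
import plistlib
import shutil
import subprocess

# Constructed sample output in the format networksetup -listallhardwareports prints.
SAMPLE_PORTS = """Hardware Port: Wi-Fi
Device: en0
Ethernet Address: aa:bb:cc:dd:ee:01

Hardware Port: Thunderbolt Ethernet
Device: en5
Ethernet Address: aa:bb:cc:dd:ee:02

VLAN Configurations
===================
"""
# Constructed sample of `diskutil list -plist external physical` with one USB disk attached.
SAMPLE_DISKS = plistlib.dumps({"AllDisks": ["disk2", "disk2s1"], "WholeDisks": ["disk2"]})


def parse_hardware_ports(listing: str) -> dict:
    """Map hardware port names (Wi-Fi, Thunderbolt Ethernet, ...) to BSD devices (en0, en5, ...)."""
    ports, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Hardware Port:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("Device:") and current:
            ports[current] = line.split(":", 1)[1].strip()
            current = None
    return ports


def external_whole_disks(plist_bytes: bytes) -> list:
    """Whole-disk identifiers (disk2, disk3, ...) of externally attached physical disks."""
    return list(plistlib.loads(plist_bytes).get("WholeDisks", []))


def containment_plan(ports: dict, disks: list) -> list:
    """Commands an operator would run, as argv lists, so they can be reviewed before execution."""
    plan = []
    for name, dev in ports.items():
        if name == "Wi-Fi":
            plan.append(["networksetup", "-setairportpower", dev, "off"])
        else:
            # Assumption: the network service carries the same name as the hardware port.
            plan.append(["networksetup", "-setnetworkserviceenabled", name, "off"])
    for disk in disks:
        plan.append(["diskutil", "unmountDisk", f"/dev/{disk}"])
    return plan


def contain(execute: bool = False) -> list:
    """Build the plan from the live system; run it only when execute=True. Returns the plan."""
    if shutil.which("networksetup") is None:
        return []   # not macOS
    listing = subprocess.run(["networksetup", "-listallhardwareports"],
                             capture_output=True, text=True).stdout
    disks_out = subprocess.run(["diskutil", "list", "-plist", "external", "physical"],
                               capture_output=True).stdout
    plan = containment_plan(parse_hardware_ports(listing), external_whole_disks(disks_out))
    if execute:
        for argv in plan:
            subprocess.run(argv, check=False)   # needs an admin account to take effect
    return plan


if __name__ == "__main__":
    # Dry run: print what would be done, on this machine if it is a Mac, else on the sample data.
    plan = contain(execute=False) or containment_plan(parse_hardware_ports(SAMPLE_PORTS),
                                                      external_whole_disks(SAMPLE_DISKS))
    for argv in plan:
        print(" ".join(argv))
```

Run it once without `execute=True` to review the plan; the dry run is deliberately the default, because disabling the wrong interface on a headless Mac locks you out of it. Unmounting external disks protects a Time Machine drive only if the ransomware hasn’t already reached it, which is one more reason to keep an offline backup.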

You can search forums for advice on manual removal, but it requires deep background knowledge, so the better option is to prevent ransomware attacks in the first place. Keep reading to find out how.

How to prevent ransomware attacks?

The best Mac ransomware protection is to be vigilant and use common sense. Basic habits, such as not clicking links in unexpected emails or pop-ups and installing only official software, go a long way. More recommendations can be found here. We have some other tips for you, though.

How does Apple prevent ransomware on Macs

Given the severity of the ransomware threat, Apple has built defenses into macOS that help prevent these attacks. They form three layers:

  1. XProtect — built-in antimalware that checks apps against Apple’s malware signatures, which are updated silently in the background
  2. Gatekeeper — the mechanism that ensures only signed and trusted software (from the App Store or from identified, notarized developers) can run on your Mac
  3. Notarization — Apple’s automated review of apps submitted by developers (basically, a malware-scanning service), which Gatekeeper checks before letting a downloaded app run

These three work together to stop malware from launching on the user’s system in the first place, and to make it harder for an attack to succeed if something does get through.

More than that, Apple ships important security patches with each macOS update, including improvements to these three layers of defense. For this reason, it is crucial to always run the latest macOS version. Here’s how:

  1. Go to Apple menu > System Settings.
  2. Navigate to General > Software Update.
  3. If an update is available, follow the on-screen instructions to install it.

System Preferences - Software Update
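You can ask these layers directly what they think of an app you have downloaded, instead of waiting for the dialog. The following is an added example (not code from the article or from Apple) that shells out to `spctl` (Gatekeeper), `codesign` (signature), `xattr` (the quarantine flag browsers set on downloads) and `defaults` (the installed XProtect signature version), and reduces the result to a short report. The live checks only run on macOS; the parser is pure Python. It assumes the XProtect bundle path used since macOS 10.15 and the verdict strings that current `spctl` releases print.

```python
"""Ask macOS's own defenses about a downloaded app (added example, not from the article)."""
import shutil
import subprocess

# Assumption: location of the XProtect signature bundle on macOS 10.15 and later.
XPROTECT_PLIST = "/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"


def classify_assessment(spctl_output: str) -> str:
    """Reduce `spctl --assess -vv` output to a one-word verdict.

    spctl prints, for example:
        /Applications/Foo.app: accepted
        source=Notarized Developer ID
        origin=Developer ID Application: Foo Inc (TEAMID1234)
    """
    text = spctl_output.strip()
    if ": accepted" in text:
        if "source=App Store" in text:
            return "app-store"
        if "source=Notarized Developer ID" in text:
            return "notarized"
        return "accepted-other"      # e.g. Apple's own apps or an explicitly allowed app
    if ": rejected" in text:
        if "source=no usable signature" in text:
            return "unsigned"
        if "source=Unnotarized" in text:
            return "unnotarized"     # signed with a Developer ID but never sent to Apple
        return "rejected-other"
    return "unknown"


def _run(*argv) -> tuple:
    p = subprocess.run(argv, capture_output=True, text=True)
    return p.returncode, p.stdout, p.stderr


def assess_app(app_path: str) -> dict:
    """Live checks against one .app bundle; returns {} when Apple's tools are absent."""
    if shutil.which("spctl") is None:
        return {}
    _, status, _ = _run("spctl", "--status")   # 'assessments enabled' is the safe state
    q_rc, q_out, _ = _run("xattr", "-p", "com.apple.quarantine", app_path)
    a_rc, a_out, a_err = _run("spctl", "--assess", "--type", "execute", "-vv", app_path)
    c_rc, _, _ = _run("codesign", "--verify", "--deep", "--strict", "--verbose=2", app_path)
    x_rc, x_out, _ = _run("defaults", "read", XPROTECT_PLIST, "CFBundleShortVersionString")
    return {
        "gatekeeper_enabled": "enabled" in status,
        # No quarantine flag means Gatekeeper never saw this download (curl, USB stick, ...).
        "quarantined": q_rc == 0 and bool(q_out.strip()),
        "verdict": classify_assessment(a_out + a_err),   # spctl -vv writes to stderr
        "signature_valid": c_rc == 0,
        "xprotect_version": x_out.strip() if x_rc == 0 else "unknown",
    }


if __name__ == "__main__":
    import sys
    report = assess_app(sys.argv[1] if len(sys.argv) > 1 else "/Applications/Safari.app")
    print(report if report else "Apple's tools not found here; only the parser can run.")
```

A verdict of `unsigned` or `unnotarized` on something that claims to be a commercial app (or a "cracked" copy, as with Patcher and ThiefQuest above) is exactly the situation the Gatekeeper prompt is warning about; right-clicking and choosing Open to bypass it throws away that layer. `softwareupdate --list` is the command-line equivalent of the Software Update pane if you want to check for pending patches from the same script.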

How to protect your Mac from ransomware with CleanMyMac

Apple’s built-in protection is sophisticated; unfortunately, it is not enough on its own to protect your Mac from all of the malware out there, since signature-based checks only catch what Apple already knows about.

For this reason, it is recommended to invest in a trusted antimalware tool. There are many to choose from, but we recommend CleanMyMac. Not only is it notarized by Apple, but it also maintains a large database of recent malware and threats, which greatly improves your chances against even the latest attacks.

CleanMyMac looking for malware

Here’s how to remove ransomware from Mac with CleanMyMac: 

  1. Get started with a free CleanMyMac trial.
  2. Once you’ve installed it, open the app and navigate to Protection in the sidebar. 
  3. Click Scan.
  4. If CleanMyMac finds anything, click Remove. 


CleanMyMac also offers real-time malware protection: it scans your system in the background 24/7 and notifies you of any threat trying to sneak onto your Mac.

Tip

If you want more tips, check this article about how to remove malware and viruses from a Mac.

Other ways to protect your Mac from ransomware

In addition to common sense, using Apple’s built-in defense system, and running virus scans, there are some other ways to protect your Mac: 

  1. Install trusted software — download it from either the App Store or trusted developers. In the latter case, go to the developer’s official website and do some research before installing anything.
  2. Keep macOS and your apps up to date — security patches in newer versions close the holes that malware uses to get in.
  3. Turn on two-factor authentication for your Apple ID and other accounts if you haven’t already — it is an additional layer of protection against account takeover.
  4. If you are locked out of your Mac completely, take it to an Apple Authorized Service Provider — they should know how to deal with the issue.
  5. Back up your data regularly, and keep at least one backup disconnected from the Mac or versioned in the cloud — ransomware wipes or encrypts any backup it can reach. With a clean backup you can restore your files even if they were encrypted.
    Important

    If you’ve fallen victim to a ransomware attack, report it, especially if you’ve paid the ransom. Embarrassing as it might be, it may be a way to get your money back, because extortion and fraud are taken seriously in many countries.

Ransomware is a particularly nasty type of malware because it preys on fear. It’s designed to scare you into paying money to either prevent something from happening or restore access to your data or computer. Whatever you do, never pay the ransom — it will only make you a target for another attack. Take the steps outlined here to protect yourself, or if you’ve been hit by ransomware, to remove it. And make sure you back up your data regularly so you can restore files if you need to.

Frequently asked questions

What is ransomware attack?

A ransomware attack is the process of actually delivering ransomware to victims. But how does it work? Basically, just like any other malware: by tricking the user into clicking a malicious link or downloading an infected piece of software.

How can ransomware be delivered?

Commonly, the user clicks a link in an email or opens a webpage that contains malicious code. Often the code masquerades as an update to, say, Adobe Flash (Adobe discontinued Flash at the end of 2020, so any "Flash update" offered today is a red flag). And, like other malware, it can present itself as an important security update.

Can antivirus detect ransomware?

It depends. Known ransomware is detected by most antivirus apps; however, the newest variants may remain undetected for a long time. That’s why it is worth using security software with a constantly updated malware database, like the Protection feature in CleanMyMac.

How to remove ransomware virus and restore the files?

The easiest way to remove ransomware is to use a dedicated antivirus app. Once it is removed, restore your files from a backup. Unfortunately, most files encrypted by ransomware cannot be decrypted without the key (free decryptors exist only for some families whose keys have been recovered; the No More Ransom project at nomoreransom.org maintains a list), and paying the ransom does not guarantee that the cybercriminals will recover your files. As a last resort, look for local professional ransomware recovery services.