What is ransomware and how to get rid of it

Ransomware. The very word sounds ominous. And with good reason. Ransomware attacks are particularly nasty because they prey on users’ fears and are designed to scare them into handing over money. The threats used to extort payment can include publishing personal data, exposing online activity, or encrypting data to prevent the user from accessing it. Sadly, ransomware on the Mac isn’t unheard of.

How do ransomware attacks work?

Ransomware can infect your Mac in the same way as any other malware. Usually, the user clicks on a link in an email or opens a webpage that contains the malicious code. Often, the code masquerades as an update to, say, Adobe Flash. And, like other malware, it can often present itself as an important security update. So, for example, you might open a webpage that then launches a pop-up page or tab that warns you that your computer is insecure and that you must download an update to fix it. That update contains the malicious code.

Once the code has been downloaded to your computer, it displays a message warning you that something bad will happen if you don’t comply with the hackers’ request. One well-known ransomware attack in 2017, known as WannaCry, targeted Windows computers and encrypted files on infected machines, then demanded ransom payments in Bitcoin to decrypt them.

Another form of ransomware attack involves spamming potential victims with an email message claiming to have proof that they have visited porn websites and even images from their webcam taken during the time they were visiting the sites. The email then demands payment in return for deleting the ‘proof.’ In this case, the supposed proof doesn’t exist and no malware has been downloaded to the user’s computer, unless they click a link in the email message.

How can I protect my Mac from ransomware?

The best Mac ransomware protection is to be vigilant and use common sense.

  1. Don’t click on any link in an email message unless you’re certain of where the email has come from and where the link will lead
  2. Don’t click on links on pop-up windows or tabs that try to scare you into downloading an update or patch
  3. Use an ad blocker in your web browser
  4. Install official patches and updates to macOS as soon as they become available
  5. Keep your web browser up to date by installing updates as soon as possible
  6. Scan your Mac for malware regularly. You can do this using an antivirus tool such as Bitdefender or, if you’re using a Mac, by running CleanMyMac X’s malware tool.

Removing malware files

CleanMyMac X has a database of known malware that’s updated frequently. The malware tool scans your Mac and compares what it finds with the database. If there’s a match, it offers to remove the malware for you and all you have to do is press a button.
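
To make the idea of matching files against a database concrete, here is an added example. It is not CleanMyMac X's code, and since the page does not say how the tool matches files, it assumes the simplest approach: comparing SHA-256 hashes. The function names, the sample file and the database entry are all constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_tree(root, known_bad):
    """Return (matches, unreadable) for every regular file under root.

    known_bad maps a SHA-256 hex digest to a label (assumed database format).
    """
    matches, unreadable = [], []
    for folder, _subdirs, names in os.walk(root):  # does not follow symlinked dirs
        for name in names:
            path = os.path.join(folder, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                file_hash = sha256_of(path)
            except OSError:
                unreadable.append(path)  # report it; never assume it is clean
                continue
            if file_hash in known_bad:
                matches.append((path, known_bad[file_hash]))
    return sorted(matches), sorted(unreadable)

def demo():
    """Scan a constructed folder holding one file whose hash is in the database."""
    sample = b"constructed stand-in for a fake updater, not real malware"
    known_bad = {hashlib.sha256(sample).hexdigest(): "Example.FakeUpdater (constructed)"}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Downloads"))
        with open(os.path.join(root, "Downloads", "FlashUpdate.pkg"), "wb") as f:
            f.write(sample)
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"an ordinary file")
        matches, unreadable = scan_tree(root, known_bad)
        return [(os.path.relpath(p, root), label) for p, label in matches], unreadable

if __name__ == "__main__":
    print(demo())
```

An exact hash match only catches files that are already in the database, which is why a frequently updated database matters.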

Mac ransomware removal

Firstly, don’t ever click on a link on the message that tries to extort money from you. Ignore it. Close the window or tab in your web browser or mark the email message as junk.

Next, scan your Mac for malware. You can do this using an antivirus tool. There are several antivirus tools available for Mac that will scan your computer for free. Some will also remove any malware they find for free. Others require you to pay for a full version of the software in order to remove what they find. Alternatively, on a Mac, you can use CleanMyMac X’s malware removal tool. It’s very quick and easy to use.

If you’ve used an antivirus tool and are still having problems, google the symptoms, including the text of the warning message. You won’t be the only computer user to have been attacked in this way and others may have found and shared a solution. Make sure, however, that you only follow suggestions from websites you trust, such as well-known tech sites.

What if I’m locked out of my Mac completely?

Some ransomware attacks lock you out of your Mac. They will force your Mac to restart and, when it does, present you with a screen demanding an unlock code before you can proceed. The hackers will tell you the only way to get that code is to meet their demands. Don’t. Instead, do this.

  1. Take your Mac and proof of purchase to an Apple Authorised Service provider. They should be able to unlock it from Lost mode, once you’ve proved it’s yours
  2. Change your iCloud password. If the hackers have accessed your Mac, it’s possible they have your iCloud password
  3. Turn on two-factor authentication if you haven’t already done so. It will protect other devices connected to your iCloud account.

What if I can’t access my files?

If you’ve been the victim of a ransomware attack that has encrypted files on your computer (no Mac ransomware has done this yet, but the WannaCry Windows attack did it), you should try and restore them from a backup. First, though, follow the steps above to remove the ransomware. Then delete the encrypted files.

Once you’ve done that, if you use Time Machine you can simply launch Time Machine from the menu bar on your Mac, navigate to a point in time before you were attacked, find the files, then hit Restore. If you use another backup tool or service, follow its instructions to restore your files.

If you don’t currently back up your data on a regular basis, now is the time to start. It won’t stop ransomware attacks, but it will mean you can replace encrypted files with copies if you need to. Ideally, you should have a regular backup schedule that backs up to two locations, one local and one remote.

What if I have already clicked a link or paid money?

You should still follow the steps above to remove the ransomware. Sadly, scammers are greedy and prey on those they consider to be ‘easy’ targets. If you’ve already paid up, or even clicked a link, you will, unfortunately, now be in that category and will be targeted. It’s even more important to scan your computer regularly (we advise using CleanMyMac X) and be vigilant in the future.

You should also consider reporting the attack to the authorities. While you may be embarrassed to have fallen victim to a scam, or the details of the scam itself may be embarrassing, extortion is a serious crime in most countries. Many countries now have dedicated units to deal with fraud and within those are cybercrime units, specialists in dealing with this kind of crime.

Ransomware is a particularly nasty type of malware because it preys on fear. It’s designed to scare you into paying money, either to prevent something happening or restore access to your data or computer. Whatever you do, never pay the ransom; it will only make you a target for another attack. Take the steps outlined here to protect yourself, or if you’ve been hit by ransomware, to remove it. And make sure you back up your data regularly so you can restore files if you need to.
