How to remove ransomware from Mac: an ultimate guide

There were days when Macs were malware-free. Unfortunately, these days are long gone. In fact, according to recent research conducted by Malwarebytes, Mac computers are an even more attractive target for malware than Windows PC. You may be wondering why, and the answer is pretty simple: there is a belief that Mac owners have higher incomes. It is when ransomware comes into play. In this article, we’ll explain what it is and, more importantly, how to prevent ransomware attacks.

What is ransomware? 

Ransomware is a particularly nasty type of malware. Cybercriminals design it to prey on users’ fears and scare them into handing over money. The threats made in order to extort payment can be publishing personal data, exposing online activity, or encrypting data in order to prevent the user from accessing it. Sadly, ransomware on Mac isn’t unheard of. Here are some examples you may have heard of:

  • FBI scam. It was a pop-up in a browser claiming that FBI officials blocked the user’s browser and demanding that they pay for unblocking it. Safari users falling victim to this ransomware indeed had their browsers even after force-quitting it.
  • ThiefQuest. This ransomware was spread via pirated copies of Mixed In Key 8 and Little Snitch downloaded via torrent. It encrypted some settings and keychain files. 
  • Patcher. Posing itself as a cracking tool for Microsoft Office and Adobe Premiere CC for Mac, but encrypted all of the user’s files and demanded 0.25 Bitcoin for decrypting the data. Even after the ransom has been paid, users never receive decryption keys. 

How to detect ransomware

There are several symptoms of ransomware. One of them is seeing a pop-up that your data is encrypted with a ransom demand, but this is not always the case. If you see it in a browser, you should first try to force quit and launch it again without reopening browser tabs. If you no longer see the pop-up, it may have been a scam trying to trick you into downloading something malicious.

Other signs include:

  • Alerts from your antimalware software if you have one installed on Mac
  • Anomalies in your computer’s behavior (sudden drops in performance or strange network activities)
  • Noticing that file extensions have changed — it is a tell-tale sign of ransomware infection, but it is a late one.

How to remove ransomware

Now, we’ll show you how to remove ransomware virus from Mac. Note, though, that some ransomware deletes itself after encrypting your data, while others may stay on your computer in an attempt to infect other devices.

Here are the steps for ransomware removal:

  1. Disconnect your computer from the internet in order to prevent the further spread of the infection.
  2. Disconnect all devices that may have been infected: external drives, cloud storage accounts, smartphones, and tablets.
  3. Run a Mac virus scan with a dedicated antimalware app. Make sure to invest in a safe cleaner in order to avoid downloading even more malicious software.

You can try to search for advice on manual removal on forums, but it requires profound background knowledge, so it is better to prevent ransomware attacks. Keep on reading to find out how to do it.

How to prevent ransomware attacks?

The best Mac ransomware protection is to be vigilant and use common sense. Some basic tips — such as not clicking on links in emails or pop-ups and installing official software — work pretty well. More recommendations can be found here. We have some other tips for you, though.

How does Apple prevent ransomware on Macs

Given the severity of the threats connected with ransomware, Apple has come up with built-in features that can help prevent these attacks. These are based on the three levels of defense:

  1. XProtect — built-in antimalware software
  2. Gatekeeper — the functionality ensuring that only trusted software can run on your Mac
  3. Notarization — the process of reviewing code (basically, a malware-scanning service)

These three are designed to work together and prevent the launch of malware in the user’s system as well as ensure that malware attacks cannot be executed.

More than that, with each macOS update, Apple releases important security patches that improve the operation of these three layers of defense. For this reason, it is crucial to ensure that you always run the latest macOS version. Here’s how:

  1. Go to Apple menu > System Settings.
  2. Navigate to General > Software Update.
  3. If there is one available, follow the on-screen instructions to install it
System Preferences - Software Update

How to protect your Mac from ransomware with CleanMyMac X

The system for Mac protection developed by Apple is sophisticated; unfortunately, it is not effective enough to protect your Mac from all of the malware and viruses out there. For this reason, it is recommended to invest in a trusted antimalware tool. There are many alternatives you can choose from, but we recommend CleanMyMac X. Not only is it notarized by Apple, but it also has a large database of the most recent malware and threats, meaning that you won’t fall victim to even the latest attacks.

Here’s how to remove ransomware from Mac with CleanMyMac X: 

  1. Download the app for free here
  2. Once you’ve installed it, open the app and navigate to Malware Removal in the sidebar. 
  3. Click Scan.
  4. If CleanMyMac X finds anything, click Remove. Otherwise, you’ll get a clean bill of health.
Removing malware files

CleanMyMac X also has a tool for real-time malware protection. This way, it scans your system in the background 24/7 and notifies you of any threats trying to sneak onto your Mac.


If you want to learn more tips, check this article about how to remove malware and viruses from Mac here.

Other ways to protect your Mac from ransomware

In addition to common sense, using Apple’s built-in defense system, and running virus scans, there are some other ways to protect your Mac: 

  1. Install trusted software — download it from either App Store or trusted developers. In the latter case, go to the developers’ official website and do some research before downloading any apps. 
  2. Keep macOS and software up to date — security patches released with newer versions may prevent infection with malware. 
  3. Turn on two-factor authentication if you haven’t already done so — it is an additional layer of protection.
  4. If you were locked out of your Mac completely, take it to the Apple Authorized Service provider — they should know how to deal with the issue. 
  5. Regularly back up your data — even in the case of having your files encrypted, you’ll be able to restore it.

    If you’ve fallen victim to a ransomware attack, report it, especially if you’ve paid the ransom. Embarrassing as it might be, it may be a way to have your money back because extortion and fraud are taken seriously in many countries.

Ransomware is a particularly nasty type of malware because it preys on fear. It’s designed to scare you into paying money to either prevent something from happening or restore access to your data or computer. Whatever you do, never pay the ransom — it will only make you a target for another attack. Take the steps outlined here to protect yourself, or if you’ve been hit by ransomware, to remove it. And make sure you back up your data regularly so you can restore files if you need to.

Frequently asked questions

What is ransomware attack?

A ransomware attack is a process of actually releasing ransomware into the wild. But how does it work? Basically, just like any other malware — by tricking the user into clicking a malicious link or downloading an infected piece of software.

How can ransomware be delivered?

Commonly, the user clicks a link in an email or opens a webpage that contains malicious code. Often, the code masquerades as an update to, say, Adobe Flash. And, like other malware, it can often present itself as an important security update.

Can antivirus detect ransomware?

It depends. Known ransomware is detected by most antivirus apps; however, the newest ones may remain undetected for a long time. That’s why it is crucial to invest in cleaner software with a constantly updated database of viruses — like the Malware Removal tool in CleanMyMac X.

How to remove ransomware virus and restore the files?

The easiest way to remove ransomware is to use a dedicated antivirus app. Once it is removed, you can restore files from a backup. Unfortunately, most files encrypted by ransomware cannot be decrypted, not to mention that paying the ransom does not guarantee that cybercriminals recover your files. As a final resort, look for local professional ransomware recovery services.

Laptop with CleanMyMac
CleanMyMac X

Your Mac. As good as new.