This article has been created to explain what are Mac ransomware types of viruses, how to remove them and how you can try and restore files, encrypted by such virus on your Mac.
Ransomware infections have been going around for some time now and they have been spreading at an alarming rate. What is interesting is that during the past few years we have also seen ransomware viruses designed to attack Mac systems as well. While some of the viruses like the Padlock virus were from the screenlocker type, some viruses, like KeRanger we have also detected to directly encrypt the files on the Macs that were compromised. In this article we aim to explain in detail how you can deal with ransomware viruses for Macs and how you can try and recover your files if you have not made a backup.
How Does a Mac Ransomware Virus Encrypt Your Files
Encryption by theory is basically the process of enciphering data so that only users with access can unlock and read this data. This means that when a ransomware virus infects your Mac, it will run a set of scripts and processes that will attack the file structure of your files. Usually, there are a lot of encryption algorithms and they have evolved over the past few years, but the main ones in use by ransomware viruses are RSA (rivest-shamir adleman) and AES(advanced encryption standard) algorithms. They aim to either overwrite the file or delete it and create it’s encrypted copy on the victim’s compuer. Then, the ransomware virus creates a decryption key which is either a symmetric key or a private key. The newest trend with ransomware viruses nowadays is to use combination of several encryption algorithms to make decryption this more difficult. For more info on how ransomware encryption works, you can check the following article underneath:
Related: Ransomware Encryption Explained – Why Is It So Effective?
How to Try and Recover Encrypted Files on Your Mac (Methods)
After we have explained to you what encryption is, now it is time to explain what options do you have to get them to work once again. In the accordion below, we have created different methods that aim to help you by explaining what you can do to try and recover your files. To lift your hope, we will say that based on the type of virus which demolished your files and on the situation at hand, you may recover all your files, but do not raise your hopes that high, because you may also not be able to recover your data. And before you begin reading about the decryption methods underneath, we recommend that you try and use the method that is most appropriate for your situation. Let’s start!
| Method | By using a Data Recovery App. |
| Appropriate Situation | When there is no decryption available for the ransomware, but you can still use Windows to install and run software. |
| Instructions Difficulty | Easy |
In some cases, the easiest methods to cope with file encryption is to go around it and focus on your Mac’s drive. In order for this to succeed, it is important that you should not refresh your Mac or wipe your drive anew, because this will significantly decrease your chances of recovering files. Furthermore, you should also know that there are many data recovery programs out there, but we have decided to use what we believe is a tool that is very capable of doing the job for you – Stellar Phoenix Mac Data Recovery Pro. For more information on the program, you can read our software review of it underneath:
Related: Stellar Phoenix Mac Data Recovery Pro – Review
Here is how you can try and restore your files by using this program:
Step 1: Download Stellar Phoenix Mac Data Recovery.
Step 2: Open the downloaded file on you Mac’s Browser.
Step 3: Install Stellar Phoenix Mac Data Recovery. Accept any agreements if prompted.
Step 4: Wait for the program to start, after which select what types of files you wish to recover and click Next:
Step 5: Select the recovery location to an external drive or your default Macintosh Hard Drive (Macintosh HD) and click on Scan:
Step 6: Select the disk which you want to scan by clicking on It to mark it. You can also select an external drive which is affected and you can also tick the “Deep Scan” option which will take significantly more time, but will look to recover files in higher detail and we highly recommend ticking it. After you have selected your preferences, click on the Scan button:
Step 7: Wait for the scan to complete. It may take some time:
Step 8: After the scan has finished, simply select the files you want to recover and then click on the “Recover” button:
At this point, the program will begin recovering your files and when it has finished in doing that, it will notify you of this by asking you where you want to save a backup copy.
| Method | By using Apple iCloud. |
| Appropriate Situation | When you have copies of your files in iCloud drive. |
| Instructions Difficulty | Easy |
Step 1: Sign in to iCloud.
Step 2: Open the Settings.
Step 3: When you enter the Settings, scroll down and you will see the the “Advanced” menu. On it, click on “Restore Files”, like shown below:
Step 4: You will see a list of files to restore. Mark them with your mouse and then click on “Restore”.
Step 5: Wait for iCloud to restore your files and after it’s ready click on “Done”.
After the recovery is complete, you should be able to find the restored files on your iCloud drive. This can also help if you have accidentally deleted files from your iCloud drive as well.
| Method | By using Apple Time Machine |
| Appropriate Situation | When you have setup Time Machine. |
| Instructions Difficulty | Easy |
Step 1: Open Time Machine by clicking on the refresh icon on the top right and clicking on “Enter Time Machine”.
Step 2: Either navigate to previous versions of your Mac in different time or choose a restore point from the bars on the bottom right, next to the navigation arrows:
Step 3: Select a file, you want to restore by marking it with your mouse. Use the bottom-right arrows to select the date from which you want to restore it. After you have done this, click on the Restore button on the bottom right of your screen and the files will automatically restore:
Ventsislav Krastev
Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.
Follow Me:
Steps to Prepare Before Removal:
Before starting to follow the steps below, be advised that you should first do the following preparations:
- Backup your files in case the worst happens.
- Make sure to have a device with these instructions on standy.
- Arm yourself with patience.
- 1. Scan for Mac Malware
- 2. Uninstall Risky Apps
- 3. Clean Your Browsers
Step 1: Scan for and remove Mac Ransomware files from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as Mac Ransomware, the recommended way of eliminating the threat is by using an anti-malware program. SpyHunter for Mac offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Quick and Easy Mac Malware Video Removal Guide
Bonus Step: How to Make Your Mac Run Faster?
Mac machines maintain probably the fastest operating system out there. Still, Macs do become slow and sluggish sometimes. The video guide below examines all of the possible problems that may lead to your Mac being slower than usual as well as all of the steps that can help you to speed up your Mac.
Step 2: Uninstall Mac Ransomware and remove related files and objects
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:
2. Find Activity Monitor and double-click it:
3. In the Activity Monitor look for any suspicious processes, belonging or related to Mac Ransomware:
4. Click on the "Go" button again, but this time select Applications. Another way is with the ⇧+⌘+A buttons.
5. In the Applications menu, look for any suspicious app or an app with a name, similar or identical to Mac Ransomware. If you find it, right-click on the app and select “Move to Trash”.
6. Select Accounts, after which click on the Login Items preference. Your Mac will then show you a list of items that start automatically when you log in. Look for any suspicious apps identical or similar to Mac Ransomware. Check the app you want to stop from running automatically and then select on the Minus (“-“) icon to hide it.
7. Remove any leftover files that might be related to this threat manually by following the sub-steps below:
- Go to Finder.
- In the search bar type the name of the app that you want to remove.
- Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
- If all of the files are related, hold the ⌘+A buttons to select them and then drive them to “Trash”.
In case you cannot remove Mac Ransomware via Step 1 above:
In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:
1. Click on "Go" and Then "Go to Folder" as shown underneath:
2. Type in "/Library/LauchAgents/" and click Ok:
3. Delete all of the virus files that have similar or the same name as Mac Ransomware. If you believe there is no such file, do not delete anything.
You can repeat the same procedure with the following other Library directories:
→ ~/Library/LaunchAgents
/Library/LaunchDaemons
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 3: Remove Mac Ransomware – related extensions from Safari / Chrome / Firefox
Mac Ransomware-FAQ
What is Mac Ransomware on your Mac?
The Mac Ransomware threat is probably a potentially unwanted app. There is also a chance it could be related to Mac malware. If so, such apps tend to slow your Mac down significantly and display advertisements. They could also use cookies and other trackers to obtain browsing information from the installed web browsers on your Mac.
Can Macs Get Viruses?
Yes. As much as any other device, Apple computers do get malware. Apple devices may not be a frequent target by malware authors, but rest assured that almost all of the Apple devices can become infected with a threat.
What Types of Mac Threats Are There?
According to most malware researchers and cyber-security experts, the types of threats that can currently infect your Mac can be rogue antivirus programs, adware or hijackers (PUPs), Trojan horses, ransomware and crypto-miner malware.
What To Do If I Have a Mac Virus, Like Mac Ransomware?
Do not panic! You can easily get rid of most Mac threats by firstly isolating them and then removing them. One recommended way to do that is by using a reputable malware removal software that can take care of the removal automatically for you.
There are many Mac anti-malware apps out there that you can choose from. SpyHunter for Mac is one of the reccomended Mac anti-malware apps, that can scan for free and detect any viruses. This saves time for manual removal that you would otherwise have to do.
How to Secure My Data from Mac Ransomware?
With few simple actions. First and foremost, it is imperative that you follow these steps:
Step 1: Find a safe computer and connect it to another network, not the one that your Mac was infected in.
Step 2: Change all of your passwords, starting from your e-mail passwords.
Step 3: Enable two-factor authentication for protection of your important accounts.
Step 4: Call your bank to change your credit card details (secret code, etc.) if you have saved your credit card for online shopping or have done online activiites with your card.
Step 5: Make sure to call your ISP (Internet provider or carrier) and ask them to change your IP address.
Step 6: Change your Wi-Fi password.
Step 7: (Optional): Make sure to scan all of the devices connected to your network for viruses and repeat these steps for them if they are affected.
Step 8: Install anti-malware software with real-time protection on every device you have.
Step 9: Try not to download software from sites you know nothing about and stay away from low-reputation websites in general.
If you follow these reccomendations, your network and Apple devices will become significantly more safe against any threats or information invasive software and be virus free and protected in the future too.
More tips you can find on our MacOS Virus section, where you can also ask any questions and comment about your Mac problems.
About the Mac Ransomware Research
The content we publish on SensorsTechForum.com, this Mac Ransomware how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific macOS issue.
How did we conduct the research on Mac Ransomware?
Please note that our research is based on an independent investigation. We are in contact with independent security researchers, thanks to which we receive daily updates on the latest malware definitions, including the various types of Mac threats, especially adware and potentially unwanted apps (PUAs).
Furthermore, the research behind the Mac Ransomware threat is backed with VirusTotal.
To better understand the threat posed by Mac malware, please refer to the following articles which provide knowledgeable details.