Home > Mac Viruses > Mac Ransomware – How to Restore Encrypted Files

Mac Ransomware – How to Restore Encrypted Files

This article has been created to explain what are Mac ransomware types of viruses, how to remove them and how you can try and restore files, encrypted by such virus on your Mac.

Ransomware infections have been going around for some time now and they have been spreading at an alarming rate. What is interesting is that during the past few years we have also seen ransomware viruses designed to attack Mac systems as well. While some of the viruses like the [wplinkpreview url=”https://sensorstechforum.com/remove-mac-ransomware-solved-padlock-icon-lock/”]Padlock virus were from the screenlocker type, some viruses, like [wplinkpreview url=”https://sensorstechforum.com/remove-ransomware-osx-keranger-from-mac-computers/”]KeRanger we have also detected to directly encrypt the files on the Macs that were compromised. In this article we aim to explain in detail how you can deal with ransomware viruses for Macs and how you can try and recover your files if you have not made a backup.

How Does a Mac Ransomware Virus Encrypt Your Files

Encryption by theory is basically the process of enciphering data so that only users with access can unlock and read this data. This means that when a ransomware virus infects your Mac, it will run a set of scripts and processes that will attack the file structure of your files. Usually, there are a lot of encryption algorithms and they have evolved over the past few years, but the main ones in use by ransomware viruses are RSA (rivest-shamir adleman) and AES(advanced encryption standard) algorithms. They aim to either overwrite the file or delete it and create it’s encrypted copy on the victim’s compuer. Then, the ransomware virus creates a decryption key which is either a symmetric key or a private key. The newest trend with ransomware viruses nowadays is to use combination of several encryption algorithms to make decryption this more difficult. For more info on how ransomware encryption works, you can check the following article underneath:

Related: [wplinkpreview url=”https://sensorstechforum.com/ransomware-encryption-explained-why-is-it-so-effective/”]Ransomware Encryption Explained – Why Is It So Effective?
Attention! Before starting to restore files on your Mac, you will need to make sure that it is secure first. This is why we recommend using an anti-malware scanner to detect and fully eliminate any malware that may currently be residing on your Mac. Such anti-malware tool also aims to ensure that future protection is available on your device.

How to Try and Recover Encrypted Files on Your Mac (Methods)

After we have explained to you what encryption is, now it is time to explain what options do you have to get them to work once again. In the accordion below, we have created different methods that aim to help you by explaining what you can do to try and recover your files. To lift your hope, we will say that based on the type of virus which demolished your files and on the situation at hand, you may recover all your files, but do not raise your hopes that high, because you may also not be able to recover your data. And before you begin reading about the decryption methods underneath, we recommend that you try and use the method that is most appropriate for your situation. Let’s start!

Method 1 – Restore Files via Data Recovery App

On this page:
Method By using a Data Recovery App.
Appropriate Situation When there is no decryption available for the ransomware, but you can still use Windows to install and run software.
Instructions Difficulty Easy

In some cases, the easiest methods to cope with file encryption is to go around it and focus on your Mac’s drive. In order for this to succeed, it is important that you should not refresh your Mac or wipe your drive anew, because this will significantly decrease your chances of recovering files. Furthermore, you should also know that there are many data recovery programs out there, but we have decided to use what we believe is a tool that is very capable of doing the job for you – Stellar Phoenix Mac Data Recovery Pro. For more information on the program, you can read our software review of it underneath:

Related: [wplinkpreview url=”https://sensorstechforum.com/stellar-phoenix-mac-data-recovery-pro-review/”]Stellar Phoenix Mac Data Recovery Pro – Review

Here is how you can try and restore your files by using this program:

Step 1: Download Stellar Phoenix Mac Data Recovery by clicking on the button below:


Mac Data Recovery

Step 2: Open the downloaded file on you Mac’s Browser.

Step 3: Install Stellar Phoenix Mac Data Recovery. Accept any agreements if prompted.

Step 4: Wait for the program to start, after which select what types of files you wish to recover and click Next:

Step 5: Select the recovery location to an external drive or your default Macintosh Hard Drive (Macintosh HD) and click on Scan:

Step 6: Select the disk which you want to scan by clicking on It to mark it. You can also select an external drive which is affected and you can also tick the “Deep Scan” option which will take significantly more time, but will look to recover files in higher detail and we highly recommend ticking it. After you have selected your preferences, click on the Scan button:

Step 7: Wait for the scan to complete. It may take some time:

Step 8: After the scan has finished, simply select the files you want to recover and then click on the “Recover” button:

At this point, the program will begin recovering your files and when it has finished in doing that, it will notify you of this by asking you where you want to save a backup copy.

Method 2 – Restore Files via iCloud Backup

On this page:
Method By using Apple iCloud.
Appropriate Situation When you have copies of your files in iCloud drive.
Instructions Difficulty Easy

Step 1: Sign in to iCloud.

Step 2: Open the Settings.

Step 3: When you enter the Settings, scroll down and you will see the the “Advanced” menu. On it, click on “Restore Files”, like shown below:

Step 4: You will see a list of files to restore. Mark them with your mouse and then click on “Restore”.

Step 5: Wait for iCloud to restore your files and after it’s ready click on “Done”.

After the recovery is complete, you should be able to find the restored files on your iCloud drive. This can also help if you have accidentally deleted files from your iCloud drive as well.

Method 3: Restore files backed up with Time Machine on Mac

On this page:
Method By using Apple Time Machine
Appropriate Situation When you have setup Time Machine.
Instructions Difficulty Easy

Step 1: Open Time Machine by clicking on the refresh icon on the top right and clicking on “Enter Time Machine”.

Step 2: Either navigate to previous versions of your Mac in different time or choose a restore point from the bars on the bottom right, next to the navigation arrows:

Step 3: Select a file, you want to restore by marking it with your mouse. Use the bottom-right arrows to select the date from which you want to restore it. After you have done this, click on the Restore button on the bottom right of your screen and the files will automatically restore:

Ventsislav Krastev

Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.

More Posts - Website

Follow Me:

with SpyHunter for Mac
Mac Ransomware may remain persistent on your system and may re-infect it. We recommend you to download SpyHunter for Mac and run free scan to remove all virus files on your Mac. This saves you hours of time and effort compared to doing the removal yourself.
Free Remover allows you, subject to a 48-hour waiting period, one remediation and removal for results found. Read EULA and Privacy Policy

Steps to Prepare Before Removal:

Before starting to follow the steps below, be advised that you should first do the following preparations:

  • Backup your files in case the worst happens.
  • Make sure to have a device with these instructions on standy.
  • Arm yourself with patience.
  • 1. Scan for Mac Malware
  • 2. Uninstall Risky Apps
  • 3. Clean Your Browsers

Step 1: Scan for and remove Mac Ransomware files from your Mac

When you are facing problems on your Mac as a result of unwanted scripts and programs such as Mac Ransomware, the recommended way of eliminating the threat is by using an anti-malware program. SpyHunter for Mac offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.

Click the button below below to download SpyHunter for Mac and scan for Mac Ransomware:


SpyHunter for Mac

scan and remove mac virus step 1

Quick and Easy Mac Malware Video Removal Guide

Bonus Step: How to Make Your Mac Run Faster?

Mac machines maintain probably the fastest operating system out there. Still, Macs do become slow and sluggish sometimes. The video guide below examines all of the possible problems that may lead to your Mac being slower than usual as well as all of the steps that can help you to speed up your Mac.

Step 2: Uninstall Mac Ransomware and remove related files and objects

Manual Removal Usually Takes Time and You Risk Damaging Your Files If Not Careful!
We Recommend To Scan Your Mac with SpyHunter for Mac
Keep in mind, that SpyHunter for Mac needs to purchased to remove the malware threats. Click on the corresponding links to check SpyHunter’s EULA and Privacy Policy

1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:

remove mac virus step 1

2. Find Activity Monitor and double-click it:

remove mac virus step 2

3. In the Activity Monitor look for any suspicious processes, belonging or related to Mac Ransomware:

remove mac virus step 3

Tip: To quit a process completely, choose the “Force Quit” option.

remove mac virus step 4

4. Click on the "Go" button again, but this time select Applications. Another way is with the ⇧+⌘+A buttons.

5. In the Applications menu, look for any suspicious app or an app with a name, similar or identical to Mac Ransomware. If you find it, right-click on the app and select “Move to Trash”.

remove mac virus step 5

6. Select Accounts, after which click on the Login Items preference. Your Mac will then show you a list of items that start automatically when you log in. Look for any suspicious apps identical or similar to Mac Ransomware. Check the app you want to stop from running automatically and then select on the Minus (“-“) icon to hide it.

7. Remove any leftover files that might be related to this threat manually by following the sub-steps below:

  • Go to Finder.
  • In the search bar type the name of the app that you want to remove.
  • Above the search bar change the two drop down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app so be very careful which files you delete.
  • If all of the files are related, hold the ⌘+A buttons to select them and then drive them to “Trash”.

In case you cannot remove Mac Ransomware via Step 1 above:

In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:

Disclaimer! If you are about to tamper with Library files on Mac, be sure to know the name of the virus file, because if you delete the wrong file, it may cause irreversible damage to your MacOS. Continue on your own responsibility!

1. Click on "Go" and Then "Go to Folder" as shown underneath:

fix mac virus from launch agents step 1

2. Type in "/Library/LauchAgents/" and click Ok:

fix mac virus from launch agents step 2

3. Delete all of the virus files that have similar or the same name as Mac Ransomware. If you believe there is no such file, do not delete anything.

fix mac virus from launch agents step 3

You can repeat the same procedure with the following other Library directories:

→ ~/Library/LaunchAgents

Tip: ~ is there on purpose, because it leads to more LaunchAgents.

Step 3: Remove Mac Ransomware – related extensions from Safari / Chrome / Firefox

Remove an extension from Safari and reset it.Remove a toolbar from Google ChromeRemove a toolbar from Mozilla Firefox

1. Start Safari

2. After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.

3. From the menu, click on "Preferences"

Remove Mac virus from safari step 1

4. After that, select the 'Extensions' Tab

Remove Mac virus from safari step 2

5. Click once on the extension you want to remove.

6. Click 'Uninstall'

Remove Mac virus from safari step 3

A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the Mac Ransomware will be removed.

How to Reset Safari
IMPORTANT: Before resetting Safari make sure you back up all your saved passwords within the browser in case you forget them.

Start Safari and then click on the gear leaver icon.

Click the Reset Safari button and you will reset the browser.

1. Start Google Chrome and open the drop menu

remove mac virus from google chrome step 1

2. Move the cursor over "Tools" and then from the extended menu choose "Extensions"

remove mac virus from google chrome step 2

3. From the opened "Extensions" menu locate the add-on and click on the garbage bin icon on the right of it.

remove mac virus from google chrome step 3

4. After the extension is removed, restart Google Chrome by closing it from the red "X" in the top right corner and start it again.

1. Start Mozilla Firefox. Open the menu window

2. Select the "Add-ons" icon from the menu.

remove mac virus from mozilla firefox step 1

3. Select the Extension and click "Remove"

remove mac virus from mozilla firefox step 2

4. After the extension is removed, restart Mozilla Firefox by closing it from the red "X" in the top right corner and start it again.

Mac Ransomware-FAQ

What is Mac Ransomware on your Mac?

The Mac Ransomware threat is probably a potentially unwanted app. There is also a chance it could be related to Mac malware. If so, such apps tend to slow your Mac down significantly and display advertisements. They could also use cookies and other trackers to obtain browsing information from the installed web browsers on your Mac.

Can Macs Get Viruses?

Yes. As much as any other device, Apple computers do get malware. Apple devices may not be a frequent target by malware authors, but rest assured that almost all of the Apple devices can become infected with a threat.

What Types of Mac Threats Are There?

According to most malware researchers and cyber-security experts, the types of threats that can currently infect your Mac can be rogue antivirus programs, adware or hijackers (PUPs), Trojan horses, ransomware and crypto-miner malware.

What To Do If I Have a Mac Virus, Like Mac Ransomware?

Do not panic! You can easily get rid of most Mac threats by firstly isolating them and then removing them. One recommended way to do that is by using a reputable malware removal software that can take care of the removal automatically for you.

There are many Mac anti-malware apps out there that you can choose from. SpyHunter for Mac is one of the reccomended Mac anti-malware apps, that can scan for free and detect any viruses. This saves time for manual removal that you would otherwise have to do.

How to Secure My Data from Mac Ransomware?

With few simple actions. First and foremost, it is imperative that you follow these steps:

Step 1: Find a safe computer and connect it to another network, not the one that your Mac was infected in.

Step 2: Change all of your passwords, starting from your e-mail passwords.

Step 3: Enable two-factor authentication for protection of your important accounts.

Step 4: Call your bank to change your credit card details (secret code, etc.) if you have saved your credit card for online shopping or have done online activiites with your card.

Step 5: Make sure to call your ISP (Internet provider or carrier) and ask them to change your IP address.

Step 6: Change your Wi-Fi password.

Step 7: (Optional): Make sure to scan all of the devices connected to your network for viruses and repeat these steps for them if they are affected.

Step 8: Install anti-malware software with real-time protection on every device you have.

Step 9: Try not to download software from sites you know nothing about and stay away from low-reputation websites in general.

If you follow these reccomendations, your network and Apple devices will become significantly more safe against any threats or information invasive software and be virus free and protected in the future too.

More tips you can find on our MacOS Virus section, where you can also ask any questions and comment about your Mac problems.

About the Mac Ransomware Research

The content we publish on SensorsTechForum.com, this Mac Ransomware how-to removal guide included, is the outcome of extensive research, hard work and our team’s devotion to help you remove the specific macOS issue.

How did we conduct the research on Mac Ransomware?

Please note that our research is based on an independent investigation. We are in contact with independent security researchers, thanks to which we receive daily updates on the latest malware definitions, including the various types of Mac threats, especially adware and potentially unwanted apps (PUAs).

Furthermore, the research behind the Mac Ransomware threat is backed with VirusTotal.

To better understand the threat posed by Mac malware, please refer to the following articles which provide knowledgeable details.

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree