A ransomware virus is a type of virus that encrypts your files or denies access to your computer until you pay a ransom. Ransomware viruses are not showing any sign of slowing down. If anything, they are appearing in more variants and spreading to more operating systems. In this article we will explain more about ransomware viruses on Mac and how you can remove them and prevent any damage to your files.
|Type|Ransomware for Mac OS|
|Short Description|Aims to encrypt the important files on your Mac and ask you to pay ransom to get the encrypted files to work.|
|Symptoms|Files are encrypted and cannot be opened. A ransom note may appear as a text file or a wallpaper.|
|Distribution Method|Via spam e-mails, fake apps or malicious links and files on shady sites.|
Ransomware for Mac – How Did I Get It and What Does It Do?
As interesting as it may seem, ransomware viruses for Mac are not something new. Back in 2016, the KeRanger ransomware virus for Mac appeared – a dangerous cryptovirus that encrypted files and held them hostage. The virus spread and infected Macs by abusing a security certificate to bypass Mac OS's Gatekeeper. Luckily, the virus was contained, and for now things seem quiet with this ransomware family.
When it comes to how ransomware for Mac infects, the main method is via a hacked website, like the “Transmission.com” site previously used by KeRanger ransomware. It was hacked and the download for the Transmission torrent client was replaced with a file containing the KeRanger ransomware virus. Another way you could become a victim of a ransomware virus is by downloading the virus file from an e-mail sent to you. Usually, ransomware e-mail attachments imitate legitimate and important documents, like receipts, invoices and other documents of that kind. Those e-mails are carefully masked, like the example of a virus e-mail shown below:
Once you become a victim of a ransomware virus, the following files on your Mac could be endangered:
Documents: .doc, .docx, .docm, .dot, .dotm, .ppt, .pptx, .pptm, .pot, .potx, .potm, .pps, .ppsm, .ppsx, .xls, .xlsx, .xlsm, .xlt, .xltm, .xltx, .txt, .csv, .rtf, .tex
Images: .jpg, .jpeg,
Audio and video: .mp3, .mp4, .avi, .mpg, .wav, .flac
Archives: .zip, .rar, .tar, .gzip
Source code: .cpp, .asp, .csh, .class, .java, .lua
Database: .db, .sql
The encryption process may use different encryption algorithms and modes of operation, like the following:
- AES (Advanced Encryption Standard).
- RSA (Rivest-Shamir-Adleman).
- CBC mode.
After encryption, the ransomware virus may add a ransom note, where the criminals usually request a ransom to be paid to get the files back. The ransom is usually paid in Bitcoin and can vary from hundreds of dollars to thousands.
Remove Ransomware from Your Mac
Compared to the Windows operating system, ransomware for Mac may be a bit trickier to remove. Some viruses, like the Padlock ransomware for Mac, aim to lock your entire screen, preventing you from even accessing your Mac. In those cases, the fixes we have provided in the instructions below need to be done in Safe Mode on Mac. To boot your Mac in Safe Mode, follow these steps:
Step 1: Start or reset your Mac device and then hold the SHIFT key. The Apple logo shall appear on your display.
Step 2: You will see a login Window. When you see it, release the SHIFT key and you are done. You might be asked to enter your username and password for verification.
In addition to those steps, you could also apply the following fixes to your Mac:
1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
2. Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users//Library/kernel_service”. If so, the process is the ransomware virus’s main process. We suggest terminating it with “Quit -> Force Quit”.
3. After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” exist in the ~/Library directory. If so, you should delete them.
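The three checks above can be run from Terminal in one pass. The script below is an added example, not part of the original instructions: it only reads and reports, using the file paths and the process name listed in steps 1 to 3. The function names and the --scan argument are this example's own.

```shell
#!/bin/sh
# Added example: read-only check for the KeRanger artifacts from steps 1-3.
# File paths and the process name come from the steps above; the function
# names and the --scan switch are hypothetical, chosen for this example.

# Print every artifact file that exists.
#   $1 = filesystem root prefix ("" for the live system)
#   $2 = home directory to inspect
# Returns 0 if at least one artifact was found, 1 if none were.
keranger_scan_files() {
    root="$1"; home="$2"; rc=1
    for f in \
        "$root/Applications/Transmission.app/Contents/Resources/General.rtf" \
        "$root/Volumes/Transmission/Transmission.app/Contents/Resources/General.rtf" \
        "$home/Library/.kernel_pid" \
        "$home/Library/.kernel_time" \
        "$home/Library/.kernel_complete" \
        "$home/Library/kernel_service"
    do
        if [ -e "$f" ]; then
            printf 'FOUND file: %s\n' "$f"
            rc=0
        fi
    done
    return "$rc"
}

# Report a running process named exactly "kernel_service" (step 2).
# Returns 0 if one is running, 1 otherwise or if pgrep is unavailable.
keranger_scan_process() {
    command -v pgrep >/dev/null 2>&1 || return 1
    pids=$(pgrep -x kernel_service) || return 1
    printf 'FOUND process kernel_service, pid(s): %s\n' "$pids"
}

# Run against the live system only when asked:  sh keranger_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    hits=0
    keranger_scan_files "" "$HOME" && hits=1
    keranger_scan_process && hits=1
    [ "$hits" -eq 1 ] || echo "No KeRanger artifacts found for this user."
fi
```

Passing a mounted backup or disk image as the first argument of keranger_scan_files checks that copy instead of the running system.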
For maximum effectiveness, we recommend scanning your Mac with a professional anti-malware program in addition to doing the manual fixes. Such a program will detect and remove any viruses from your Mac and locate and eliminate all of the malicious components safely.
And when it comes to your files, we suggest backing them up and watching for future updates from researchers about your virus. In the meantime you could try using Data Recovery or other types of damage control programs.