Skip to main content

New Mac Ransomware Appears, and There's Only One Defense

The first strain of Mac encrypting ransomware was pretty bad, but this new strain is even worse.

Antivirus firm ESET has just discovered ransomware that masquerades as a software authorization "crack," encrypts all of your files and then demands about $300 in payment.

A new strain of ransomware demands nearly $300 in payment. Credit: Shutterstock

(Image credit: A new strain of ransomware demands nearly $300 in payment. Credit: Shutterstock)

In a particularly cruel twist, this new Mac ransomware probably can't even deliver the decryption key for your locked files if you pay up. ESET's antivirus software can stop this ransomware before it hits your Mac, but at the moment, it may be the only security suite that can.

WeLiveSecurity, ESET's blog, posted a comprehensive breakdown of the unnamed ransomware today (Feb. 22). The ransomware targets users who try to download software cracks or "patchers" — workarounds for the authorization keys required to run expensive productivity tools such as Adobe Premiere Pro and Microsoft Office. ESET pointed out that there are likely other pieces of misleading malware out there.

MORE: Best Mac Antivirus Software

Assuming you try to install one of the patchers, it will open up a transparent window and instruct you to click Start to crack your ill-gotten software. However, clicking the button actually begins an encryption process on all of your files, then copies a README message into locations where users are likely to find it.

The README is standard ransomware stuff: Your files have been encrypted, we have the keys, send us Bitcoin, don’t waste your time trying to decrypt your files on your own. The scammers want one-quarter bitcoin, or roughly $286 per current rates, in exchange for a decryption key.

There's only one catch: ESET observed that the ransomware lacks the code to communicate with a command-and-control server. Most ransomware sends the key with which it encrypts your files to a C&C server before it deletes the key locally, so that the ransomware controllers can send it back to you after you pay.

But this one doesn't have the means to send that the encryption upstream. In other words, you can pay all the bitcoin you want, but the cybercriminals likely do not have the capacity to decrypt your files. It may all be a ruse.

ESET did observe a few bright spots about the ransomware. The company has been able to monitor the scammers' Bitcoin wallet and email account, and observed that no one has yet paid any money or corresponded with the criminals. On the other hand, since there's apparently no way to supply a decryption key, any files locked by this ransomware may be well and truly gone for good.

At present, ESET is the only antivirus program that can stop the Mac ransomware in its tracks, at least according to VirusTotal. (More antivirus programs will have added it by this time tomorrow.)

Still, unless a user actually downloads a fake patcher from a repository of software crackers, types in an administrative password to install the patcher and clicks "Start," the malware can't operate, so using some online common sense will also prevent it from wreaking havoc with your files.

Experts have predicted that instances of Mac malware will increase in 2017. If that’s true, this new ransomware appears to be an early manifestation of the trend. Only six or seven new pieces of Mac malware were found in 2016, but February's not yet over, and we've already found four this year.

For now, Mac users should install an antivirus program (even if it’s not ESET, it will still catch plenty of other threats), back up their files frequently and steer clear of shady torrents and software crackers.