Basic self-defence: How to block the NEXT ransomware outbreak

7 March 2016, 07:00

Although yesterday’s OSX.KeRanger.A malware was blocked by Apple before it had a chance to strike, this inaugural ransomware outbreak on the Mac serves as a clanging wake-up call. If you want to be ready for the NEXT time this happens, just in case Apple doesn’t catch it in time, follow these basic steps.

Keep an eye on persistent apps

Somewhat presciently I wrote about this a few days ago but, in summary, the superb and free of charge BlockBlock app sits in the background and watches locations on your file system where apps install if they want to run persistently – that is to say, run quietly in the background and autostart on boot-up/reboot. Malware has to do this by its very nature, although legitimate apps sometimes do too. However, I consider BlockBlock a basic necessity on a modern Mac. To check for existing apps that have installed themselves persistently you can use Etrecheck.

Keep an eye on outgoing network connections

OS X includes a firewall but it only blocks unauthorized incoming connections. To keep an eye on which apps are attempting to make outgoing connections, you’ll need an app like Little Snitch or Hands Off!. Put simply, these apps flash up a message if any app or background process attempts to access the Internet. You can then allow it, or block it – either temporarily or permanently. Alas, these apps aren’t cheap. There are some free apps with similar functionality, but they aren’t as easy to use.

Back-up files

Ransomeware works by encrypting your files with a secret password, that it then attempts to sell you. Sometimes the encryption is limited to certain folders but we can’t always assume this is true. Therefore, we have to assume that if any file is visible to the user – even in the Dropbox folder, for example, or across a network share to a NAS – then it could be a target.

In other words, cloud storage isn’t really any kind of protection in this instance, although you might be able to retrieve a previous non-encrypted version of the file with a service like Dropbox (note that iCloud Drive doesn’t currently support file versioning).

The only cloud backup that counts here, therefore, are genuine backup services like SpiderOak. These use constantly-running background apps to backup your files to remote servers and usually keep older versions of files too. Therefore these backups should be out of reach of the malware – although you’ll have to remember to turn off the backup app should you be hit by ransomware in case you overwrite your backed-up data with the encrypted versions.

You might also backup to a USB stick that you only attach to the computer for the purposes of backup, and leave unplugged at all other times (pro tip: a USB stick that attaches to your keyring is good for this purpose).

Other measures

I might suggest you enable Gatekeeper protection on your Mac if you haven’t already. It’s in the Security & Privacy section of System Preferences – ensure the General tab is selected, and that the radio button beneath Allow Apps Downloaded From reads only Mac App Store and Identified Developers (click the padlock icon if everything is greyed out).

However, OSX.KeRanger.A used a stolen certificate to bypass Gatekeeper. We have to wonder how much use it really is.

I might also advise only installing apps directly from the website of the developer concerned but, again, somehow that procedure failed here with the malware being injected directly into the official update file.

Is it finally time to consider having an anti-malware app running all the time on a Mac? Well, the Mac DOES have anti-malware protection. It’s called Xprotect and it runs/is updated in the background, so the user isn’t aware of it. More importantly, it worked here just like it should – Apple removed OSX.KeRanger.A before its payload could be unleashed. With every new version of OS X, Apple builds in more and more effective (and industry-leading) security. El Capitan shipped with System Integrity Protection, for example.

To be blunt, when I look at the horror story that is anti-malware software on Windows, I’m convinced we should not walk down that road on the Mac. Use a virus scanner by all means to periodically scan your files – I recommend the free-of-charge duo of Malwarebytes Anti-Malware and BitDefender Virus Scanner – but there’s no need to keep such an app running all the time on your Mac.

If there ever comes a time when that’s needed, we here at Mac Kung Fu will let you know. And keeping an eye on Mac Kung Fu (and signing up for our email newsflash service) is perhaps one of the best moves you can make. We were the first to report on the Transmission OSX.KeRanger.A infection, for example, and have been first to report on other security issues too, such as the Error 53 iOS-bricking scandal.

Leave a comment...


OK I managed to escape the Transmission hack – extremely lucky as I reckon I would have been one of the first to download it probably due to my timezone in Australia.

But I thought I better be safe and reluctantly downloaded the Malwarebyes Anti-Malware you recommended. Had a Mac for 10+ years now and first time I’ve felt the need.

And found not one – but two !!!

Awesome Screenshot and Search Me safari and chrome extensions.

Both installed apparently courtesy of, ironically, uTorrent !!

— Michael Quinn · Mar 7, 03:07 PM · #

Yeah, you prob want to avoid uTorrent :-)

Transmission is safe, and a great program. It just got hit by a very unusual and targeted series of events.

Keir · Mar 8, 02:23 AM · #