Recently Palo Alto Networks reported a "ransomware" threat to Mac users named "KeRanger". After reading their analysis I found myself deeply concerned. Ransomware threats are nothing new, but I realized that this is probably the closest I've felt to the seedy world of cyber terrorism. Up until now all of that seemed to be aimed at governments, defense departments, big corporations... Windows users! Here we are, though, it's at our doorstep, and our neighbors are already victims. I received an email from a CCC customer yesterday that started with:
I happen to be one of the people who got hit with the ransomware hacks.
Yikes! I was not expecting a good outcome here. Thankfully, the rest of the email was:
Luckily I had a CCC of my drive and booted off that, deleted the ransomware files and was fine.
While this threat appears to be mostly contained at the moment, I think everybody should take some time to examine their defenses against this sort of attack. Having a backup is an obvious first step, but there are some additional steps that you can take to protect your backup too.
Protect yourself from ransomware
This particular ransomware attack is fairly clever. It lies dormant for a few days, then starts to encrypt your documents. It targets documents on externally-attached hard drives as well, and (in future developments) may even target Time Machine backups. CCC backups on external disks are vulnerable, as well. We have some suggestions that can help protect your backups from this sort of threat.
Keep your backup disk unmounted as much as possible
KeRanger targets volumes that are currently attached to your Mac and mounted. Physically detaching your backup disk from your Mac is the most effective way to protect that disk from attack, but it makes your backups more laborious, and you're less likely to keep them up to date. You can configure your CCC backup tasks to unmount the destination volume at the end of the backup task (click "Advanced settings" to reveal the option). With these settings, CCC will automatically mount the destination when the backup task is scheduled to run, then unmount the destination when the task is finished.
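For backups driven by a script rather than by CCC's scheduler, the same mount, back up, unmount cycle can be reproduced with macOS's `diskutil`. This is an added example, not CCC's own code; the device argument (a volume UUID or disk identifier) and the backup command are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example: keep a backup volume mounted only while a backup is running.
# Assumes macOS diskutil; DEVICE (volume UUID or disk identifier) and the
# backup command are supplied by the caller and are not from the original post.

# Return 0 if `diskutil info` reports the device as mounted.
is_mounted() {
    diskutil info "$1" 2>/dev/null |
        grep -Eq '^[[:space:]]*Mounted:[[:space:]]+Yes'
}

# backup_then_unmount DEVICE COMMAND [ARGS...]
# Mounts DEVICE if needed, runs COMMAND, then unmounts DEVICE whether or not
# the backup succeeded. Returns the backup's exit status, 2 if the volume
# could not be mounted, or 3 if it is still mounted afterwards (for example
# because another process is holding a file open on it).
backup_then_unmount() {
    dev=$1
    shift
    if ! is_mounted "$dev"; then
        diskutil mount "$dev" >/dev/null || return 2
    fi
    "$@"
    rc=$?
    diskutil unmount "$dev" >/dev/null
    if is_mounted "$dev"; then
        echo "warning: $dev is still mounted after the backup" >&2
        return 3
    fi
    return "$rc"
}

# Stand-alone use (arguments are placeholders):
#   sh backup-wrapper.sh <volume-uuid> rsync -a "$HOME/Documents/" /Volumes/Backup/Documents/
if [ "$#" -ge 2 ]; then
    backup_then_unmount "$@"
fi
```

The distinct exit status 3 lets a scheduler or monitoring job alert when the backup volume was left exposed after a run.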
Encrypt your backup disk with FileVault
Keeping your backup disk unmounted is sufficient to protect you against the current KeRanger attack, but it may not protect your backup from future attacks. Finding attached-but-not-mounted devices isn't very difficult, nor is it difficult to mount those volumes once you've found them. If the cyberswine figure this out, you'll need an additional layer of protection. FileVault encryption will effectively prevent unauthorized applications from mounting your backup disk. Enabling FileVault...