Should Mac users worry about ransomware?

Several of you have already expressed concern about the possibility of ransomware affecting macOS. As the MacUpdate site has recently published an article which claims that ransomware on the Mac is a serious risk and on the increase, I thought it timely to consider some of the issues. This is written in the light of Thomas Reed’s strong rebuttal of those claims.

Security is all about risk. When you lose touch with risk, security measures spiral out of control and your Mac and iOS devices quickly become useless. Yes, there is always a risk that macOS could be attacked by ransomware. Before going any further, though, you need to assess that risk.

One of the most important steps in assessing risk is to look at the history of that threat. Thomas has long experience of researching malware on the Mac, and his short history of its rarity and, so far, dismal failure is essential reading. If you only read one more article today, please make it that.

The other side of assessing risk is understanding the protection in macOS which is designed to make ransomware fail. The most vulnerable target for ransomware is an operating system in which it can modify parts of the system itself, such as its file system, to build its encryption in at a low level. This also lets it ‘own’ the whole system rather than just encrypting user data which can be replaced from backups.

macOS Catalina now contains multiple layers of protection which should make it much harder for ransomware to succeed, and should limit the damage it can achieve. These include:

  • System Integrity Protection (SIP), which prevents even root from modifying most system files;
  • Read-only System volume, new to 10.15, which can’t be written to without bypassing SIP and mounting the volume for writing;
  • Strict security for kernel extensions (KEXTs), which are now difficult to install even when specially signed and notarized;
  • Secure Boot, in Macs equipped with the T2 chip, which stops them from starting up from a modified copy of macOS;
  • XProtect, which in 10.15 checks apps every time they’re opened (not just when they have a quarantine flag set) against signatures of known malware;
  • Hardening, which limits software features which can be abused by malware;
  • Notarization, in which Apple scans all notarized apps to check them for malware;
  • Sandboxing, which limits what apps supplied from the App Store can do;
  • POSIX permissions and privileges, which limit access to files and features.

These don’t, and can’t, absolutely prevent ransomware. There are of course vulnerabilities which could be exploited to weaken or even bypass some of those layers of protection. However, they are intended to make it so difficult to create successful ransomware (and other forms of malware) that its authors choose a different platform altogether, or try another way to make money out of you.

Should we worry about ransomware then? Not at the moment, not as a specific risk to macOS. But if you are running an older version of macOS which doesn’t have all the security features of 10.15, or a Mac without a T2 chip, or have disabled some of the protection in macOS such as SIP, then you need to recognise that your risk is that bit higher.
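To see which of those three risk-raising conditions apply to a given Intel Mac, here is an added example (not part of the original article) that reads `csrutil status`, `sw_vers -productVersion` and `system_profiler SPiBridgeDataType`. The output strings it matches and the function names are assumptions of this sketch; off a Mac it runs on constructed sample output.

```shell
#!/bin/sh
# Added example: report which risk-raising conditions from the article apply.
# Parsers take command output as text so they can be checked on constructed samples.

# `csrutil status` output -> enabled | partial | disabled | unknown
sip_state() {
    case "$1" in
        *"Custom Configuration"*) echo partial ;;   # some SIP protections switched off
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# `sw_vers -productVersion` output -> yes if 10.15 or later, no if older
has_catalina_protections() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    case "$major$minor" in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 15 ]; }; then
        echo yes
    else
        echo no
    fi
}

# `system_profiler SPiBridgeDataType` output -> yes if a T2 chip is listed
has_t2() {
    case "$1" in *"Apple T2"*) echo yes ;; *) echo no ;; esac
}

# Print one line per condition that raises risk; prints nothing if none apply
risk_flags() {
    [ "$(sip_state "$1")" = enabled ] || echo "SIP is not fully enabled"
    [ "$(has_catalina_protections "$2")" = yes ] || echo "macOS is older than 10.15 or unknown"
    [ "$(has_t2 "$3")" = yes ] || echo "no T2 chip reported, so no Secure Boot"
}

if [ "$(uname -s)" = Darwin ]; then
    sip=$(csrutil status 2>/dev/null || true)
    ver=$(sw_vers -productVersion 2>/dev/null || true)
    t2=$(system_profiler SPiBridgeDataType 2>/dev/null || true)
else
    # Constructed sample values, used only when not running on macOS
    sip="System Integrity Protection status: disabled."; ver="10.14.6"; t2=""
fi
flags=$(risk_flags "$sip" "$ver" "$t2")
if [ -n "$flags" ]; then printf 'Risk raised by:\n%s\n' "$flags"; else echo "No risk-raising conditions found"; fi
```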