MacDirectory magazine is the premiere creative lifestyle magazine for Apple enthusiasts featuring interviews, in-depth tech reviews, Apple news, insights, latest Apple patents, apps, market analysis, entertainment and more.
Issue link: https://digital.macdirectory.com/i/1277879
In short, macOS can only go so far in protecting users from their own stupidity, and applications are still applications, so if you download a program that contains bad code and explicitly run it, macOS will happily follow your instructions, even if that means wiping out every file in your Documents folder. The latest case in point of this is new "ransomware" that's not being discovered latched onto seemingly-legit, albeit pirated, Mac apps. As reported by Malwarebytes, the new ransomware, which has been dubbed "EvilQuest" was found in a pirate copy of the Little Snitch app that's been making the rounds on Russian forums and torrents. The download comes in a PKG file that actually contains a valid copy of Little Snitch but also bakes in another script that runs after users install the app that dumps ransomware onto your Mac. Postinstall scripts normally run to clean up files after the installation of an app, but of course they can do a lot more, since they're ultimately just scripts that run on your Mac. Notably, the actual legitimately purchased version of Little Snitch doesn't come as a package file at all. Malwarebytes has a more in-depth analysis for those interested in the gory technical details of how this all gets installed on your Mac, but the main effect of this particularly nasty little piece of ransomware is to start encrypting whatever files it can get its hands on, from your documents to system files and things like the macOS system Keychain. While it apparently takes a bit of time before the ransomware starts doing its thing, once it does users are shown a pop-up telling them that their files are now encrypted, and presenting a limited time offer for a "decryption service" that can be used to unlock your files. This of course is where the "ransom" in "ransomware" comes in, since what EvilQuest does it to effectively hold all of your files, and in fact potentially your entire system, hostage, and due to the nature of encryption, there really is no simple way to get back at your data unless of course you have backups from before your computer became infected. Synchronized cloud storage won't help you here either, since even if you're using iCloud, Google Drive, Dropbox, or another similar service, as your files are encrypted, the encrypted versions will be uploaded to your cloud storage service, overwriting the unencrypted ones. If you have a cloud service that provides versioning or the ability to restore from older backups, you could get some of these back, but they're ultimately no replacement for actual regular offline backups. That said, Malwarebytes is still conducting further analysis, and suggests that it's possible that the encryption used by EvilQuest could be easier to crack, but that's far from a sure thing. Unfortunately, once EvilQuest has begun encrypting your files, the only way to get rid of it is by formatting the entire disk and restoring from backup. How to Avoid Malware on your Mac To be fair, the secure architecture of macOS usually makes it difficult for mos t malware to gain a foothold without engaging in some pretty risky behaviour and specifically bypassing security controls that are normally designed to prevent this sor t of thing. For example, there's the obvious matter of downloading pirated apps in the first place, although sometimes that's not as obvious. For example, users who might never even think of visiting a Russian torrent site might be perfectly happy to install a copy of an app that a friend sends over to them, and you may not realize where this actually came from. Unfortunately, as good as some of the protections in macOS are, too many users have been conditioned to just go right through them without giving them much thought. For example, when prompted to enter an administrator password to install an app, most users will just happily key it in almost from muscle-memory without stopping to ponder why the app they're installing actually needs administrator privileges (and neither Apple nor app developers do as good as job as they should of explaining this). That said, even the most diligent and security- conscious Mac users can still be tripped up sometimes, especially since f laws do occur in macOS from time to time that can be exploited by malware. While anti-malware software can certainly help, the best thing you can do to avoid these sorts of problems is to question ever y thing that you choose to install — especially if it doesn't come from the Mac App Store — and also keep regular backups, at least one of which should be on a hard drive that's not normally connected to your Mac.