Microsoft doc details the dos and don’ts of Mac ransomware

Microsoft's extensive insights into Mac ransomware helped explain the nature of threats aimed at Apple's platform, but the post was subsequently removed.


As enterprise adoption of the Apple platform accelerates, it’s important to note that Macs can and sometimes do get hit by ransomware. So it’s worth staying alert to security concerns at both the platform and application level, and taking precautions.

Knowledge is power

With this in mind, the extensive insights into Mac ransomware that Microsoft recently published, only to remove them shortly afterward, can help explain these threats. The impact of such an attack can be huge: ransomware already costs victims hundreds of billions each year, and no one is immune.

UK newspaper The Guardian was hit by a ransomware attack in December and continues to suffer. In the US, Emsisoft says 1,981 schools, 290 hospitals, 105 local governments and 44 universities and colleges were hit by ransomware in 2022 alone.

Microsoft’s in-depth report was evidently intended to support adoption of its own security offering, Microsoft Defender, but it provides valuable advice to any company that wants to harden its Mac security.

However, security researchers such as Patrick Wardle noted that Microsoft's piece seemed close to statements made in his own excellent book, 'The Art of Mac Malware', which is available free online. He has also written an excellent post detailing some of the history of this scourge.

The anatomy of an attack

The original report does a good job of explaining some of the ways the most prevalent forms of ransomware try to hide themselves from automated analysis systems and from manual inspection. It’s useful to understand the methods that allow such attacks to take place undetected (until it’s too late).

It also helps guide first response if an attack does take place. In the case of some sophisticated attacks, it’s not enough to identify a single infection vector: once inside a system, some attackers implant second- and even third-stage components so that the intrusion survives if the first one is detected.

That’s why incident response teams sometimes carry out detailed system and network traffic audits before switching systems off. They know that once a compromised system is shut down, the attacker's activity stops and volatile evidence is lost, making it harder to trace the intrusion and identify the miscreant.

Good habits matter most

In many ways, the best advice can be seen as relatively basic. As ever, the most critical slice of sagacity is an admonishment to “install apps from trusted sources only, such as a software platform’s official app store.”

It’s vital to recognize that human error remains the most pervasive way in which attacks occur, and all teams should understand the need to remain watchful when installing software, even on the personal partitions of their device. You shouldn’t click on a link you don’t know the source of. You shouldn’t install an app you can’t trust.

It's simple stuff, but has a huge impact.

Another recommendation: use browsers that block malicious sites, phishing sites, and other sources of nasty malware. Microsoft recommends Edge, but in truth the key ingredient is to enable full security protection on your browsers and act if you receive a warning when browsing online.

Enterprise Mac management defense

Security teams also recommend that enterprises use the many macOS management (MDM) solutions that exist to secure even remote systems against attack. You can use an MDM console to restrict access to privileged system locations such as the LaunchDaemons and LaunchAgents folders, for example, which malware commonly uses to persist across reboots. Doing so helps mitigate some of the most common persistence techniques.
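The launchd folders mentioned above are where persistent jobs are declared, so auditing them is a cheap first check when you suspect a Mac has been compromised. The script below is an added example, not code from the article or from Microsoft's report; it parses launchd job plists with Python's standard plistlib and flags jobs that auto-start from untrusted, hidden or temporary paths, or that use an Apple-looking label for a non-Apple binary. The trusted-path list and the sample plists it writes to a temporary directory are constructed for illustration and are not real malware.

```python
"""Audit launchd persistence locations for suspicious auto-start jobs.

Added example (not from the article or Microsoft's report). Standard library only.
The sample jobs written by write_sample_plists() are constructed for the demo.
"""
import os
import plistlib
import tempfile
from pathlib import Path

# Standard launchd persistence directories on macOS (per-user and system-wide).
LAUNCHD_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons"]

# Executable locations treated as trusted for an auto-started job.
# Assumption for this example: an organisation would extend this with its own agents.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def job_program(job: dict):
    """Return the executable a launchd job starts, or None if none is declared."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return args[0]
    return None


def assess_job(job: dict):
    """Return the list of reasons a launchd job looks like suspicious persistence."""
    reasons = []
    program = job_program(job)
    if program is None:
        return ["no Program/ProgramArguments"]
    auto_starts = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    if auto_starts and not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"auto-start from untrusted path: {program}")
    # Executables tucked into dot-directories are a common hiding spot.
    if any(part.startswith(".") for part in Path(program).parts[1:]):
        reasons.append(f"hidden path component: {program}")
    if program.startswith(TEMP_PREFIXES):
        reasons.append(f"temporary directory: {program}")
    label = job.get("Label", "")
    # Labels mimicking Apple's reverse-DNS namespace for binaries Apple did not ship.
    if label.startswith("com.apple.") and not program.startswith(("/System/", "/usr/", "/Library/Apple/")):
        reasons.append(f"Apple-looking label {label} for non-Apple binary")
    return reasons


def audit_launchd_dir(directory):
    """Parse every .plist in directory; return {filename: [reasons]} for flagged jobs."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:  # an unreadable plist is itself worth a look
            findings[path.name] = [f"unparseable plist: {exc}"]
            continue
        reasons = assess_job(job)
        if reasons:
            findings[path.name] = reasons
    return findings


def audit_standard_locations():
    """Audit the standard launchd directories on the host this runs on (macOS)."""
    results = {}
    for d in LAUNCHD_DIRS:
        p = os.path.expanduser(d)
        if os.path.isdir(p):
            results.update({f"{p}/{k}": v for k, v in audit_launchd_dir(p).items()})
    return results


def write_sample_plists(directory):
    """Write constructed sample jobs (not real malware) into directory for the demo."""
    samples = {
        # Ordinary vendor updater living in /Applications: should not be flagged.
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
            "RunAtLoad": True,
        },
        # Apple-looking label pointing at a hidden file in the user's home directory.
        "com.apple.fakesvc.plist": {
            "Label": "com.apple.fakesvc",
            "ProgramArguments": ["/Users/alice/Library/.fakesvc/svc", "-d"],
            "RunAtLoad": True,
            "KeepAlive": True,
        },
        # Dropper left in a temp directory and set to start at login.
        "com.example.tmpjob.plist": {
            "Label": "com.example.tmpjob",
            "Program": "/private/tmp/updater",
            "RunAtLoad": True,
        },
    }
    for name, job in samples.items():
        with open(Path(directory) / name, "wb") as fh:
            plistlib.dump(job, fh)


def demo():
    """Run the audit over the constructed samples and return the findings dict."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_plists(tmp)
        return audit_launchd_dir(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

On a real Mac, call audit_standard_locations() instead of demo(); the heuristics are deliberately simple, so treat a hit as a prompt for manual inspection of the job and its binary (code signature, hash, creation time) rather than as proof of compromise.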

Another good reason to use enterprise management systems is that these can be employed to remotely install security and operating system updates as they emerge.

Installing software updates is a critical step to Mac or any other platform security.

Apple has published several critical security updates in recent months, and the pace at which it is doing so reflects the significantly increased activity among threat actors at this time. This is also why Apple has put Rapid Security Response in place for the Mac, a mechanism that lets the company push urgent security fixes across the Mac platform without waiting for a full operating system update.

Such reports should be of interest to anyone involved in active IT administration or security protection. Microsoft's report analyses how four Mac ransomware families (KeRanger, Filecoder, MacRansom and EvilQuest) abuse system functionality to infect machines.

The original report explained how they install themselves, mask their existence, proliferate, and ensure their own persistence in the event of a system restart. It’s fascinating stuff, which Microsoft has shared as a “technical reference that researchers can use and build upon to understand Mac threats and improve protections.”

However, on removing the report, Microsoft's security team tweeted to Wardle: "We are grateful to the security research community who works tirelessly to protect our world. We heard the feedback that we didn't acknowledge the extensive work done by others on this topic. We have removed this blog."

Security, security, security

We can anticipate a great deal of activity around security on Apple’s Mac and mobile platforms this year. Apple has told us it is taking this extremely seriously, in part because we live in dangerously hostile times; the recent Twitter hack shows that multiple parties are seeking out weaknesses right now. Apple partners, including Jamf, also provide valuable Mac protection, and Apple itself recently launched a new security portal offering in-depth security insights.

Meanwhile, you and your staff should be careful about where you download apps, avoid clicking on links you don’t recognize, and ensure full browser security features are enabled. You should also use strong passwords for Macs and all your services and use built-in features such as "Protect Mail Activity" and iCloud Private Relay to help harden overall security and identity protection. And if you think you might be under attack, or likely to be, do use Lockdown Mode.

Report updated January 13 with news of Microsoft's removal of the original post, some insight into why and addition of new resources to help enterprises understand and battle ransomware.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.


Copyright © 2023 IDG Communications, Inc.
