Protecting your Mac from Ransomware
Table of Contents
ToggleINTRODUCTION
Ransomware is slowly but surely becoming a reality on macOS. It’s only a matter of time before such malicious software becomes widespread. This guide provides several strategies that you can employ to prepare and protect against ransomware attacks. It also shows how ChronoSync can be used to enrich those strategies and offer greater peace of mind.
WHAT IS RANSOMWARE?
Put simply, ransomware is a category of malware that takes your data hostage and demands cash payment to regain access to it. It does this by encrypting all of the document data on your hard drive, making it unusable by you. After encryption is complete, the ransomware usually displays a notice informing you of what has happened and what you can do about it. Usually, a cash payment is demanded in the form of Bitcoin, thus protecting the identity of your attacker. Once the payment has been made, the attacker provides you with the encryption key necessary to decode all your data, making it accessible to you again.
While ransomware has been much more prominent on other platforms, it has slowly been making its way over to the Mac. For some high profile examples, see:
https://nakedsecurity.sophos.com/2017/02/15/rsa-2017-deconstructing-macos-ransomware/
WHAT CAN YOU DO TO PROTECT AGAINST RANSOMWARE?
First and foremost, don’t run software from untrusted sources! All versions of macOS since 10.7.3 include a system software component named Gatekeeper. It can prevent “unauthorized” applications from running on your Mac. This is configured in the “General” panel of the “Security & Privacy” System Preferences pane. By default it is set to only allow apps from “App Store and Identified Developers” to run on your computer. When an app doesn’t meet this criteria, the following notice is displayed:
While you can override these settings, you should ask yourself if you really trust the source of the software you are about to run. If not, don’t run it!
While Gatekeeper is a good first line of defense, it is not infallible. There have been instances of Gatekeeper getting bypassed. There’s also the possibility that trusted developers themselves get hacked and malicious code inserted into their product without them knowing. What’s one to do to protect against this? Well, the second line of defense is anti-virus software!
All versions of macOS since 10.6 include an anti-virus component known as XProtect. If it identifies a virus, it can take steps to prevent such malware from infecting your computer. Many third-party anti-virus solutions also exist that can do the same thing, sometimes in a more thorough manner. The problem is that anti-virus software mainly looks for known malware. When a new piece of malware is created, it is up to security researchers to spot it in the wild before anti-virus software can be updated to look for the new malware. This creates a window of vulnerability between the malware’s creation and eventual discovery, and this places all users at risk.
Making matters worse, ransomware does not have to be particularly sophisticated to do its damage. It can masquerade as any form of software and usually draws users in via social engineering techniques. A lot of damage can be done in a very short amount of time, so all that is necessary is that you get tricked into launching a piece of software. While you are going through supposed “Install” or “Welcome” screens, the software can be quietly making your data files inaccessible in the background.
It’s because of the ease at which ransomware can do harm that most security professionals emphasize that the only true protection against this class of malware is to have a good offline backup — this is your LAST line of defense!
WHAT IS AN OFFLINE BACKUP?
An offline backup is a copy of your data that is not normally accessible to you or, more importantly, the applications that run on your Mac. This is important because if you can navigate to view your backup files from Finder, then so can any ransomware! In fact, it is quite common for ransomware to scan all mounted volumes and encrypt each and every document file it encounters. There have even been situations where organizations have had all the data on their central file server encrypted because one infected user had the server mounted when the malware was doing its dirty work!
Using a Local Volume
One technique commonly employed is to have a backup hard drive that is not normally mounted. This qualifies as offline backup because if it isn’t mounted, ransomware cannot get to the data stored on it. Care must still be taken, however, because there are two potential weaknesses to this approach: the first is that when running a backup, you’ll have to mount the volume so that data can be placed on it. During this brief time, your backup data is exposed to any malware that is installed on your computer. Having third-party anti-virus software is a good, though not foolproof, protection against this since it may detect the malicious activity as it is occurring.
The second weakness is that if the backup drive is physically connected to your computer, it is fairly simple for malware to scan your interfaces and mount any devices it finds. This weakness can be dealt with by leaving the device turned off until you need it and/or protecting it with encryption.
Encrypting your backup volume is a good idea on two fronts. First, your backup data is encrypted by a password that you control. If your drive is lost or stolen, the data stored therein is safe from prying eyes. The second advantage is that the encryption password is required to mount the volume. Even if malware detects such a volume exists, it won’t be able to mount the volume without the password. For this reason, it is important NOT to store your encrypted volume’s password on your local Keychain because it will be easier for malware to unlock the volume.
When backing up to a local volume, there is one last point that is very important to remember — dismount the volume when finished! It’s very easy to run a backup and then forget about it, leaving your volume mounted and exposed to future malware.
What About Cloud Backup?
Backing up your data offsite using a cloud-based service is a good idea for data redundancy. If anything happens to your local devices (e.g. fire or theft), a copy exists in the cloud that you can revert to. Is this approach a safe way to protect against ransomware? Well, it all comes back to the question — can you access your cloud-based data from Finder? If the answer is yes, then so can ransomware!
File sync services such as iCloud Drive or Dropbox are quite vulnerable to ransomware. Other cloud based backup solutions that use proprietary protocols — and don’t allow access to your data via Finder — are much safer. Most cloud services offer some degree of archival storage (i.e older versions of your files are maintained). If this is available for the service you are using, you should take advantage of it. That way, if ransomware encrypts your primary files, older versions exist that you can revert to. Note: Many services offer archival backup for only a short period of time (e.g. 30 days) and require you to pay more to retain older copies of your files.
HOW CAN CHRONOSYNC HELP?
First and foremost, ChronoSync can help by allowing you to create a multi-tiered backup strategy that will protect not only against ransomware but general data loss! While running backups does not provide guaranteed protection against ransomware, NOT running backups IS a guaranteed road to failure!
Begin By Validating Your Data
Not mentioned above is the fact that if you have been taken hostage by ransomware, you may not realize it before your backups are run. The end result is that all your ransomware-encrypted files have been diligently backed up! If such occurs, hopefully you have a multi-tiered, archival system in place. Resorting to archives of your backups is never something you want to have to do, however. The way you prevent this from happening is to audit your data before running a backup.
What is auditing? Well, it is simply a fancy term for ensuring that your data has not been encrypted before backing it up. This can be as simple as manually inspecting your files and making sure they look intact. In the case of the KeRanger malware, encrypted files were all renamed with an “.encrypted” extension, so perusing your file system in Finder would immediately reveal that something was not right.
If you set up a scheduled task in ChronoSync to perform your offline backup, you can take advantage of the “Prompt user before running” setting when scheduling the task.
This way, when the backup comes due, you can perform a quick, visual audit of your files before allowing it to continue.
A more sophisticated technique to audit your data is to create a pre-synchronization script that checks the data for you. We’ve prepared a tech-note that does just that by creating a “honeypot” data file and verifying its integrity before allowing the backup to run.
If malware has encrypted this file, the script will detect it. Post-sync notifications can then be used to alert you that something is wrong. Check out the Honey Pot tech note.
Backing Up to a Local Volume
As mentioned earlier, backing up to a local hard drive is a viable solution provided you take some precautions when running your backups. The first is to make sure that your backup volume is not mounted when it is not being used (thus keeping it offline). You can have ChronoSync automatically mount a volume for backup and dismount it when finished. This is accomplished by clicking “Options…” for your destination target.
The “Attempt to mount volume” setting will try to mount the hard drive when the backup task is run and “Dismount volume after synchronization” will take the volume offline. It is recommended that you do NOT enable “Only if mounted by this document.” That way, if you inadvertently mounted the volume prior to running your backup, ChronoSync will force it to be dismounted after the backup is complete.
We suggested earlier that encrypting your backup volume would be a good idea. If the volume is encrypted, ChronoSync provides the option of saving the encryption password so the volume can be automatically mounted when the backup is run.
While this is certainly convenient, you may want to consider NOT doing this. While ChronoSync encrypts the password within the synchronizer task, it is not out-the-question for malware to hunt down your synchronizer tasks and try to extract this information. This would require a degree of sophistication not yet witnessed in malware but it cannot be discounted as a possibility. The only sure way to keep the password for your encrypted volume secret is to keep it in your head! If you choose not to have ChronoSync supply the password, you will receive a prompt when ChronoSync tries to mount the backup volume.
Another approach is to set up an event-based schedule for your offline backup. To do this, choose “Add to schedule…” for your synchronizer task and choose “When a volume mounts” as your “Run” option.
At this point, you can leave your external backup drive powered off during normal use. When you want to run your backup, simply turn it on. Once it spins up, your computer will try to mount it (prompting for encryption password, if it is encrypted). When it does finally mount, ChronoSync will automatically run the backup and dismount the volume when finished. You can then power-off the device and let it sit completely isolated from your computer until you are ready to run another backup.
Backing Up to the Cloud
ChronoSync has the ability to backup and synchronize to cloud-based services such as Amazon S3, Google Cloud Storage and Backblaze B2. It can also backup to Internet servers using the SFTP protocol. Support for additional cloud services and file sharing protocols will be offered in future releases.
Backing up to a cloud-based service is nearly as simple as using a local hard drive. You must first create a connection profile with the credentials used for connecting to the service. After that, your cloud storage service will appear just like any other volume and you can then create a folder to store your backed up data. Details on setting up these services can be found in the following guides: Configure and Backup to Amazon S3 Storage, Configure and Backup to Google Cloud Storage, Configure and Backup to Backblaze B2 Storage and Configure and Backup to an SFTP Server.
An advantage of using ChronoSync to backup to cloud services is that it implements a direct, closed connection to those services. This means the files that are stored in the cloud are not accessible to any other apps — or malware — that is running on your Mac. Put simply, there is nothing between ChronoSync and the cloud that can tamper with your data. Of course, auditing your source data is just as important for cloud backup as it is for any other type of backup. You can easily employ the techniques discussed above for cloud backup just like you would for local backup.
The disadvantage of cloud-based backup is that performance is severely limited by the bandwidth of your Internet connection. If you’re dealing with extremely large amounts of data, cloud backup may simply not be practical. For that there is another solution…
Backing Up Using ChronoAgent
ChronoAgent is a high-performance file sharing tool designed specifically for use with ChronoSync. By installing ChronoAgent on a remote Mac on your network (or even across the Internet), you can target any drive on the remote system to be the destination (or source) of a backup operation. ChronoAgent increases performance significantly and increases security by encrypting your data in transit. As far as ransomware is concerned, it offers protection by using a direct communication channel and proprietary communication protocol. This shields your remote data from any other app — and malware — that may be running on your local machine.
Like cloud-based backups, backing up to a ChronoAgent Mac is nearly as simple as using a local hard drive. In fact, it is eerily similar. Tasks such as mounting and dismounting remote volumes on the remote Mac (including encrypted volumes) are possible over a ChronoAgent connection. Virtually everything you can do locally is possible over a ChronoAgent connection with the benefit of completely shielding remote data from other apps on your Mac. With gigabit Ethernet, and a reasonably fast Mac on the other end, it can feel as fast as a local hard drive, too!
ChronoAgent offers the best mix of performance and security and is a perfect weapon to protect against ransomware. Of course, auditing your source data is just as important for ChronoAgent backups as it is for any other type of backup. You can easily employ the techniques discussed above for ChronoAgent backups just like you would for local backups.
Other Considerations When Using ChronoSync
Regardless of the exact nature of your backup scheme, ChronoSync offers other benefits when protecting your backups from ransomware. These include:
Multifaceted. Setting up a multi-tiered backup scheme that targets multiple destinations and runs at differing schedules, is a forte of ChronoSync. This is important in ensuring you have multiple levels of redundancy, not just as protection against malware, but as protection against data loss in general.
Archiving. Any ChronoSync backup can be configured to enable archiving, which keeps older copies of data (or deleted data) available for retrieval. The behavior of a backup archive is fully customizable, so you can decide just how much older data you would like to retain (and how long to retain it). This is important if, by chance, ransomware did strike before you detected it. As long as your backups were maintained offline, the archived versions of your files should be intact.
Rotation. The multifaceted nature of configuring ChronoSync backups makes it easy to set up rotated backups. This allows you to swap out a destination drive frequently so that you are always assured of having an unadulterated set of data stored offsite. This can be accomplished by setting multiple synchronizer tasks for each drive you wish to rotate. Or you can set up a Mirror operation and target the same volume. Disabling “Strict Volume Identification” would allow you to rotate drives as long as they have the same volume name. Note: It’s important to set the operation to “Mirror” when doing this.
CONCLUSION
Mac users can no longer assume that ransomware attacks will only affect Windows users. Take the necessary measures, as outlined in this guide, to protect against ransomware attacks and stay safe.
Contact our technical support team and just ask if you have any questions about the content in this guide or about any of our products. We don’t mind — we’re here to help!
Download Trial Version
Download a full working Trial version of ChronoSync.