Recently Palo Alto Networks reported a "ransomware" threat to Mac users named "KeRanger". After reading their analysis I found myself deeply concerned. Ransomware threats are nothing new, but I realized that this is probably the closest I've felt to the seedy world of cyber terrorism. Up until now all of that seemed to be aimed at governments, defense departments, big corporations... Windows users! Here we are, though, it's at our doorstep, and our neighbors are already victims. I received an email from a CCC customer yesterday that started with:
I happen to be one of the people who got hit with the ransomware hacks.
Yikes! I was not expecting a good outcome here. Thankfully, the rest of the email was:
Luckily I had a CCC of my drive and booted off that, deleted the ransomware files and was fine.
While this threat appears to be mostly contained at the moment, I think everybody should take some time to examine their defenses against this sort of attack. Having a backup is an obvious first step, but there are some additional steps that you can take to protect your backup too.
Protect yourself from ransomware
This particular ransomware attack is fairly clever. It lies dormant for a few days, then starts to encrypt your documents. It targets documents on externally-attached hard drives as well, and (in future developments) may even target Time Machine backups. CCC backups on external disks are vulnerable, as well. We have some suggestions that can help protect your backups from this sort of threat.
Keep your backup disk unmounted as much as possible
KeRanger targets volumes that are currently attached to your Mac and mounted. Physically detaching your backup disk from your Mac is the most effective way to protect that disk from attack, but it makes your backups more laborious, and you're less likely to keep them up to date. You can configure your CCC backup tasks to run a postflight shell script to eject the destination after the task runs:
- Download our "Eject Destination" shell script
- Move the shell script to /Library/Application Support/com.bombich.ccc/Scripts on your startup disk
- Open CCC and select your backup task
- Click the "Use Advanced Settings" button at the bottom of the window
- Click the button to choose a shell script in the "After Task Runs" section and select the eject_destination.sh script
- Save your task
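A sketch of what a postflight eject script can look like, added here as an illustration; it is not the "Eject Destination" script offered above. It assumes the backup tool calls the script with the source path, the destination path and the task's exit status as its first three arguments, and the `DISKUTIL` override is a hypothetical hook for exercising the logic away from a Mac.

```shell
#!/bin/sh
# Postflight sketch: unmount the backup volume once the task has finished,
# so it is not left mounted between backups.
# Assumption: $1 = source path, $2 = destination path, $3 = task exit status.

# Hypothetical override so the decision logic can be tested without diskutil.
DISKUTIL="${DISKUTIL:-/usr/sbin/diskutil}"

# Print the mount point to unmount and return 0, or return 1 to leave it alone.
volume_to_unmount() {
    dest="$1"
    task_status="$2"

    # After a failed task, keep the disk mounted so the failure can be inspected.
    [ "$task_status" = "0" ] || return 1

    # Only act on volumes mounted under /Volumes; never touch the startup disk.
    case "$dest" in
        /Volumes/?*) ;;
        *) return 1 ;;
    esac

    # Reduce "/Volumes/Backup/some/folder" to "/Volumes/Backup".
    rest="${dest#/Volumes/}"
    name="${rest%%/*}"
    case "$name" in
        ""|.|..) return 1 ;;   # reject "/Volumes//x" and path tricks
    esac

    printf '/Volumes/%s\n' "$name"
}

eject_destination() {
    # Nothing to unmount is not an error for the backup task.
    vol=$(volume_to_unmount "${2:-}" "${3:-}") || return 0
    "$DISKUTIL" unmount "$vol"
}

# When run as a postflight script, act on the arguments the backup tool passed.
eject_destination "$@"
```

The status check means a failed backup leaves the volume mounted, so treat that as a prompt to investigate and then unmount it by hand.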
You can then eject your destination volume and leave it unmounted. CCC will automatically mount the destination when the backup task is...