Recently Palo Alto Networks reported a "ransomware" threat to Mac users named "KeRanger". After reading their analysis I found myself deeply concerned. Ransomware threats are nothing new, but I realized that this is probably the closest I've felt to the seedy world of cyber terrorism. Up until now all of that seemed to be aimed at governments, defense departments, big corporations... Windows users! Here we are, though, it's at our doorstep, and our neighbors are already victims. I received an email from a CCC customer yesterday that started with:
I happen to be one of the people who got hit with the ransomware hacks.
Yikes! I was not expecting a good outcome here. Thankfully, the rest of the email was:
Luckily I had a CCC of my drive and booted off that, deleted the ransomware files and was fine.
While this threat appears to be mostly contained at the moment, I think everybody should take some time to examine their defenses against this sort of attack. Having a backup is an obvious first step, but there are some additional steps that you can take to protect your backup too.
Protect yourself from ransomware
This particular ransomware attack is fairly clever. It lies dormant for a few days, then starts to encrypt your documents. It targets documents on externally-attached hard drives as well, and (in future developments) may even target Time Machine backups. CCC backups on external disks are vulnerable, as well. We have some suggestions that can help protect your backups from this sort of threat.
Keep your backup disk unmounted as much as possible
KeRanger targets volumes that are currently attached to your Mac and mounted. Physically detaching your backup disk from your Mac is the most effective way to protect that disk from attack, but it makes your backups more laborious, and you're less likely to keep them up to date. You can configure your CCC backup tasks to run a postflight shell script to eject the destination after the task runs:
- Download our "Eject Destination" shell script
- Move the shell script to /Library/Application Support/com.bombich.ccc/Scripts on your startup disk
- Open CCC and select your backup task
- Click the "Use Advanced Settings" button at the bottom of the window
- Click the button to choose a shell script in the "After Task Runs" section and select the eject_destination.sh script
- Save your task
You can then eject your destination volume and leave it unmounted. CCC will automatically mount the destination when the backup task is scheduled to run, then eject the destination when the task is finished. Note that other volumes on the same disk will also be ejected. Ejecting the disk is required to re-lock the device.
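As an added example (not the "Eject Destination" script the post links to), here is a constructed postflight script that does the same job. It assumes CCC's convention of passing the destination path as $2 and the task's exit status as $3, and that ejecting the destination's whole device with `diskutil eject` is enough to relock a FileVault-encrypted volume; the `diskutil info` sample it parses is constructed for offline checks.

```shell
#!/bin/sh
# Constructed postflight script for a CCC task. CCC is assumed to call it as:
#   eject_destination.sh <source> <destination> <exit status> [<image>]
set -u

# Pull one labelled field out of `diskutil info` text, e.g. "Part of Whole" -> disk2.
# $1 = the text printed by `diskutil info`, $2 = the field label.
info_field() {
    printf '%s\n' "$1" | awk -F ': *' -v key="$2" \
        '$1 ~ ("^ *" key "$") { print $2; exit }'
}

# Decide, from the info text alone, which whole disk to eject. Prints the
# device name (e.g. disk2), or fails if the volume is the startup disk or the
# device cannot be determined, so the caller never ejects blindly.
eject_target() {
    mp=$(info_field "$1" "Mount Point")
    whole=$(info_field "$1" "Part of Whole")
    if [ "$mp" = "/" ] || [ -z "$whole" ]; then
        return 1
    fi
    printf '%s\n' "$whole"
}

# Eject the whole device holding the destination path, so sibling volumes on
# the same disk go too and a FileVault-encrypted volume is relocked.
# Assumption: ejecting the volume's "Part of Whole" device suffices; on a
# CoreStorage layout the physical disk may have to be ejected instead.
eject_destination() {
    dev=$(df "$1" | awk 'NR == 2 { print $1 }')   # e.g. /dev/disk2s2
    info=$(diskutil info "$dev") || return 1
    whole=$(eject_target "$info") || {
        echo "refusing to eject: $1 is on the startup disk or an unknown device" >&2
        return 1
    }
    diskutil eject "/dev/$whole"
}

# Constructed sample of `diskutil info` output, used for offline checks.
SAMPLE_INFO='   Device Identifier:        disk2s2
   Device Node:              /dev/disk2s2
   Whole:                    No
   Part of Whole:            disk2
   Volume Name:              CCC Backup
   Mount Point:              /Volumes/CCC Backup
   File System Personality:  Journaled HFS+'

# Only eject when CCC actually ran us and the task succeeded (exit status 0),
# so a failed backup leaves the volume mounted for inspection.
if [ "$#" -ge 3 ] && [ "$3" -eq 0 ]; then
    eject_destination "$2"
fi
```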
Encrypt your backup disk with FileVault
Keeping your backup disk unmounted is sufficient to protect you against the current KeRanger attack, but it may not protect your backup from future attacks. Finding attached-but-not-mounted devices isn't very difficult, nor is it difficult to mount those volumes once you've found them. If the cyberswine figure this out, you'll need an additional layer of protection. FileVault encryption will effectively prevent unauthorized applications from mounting your backup disk. Enabling FileVault protection is easy — boot your Mac from your backup disk, then enable FileVault in the Security Preference Pane of the System Preferences application. If your backup disk is just a data disk, it's even easier to enable FileVault. Simply right-click on the volume's icon in the Finder and choose the option to encrypt it.
After enabling encryption, reselect the backup disk in your CCC backup task (e.g. select some other disk, then reselect the destination). CCC will prompt you for the FileVault password for that volume. Providing the password to CCC is optional, but doing so will allow CCC to unlock and mount the volume automatically. Coupled with automated ejection of the destination at the end of the task, your backup disk will be relocked and kept unmounted whenever it isn't in use.
Be vigilant about requests to unlock your backup volume! If you see a prompt to unlock that volume on startup, click the Cancel button to keep it locked and unmounted. If you see a mount/unlock request any other time that isn't right after starting up your Mac or logging in, be very wary about who's requesting to mount your backup volume!
Keep SafetyNet enabled
CCC's SafetyNet feature protects files on your backup disk. Rather than deleting files on the destination that don't match a file on the source, SafetyNet moves the older versions of modified files, and files that no longer exist on the source, into a folder named "_CCC SafetyNet" at the root of the destination. If you don't realize you've been compromised by ransomware before your backup task runs, CCC will move the older, unencrypted versions of your files into the _CCC SafetyNet folder, where you can easily retrieve them later.
Back up to another Mac
If you have another Mac, you can set up a backup task that backs up to that Mac using CCC's remote Macintosh option. Copying your files to a different Mac will add one more layer of separation between your files and any potentially harmful software running on your Mac.
Don't panic! We're here to help
If you do happen to find your Mac affected by ransomware or any other malady and you have a Carbon Copy Cloner backup, don't hesitate to reach out to us if you're unsure of how to proceed. Right after physically detaching your CCC backup disk from your Mac, submit a request to our Help Desk and we'll help you out as quickly as possible.