Given the recent incident with the first known Mac ransomware, and a problem we had with a customer whose PCs were connected to their Mac server, let’s take a minute to talk about ransomware in general.
Ransomware is somewhat unique among types of malware in that it is not attacking the OS, not trying to install anything, and not trying to hide. It is attacking the user’s actual data files. That means it needs no higher privileges than the user already has. Once run, it merely scans the user’s home directory and any mounted drives (including network shares), then encrypts anything that looks like a data file (.docx, .pdf, .jpg, etc.). It deliberately does NOT disturb the OS or any other files that would prevent the user from using the computer, because a victim who can’t use the machine can’t pay, and getting paid is the entire point.
Given that all the ransomware is doing is accessing files the user normally has access to, then modifying them, it’s not necessarily doing anything “virus-like”. Therefore, the heuristics that modern anti-virus products are so proud of will likely not catch it unless they have a definition for that particular variant of the binary. This is a big problem, since, as recent targeted attacks against several hospitals have proven, anti-virus is NOT catching these things. All it needs is a vector to get in and get running, and the client’s data is toast.
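Because the malware only reads and rewrites files the user is entitled to touch, the signal worth watching is the file activity itself rather than the binary: no legitimate user rewrites dozens of documents in a minute or renames them all to a new extension. The following is an added example (not code from the original post) of that kind of file-server-side heuristic in Python. The audit-log format, the user names, the paths and the thresholds are all constructed for the example; a real deployment would feed it from whatever file-access auditing the server provides.

```python
"""Flag ransomware-like file activity in a file-server access log.

The log format is constructed for this example: one record per line with an
ISO-8601 timestamp, user name, operation (READ/WRITE/RENAME) and path, plus a
fifth field holding the new path for RENAME records.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# File types ransomware goes after: user data, never the OS.
DATA_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".jpeg", ".png", ".txt"}

WINDOW = timedelta(seconds=60)   # sliding window per user (assumed value)
BURST_THRESHOLD = 10             # distinct data files modified within WINDOW
RENAME_THRESHOLD = 5             # extension-changing renames within WINDOW


def parse_line(line):
    """Parse one constructed audit record into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    rec = {"ts": datetime.fromisoformat(parts[0]), "user": parts[1],
           "op": parts[2].upper(), "path": parts[3], "new_path": None}
    if rec["op"] == "RENAME" and len(parts) >= 5:
        rec["new_path"] = parts[4]
    return rec


def ext(path):
    return os.path.splitext(path)[1].lower()


def is_data_file(path):
    return ext(path) in DATA_EXTENSIONS


def changes_extension(rec):
    """True when a data file is renamed so that its extension changes."""
    return (rec["op"] == "RENAME" and rec["new_path"] is not None
            and is_data_file(rec["path"]) and ext(rec["new_path"]) != ext(rec["path"]))


def detect(lines):
    """Return (user, kind, count, ts) alerts; each (user, kind) fires once.

    kind is "burst" (many distinct data files modified in WINDOW) or
    "rename" (many extension-changing renames in WINDOW).
    """
    mods = defaultdict(deque)     # user -> deque of (ts, path) modifications
    renames = defaultdict(deque)  # user -> deque of ts for extension changes
    fired, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        user, ts = rec["user"], rec["ts"]
        if rec["op"] in ("WRITE", "RENAME") and is_data_file(rec["path"]):
            q = mods[user]
            q.append((ts, rec["path"]))
            while q and ts - q[0][0] > WINDOW:   # drop events older than WINDOW
                q.popleft()
            distinct = len({p for _, p in q})
            if distinct >= BURST_THRESHOLD and (user, "burst") not in fired:
                fired.add((user, "burst"))
                alerts.append((user, "burst", distinct, ts))
        if changes_extension(rec):
            q = renames[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and (user, "rename") not in fired:
                fired.add((user, "rename"))
                alerts.append((user, "rename", len(q), ts))
    return alerts


def sample_log():
    """Constructed log: alice edits a few files over an hour; bob's infected PC
    rewrites and renames twelve documents on the share in under 30 seconds."""
    lines = [
        "2016-03-07T09:00:00 alice WRITE /Shares/Finance/budget.xlsx",
        "2016-03-07T09:20:00 alice WRITE /Shares/Finance/notes.txt",
        "2016-03-07T09:45:00 alice RENAME /Shares/Finance/draft.docx /Shares/Finance/final.docx",
    ]
    base = datetime(2016, 3, 7, 10, 15, 0)
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        path = f"/Shares/Finance/report{i}.docx"
        lines.append(f"{ts} bob WRITE {path}")
        lines.append(f"{ts} bob RENAME {path} {path}.encrypted")
    return lines


if __name__ == "__main__":
    for user, kind, count, ts in detect(sample_log()):
        print(f"{ts.isoformat()} ALERT user={user} kind={kind} count={count}")
```

Alice's rename of draft.docx to final.docx keeps the extension and stays under every threshold, so it never fires; bob trips the rename rule on the fifth .docx-to-.encrypted rename and the burst rule on the tenth distinct document. Thresholds like these are tuned per environment, and an alert should drive an automatic disconnect of that user's session before the rest of the share is touched.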
Common infection vectors include all the usual suspects: phishing emails, malvertising, illegal or compromised software downloads (like what happened with a recent version of Transmission), malicious websites, etc. Most of these are mitigated by keeping the OS and browsers up to date, having a good anti-spam/anti-malware solution filtering the email, and using network-wide content filtering to keep users off illegal and/or malicious sites. Still, especially with laptops that come and go from the corporate network, malware, ransomware, and other threats will find a way in.
The sad truth is that there is no way to completely prevent a ransomware outbreak on a network, aside from restricting all machines to a strict whitelist of allowed software, which is impractical in most cases. The only thing you can do is have good backups and be prepared to use them for recovery. Backups on external drives connected to end-user workstations are just as vulnerable as the rest of their files. Time Machine and Carbon Copy Cloner will not help here. Only backups that are offline (as in not directly accessible to the infected host) are safe.
Apple was able to quickly shut down this last Mac-specific malware by revoking Transmission’s code-signing certificate and blacklisting the binary in XProtect.
For the more immediate problem of infected PCs encrypting files on Mac servers to which they’re connected, a local backup on the server should be safe as long as the backup itself is not shared.
In summary, here are our recommendations for handling things right now in mixed Mac/PC networks:
1. Ensure users don’t have access to more shares on the server than they actually need.
2. Ensure servers are only accessed remotely via a VPN solution to prevent exploits that could infect the server itself.
3. All servers should have at least two backups, one of which is offline.
4. Firewalls should be used with intrusion prevention, content filtering and gateway anti-virus to protect against bad user behavior as much as possible.
5. Windows PCs should be professionally monitored and maintained with up-to-date anti-virus software.
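Two of the points above are easy to get wrong on a busy server: the server-local backup is only safe if no share reaches it (the paragraph on infected PCs and Mac servers), and a share exported at a parent folder quietly gives every user the child shares underneath it (recommendation 1). Below is an added example, not code from the original post, of a Python audit for both conditions. The share layout, group membership and per-user needs are constructed; on a real server you would populate them from the sharing and directory-services configuration, and the path comparison is case-insensitive because the default Mac filesystem is.

```python
"""Audit a file server's share layout for two exposures:
  1. a backup target that a client could reach through a share, and
  2. users who can reach shares (directly or via an exported parent folder)
     that their role does not need.
All data below is constructed for the example.
"""
import os

# Constructed "bad" layout: exported share path -> groups granted access.
SHARES = {
    "/Volumes/Data/Finance": {"finance"},
    "/Volumes/Data/Sales": {"sales"},
    "/Volumes/Data": {"staff"},           # parent folder exported by mistake
    "/Volumes/Data/Backups": {"staff"},   # the backup folder is itself shared
}
# Constructed corrected layout: only the two working shares are exported.
SHARES_FIXED = {
    "/Volumes/Data/Finance": {"finance"},
    "/Volumes/Data/Sales": {"sales"},
}
# Constructed group membership and per-user job needs.
GROUPS = {"finance": {"alice"}, "sales": {"bob"}, "staff": {"alice", "bob", "carol"}}
NEEDS = {"alice": {"/Volumes/Data/Finance"}, "bob": {"/Volumes/Data/Sales"}, "carol": set()}


def _norm(path, case_insensitive=True):
    p = os.path.normpath(path)
    return p.lower() if case_insensitive else p


def is_within(child, parent, case_insensitive=True):
    """True if child equals parent or lies anywhere below it."""
    c, p = _norm(child, case_insensitive), _norm(parent, case_insensitive)
    return c == p or c.startswith(p.rstrip(os.sep) + os.sep)


def backup_exposure(backup_dest, shares):
    """Shares through which a client could reach the backup target.

    A share containing the backup folder, or one sitting inside it, both count:
    either way an infected client can write into the backup."""
    return sorted(s for s in shares
                  if is_within(backup_dest, s) or is_within(s, backup_dest))


def effective_shares(user, shares, groups):
    """Shares the user reaches directly, plus any share nested under one of them."""
    direct = {s for s, grps in shares.items()
              if any(user in groups.get(g, ()) for g in grps)}
    reach = set(direct)
    for s in shares:
        if any(is_within(s, d) for d in direct):
            reach.add(s)
    return reach


def excess_access(shares, groups, needs):
    """user -> sorted list of reachable shares beyond what the role needs."""
    report = {}
    for user, needed in needs.items():
        extra = effective_shares(user, shares, groups) - needed
        if extra:
            report[user] = sorted(extra)
    return report


if __name__ == "__main__":
    print("bad layout, backup exposed via:", backup_exposure("/Volumes/Data/Backups", SHARES))
    print("bad layout, excess access:", excess_access(SHARES, GROUPS, NEEDS))
    print("fixed layout, backup exposed via:",
          backup_exposure("/Volumes/Backups/Server", SHARES_FIXED))
    print("fixed layout, excess access:", excess_access(SHARES_FIXED, GROUPS, NEEDS))
```

In the constructed bad layout the backup folder is reachable through two shares, and carol, who needs nothing, can reach all four; moving the backup off the shared tree and dropping the parent-folder export brings both reports to empty.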