Microsoft report highlights Mac ransomware threats and techniques

Microsoft has released new details on Mac ransomware threats, techniques and provided guidance on how to protect networks and systems from ransomware attacks.

Ransomware attacks continue to be a huge and costly threat to victim organizations. Mac-based ransomware threats will likely only increase as Mac operating systems continue to gain in popularity.

According to the 2022 Cost of a Data Breach report by IBM and the Ponemon Institute, ransomware attacks had grown 41% over the previous year, and the average cost of a ransomware attack was $4.54 million.

Palo Alto Unit 42 incident responders also noted last year that ransomware payments, in the cases they worked during the first five months of 2022, approached $1 million, or 70% over the previous year.

Examples of more recent ransomware attacks that have made the news in just the past couple of months include the Agenda, Cuba, and LockBit 3.0 cyber campaigns.

Microsoft ransomware analysis

Microsoft’s analysis highlights various attack techniques where ransomware remains hidden from automated monitoring systems, which makes manual discovery difficult.

According to Microsoft, Mac malware developers “abuse legitimate functionalities and devise various techniques to exploit vulnerabilities, evade defenses, or coerce users to infect their devices.”

Moreover, the report describes some of these techniques through analysis of four Mac ransomware families: KeRanger, FileCoder, MacRansom, and EvilQuest.


First discovered by Palo Alto Networks in March of 2016, KeRanger ransomware was delivered to victims through an infected installer of the Transmission BitTorrent client for OS X.

KeRanger uses AES in cipher block chaining (CBC) mode to encrypt files, and relies on the mbedtls library for its cryptographic functions, including TLS and SSL.


Back in 2014, Kaspersky Lab discovered FileCoder ransomware, a trojan encrypter for Mac OS X. After studying the malware, researchers found an announcement demanding money to restore victims’ encrypted files.

According to Microsoft, FileCoder ransomware uses the ZIP program to encrypt files (in the /Users and /Volumes directories) and appends the ‘.crypt’ extension to encrypted files.

“It removes the original file and changes the timestamp of the newly created file, which also works as an evasion tactic,” Microsoft added.


In June of 2017, Fortinet’s FortiGuard Labs first discovered a new Ransomware-as-a-Service (RaaS) offering, MacRansom, which used a web portal hosted on the Tor network to target systems running Mac OS.

According to Microsoft, MacRansom uses a symmetric algorithm for encrypting files and decrypting its ransom note “.README”.

“The ransom note contains encrypted data which MacRansom decrypts using a hardcoded key. It uses separate keys for encrypting the files and decrypting its ransom note,” Microsoft noted in the post.


EvilQuest, also known as ThiefQuest, targets macOS systems and is used to encrypt files and install keyloggers.

In July 2020, researchers from Trend Micro discovered the malware could be found in pirated versions of macOS, such as those shared in underground forums.

Microsoft observed that EvilQuest uses a custom symmetric key encryption routine to encrypt target files. The malware creates a temporary file with a name in the format “..e” and then checks whether the file has already been encrypted by looking for the marker 0xDDBEBABE.

“After encrypting the content, the malware encodes the file encryption key and appends the keying information to the file along with the marker. It then proceeds to delete the target file and rename the temporary file to the original target file’s name,” Microsoft further explained.

Microsoft also described additional EvilQuest behaviors, such as file infection, keylogging, information stealing, disabling security programs, and in-memory execution.
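The two on-disk indicators described above (FileCoder’s “.crypt” extension and EvilQuest’s 0xDDBEBABE marker appended after the keying information) can be turned into a simple triage scan that responders run over a suspect volume. This is an added example, not code from Microsoft’s report; it assumes the EvilQuest marker occupies the last four bytes of an encrypted file, and since the page does not state the marker’s byte order, it matches both encodings.

```python
import os
import struct
from typing import List, Optional, Tuple

# Marker EvilQuest/ThiefQuest leaves on files it has encrypted (value from the report).
# Byte order on disk is not stated on the page, so both encodings are matched (assumption).
EVILQUEST_MARKER = 0xDDBEBABE
MARKER_BYTES = (struct.pack("<I", EVILQUEST_MARKER), struct.pack(">I", EVILQUEST_MARKER))
# Extension FileCoder appends to the files it zips (from the report).
FILECODER_SUFFIX = ".crypt"


def classify_bytes(name: str, data: bytes) -> Optional[str]:
    """Return an indicator label for one file's name and tail bytes, or None if clean.

    Assumption: the EvilQuest marker sits in the final four bytes of the file,
    after the appended keying information.
    """
    if len(data) >= 4 and data[-4:] in MARKER_BYTES:
        return "evilquest-marker"
    if name.endswith(FILECODER_SUFFIX):
        return "filecoder-extension"
    return None


def scan_tree(root: str, tail_len: int = 4096) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, indicator) for every file that matches.

    Only the tail of each file is read so large volumes triage quickly;
    unreadable files are skipped instead of aborting the scan.
    """
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    fh.seek(0, os.SEEK_END)
                    fh.seek(max(0, fh.tell() - tail_len))
                    tail = fh.read()
            except OSError:
                continue
            label = classify_bytes(fname, tail)
            if label:
                hits.append((path, label))
    return hits


def demo_scan() -> List[Tuple[str, str]]:
    """Constructed sample: three files in a temp dir, one per outcome, then scan it."""
    import tempfile
    tmp = tempfile.mkdtemp()
    samples = {  # constructed contents, not real malware output
        "report.docx": b"ciphertext" + b"\x00" * 16 + MARKER_BYTES[0],
        "photo.jpg.crypt": b"PK\x03\x04constructed-zip",
        "notes.txt": b"plain text, nothing appended",
    }
    for fname, body in samples.items():
        with open(os.path.join(tmp, fname), "wb") as fh:
            fh.write(body)
    return sorted(scan_tree(tmp))


if __name__ == "__main__":
    for path, label in demo_scan():
        print(f"{label:20} {path}")
```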

Ransomware guidance

In addition to describing the ransomware techniques above to help educate users, Microsoft provided solid mitigation guidance to help defend against ransomware attacks, including:

  • Install applications only from trusted sources (such as Apple’s App Store or the Microsoft Store app).
  • Restrict access to privileged resources such as the LaunchDaemons and LaunchAgents folders and the sudoers file through OS X enterprise management solutions.
  • Use web browsers like Microsoft Edge (available on macOS and various platforms) that support Microsoft Defender SmartScreen.
  • Run the most current version of operating systems and applications.
  • Deploy the latest security updates as soon as they become available.
  • Use Microsoft Defender for Endpoint on Mac, which detects, stops, and quarantines malware threats.
