Can ransomware hijack Mac backups? Yes, but…


Mac users have so far avoided the scourge of ransomware sweeping the Windows world, where it’s the fastest-growing category of malware due to its simplicity: it encrypts your documents after gaining a foothold to run, and doesn’t have to mess with system-level stuff at all. Reader Dave has a concern related to backups though, after reading my recent article about the best hosted backup services for encrypted protection:

If I am primarily worried about ransomware on my Mac, which of those backup services do you recommend? If I buy my own backup device, I understand that it can also be taken over by the same ransomware. True?

This is a really terrific question, since ransomware can run quietly over a period of time, or execute while you’re sleeping, leading to encrypted files winding up in your backup set, whether on a remote, cloud-based backup system or with Time Capsule or clones.

Since ransomware has only appeared on Macs in small amounts, probably entirely through Trojan horses inserted into subverted software downloads, it’s speculative to know exactly how a widespread attack would operate. But the answer will likely vary by backup type.

  • For cloud-hosted backups, new files don’t overwrite old ones, unless you’ve configured settings very strangely. These services keep archived versions of files (and retain some deleted files) while adding new ones. You should be able to figure out the point in time at which the ransomware attacked and retrieve a snapshot from before that period. For that to change, the ransomware would have to be able to access your archives and delete them, which would typically require manipulating the backup client software. It’s unlikely to ever happen, as it’s too complicated and intricate. This would be the safest way to checkpoint files over time.
  • With Time Machine backups through a directly connected or network-mounted drive, including a Time Capsule, your files should also remain intact. However, ransomware designed specifically for macOS could try to take out Time Machine backups by deleting, encrypting, or corrupting them, so it’s impossible to be quite as secure.
  • Clones, or exact copies of a drive, are susceptible to ransomware encryption so long as, and whenever, they are connected to an infected computer. Having a couple of clones to rotate through could help reduce the chance of a clone being similarly encrypted.
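The cloud-hosted case above rests on two properties: the backup store is append-only, so encrypted files land beside the older versions rather than replacing them, and you can pinpoint the run in which the damage first shows up and restore the snapshot just before it. The following is an added illustration written for this column, not code from any backup service: it models an append-only, versioned store with a constructed five-run history (three normal runs, then ransomware that replaces each document with a `.locked` ciphertext and removes the original), finds the first run where several new or changed files are high-entropy (a simple entropy heuristic, assumed here as one workable signal), and rebuilds the last clean snapshot. The sample files and the seeded stand-in "ciphertext" are constructed.

```python
import math
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Version:
    ts: int                    # backup run number (constructed "day" counter)
    content: Optional[bytes]   # None marks a deletion tombstone


class VersionedBackup:
    """Append-only store: every run adds versions, nothing is overwritten."""

    def __init__(self) -> None:
        self.history: Dict[str, List[Version]] = {}
        self.runs: List[int] = []

    def backup(self, ts: int, files: Dict[str, bytes]) -> None:
        self.runs.append(ts)
        for path, content in files.items():
            versions = self.history.setdefault(path, [])
            if not versions or versions[-1].content != content:
                versions.append(Version(ts, content))
        # Files missing from this run are recorded as deleted, not erased from history.
        for path, versions in self.history.items():
            if path not in files and versions[-1].content is not None:
                versions.append(Version(ts, None))

    def snapshot(self, ts: int) -> Dict[str, bytes]:
        """Reconstruct the file set exactly as it stood after run `ts`."""
        out: Dict[str, bytes] = {}
        for path, versions in self.history.items():
            prior = [v for v in versions if v.ts <= ts]
            if prior and prior[-1].content is not None:
                out[path] = prior[-1].content
        return out


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4 to 5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_encryption_run(store: VersionedBackup, threshold: float = 7.0,
                        min_files: int = 3) -> Optional[int]:
    """Earliest run in which at least `min_files` new-or-changed files are high-entropy.
    Comparing whole snapshots catches in-place overwrites and rename-then-delete alike."""
    prev: Dict[str, bytes] = {}
    for ts in store.runs:
        cur = store.snapshot(ts)
        suspicious = sum(1 for path, content in cur.items()
                         if prev.get(path) != content and shannon_entropy(content) >= threshold)
        if suspicious >= min_files:
            return ts
        prev = cur
    return None


def last_clean_run(store: VersionedBackup, bad_ts: int) -> Optional[int]:
    """The run immediately before the one in which encryption first appeared."""
    earlier = [ts for ts in store.runs if ts < bad_ts]
    return earlier[-1] if earlier else None


def build_scenario() -> VersionedBackup:
    """Constructed sample history: three normal runs, then ransomware on run 4."""
    rng = random.Random(2024)  # fixed seed keeps the stand-in ciphertext deterministic

    def ciphertext(n: int = 1024) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    docs = {
        "Documents/report.docx": b"Quarterly report: revenue up 4 percent; tables attached." * 4,
        "Documents/notes.txt": b"Call the vendor on Monday about the renewal quote." * 4,
        "Pictures/captions.txt": b"Itinerary: flight 9am, hotel check-in 3pm, dinner 7pm." * 4,
        "Desktop/todo.txt": b"Backups: rotate the second clone, verify Time Machine." * 4,
    }
    store = VersionedBackup()
    store.backup(1, dict(docs))
    docs["Documents/report.docx"] = b"Quarterly report (rev 2): revenue up 5 percent." * 4
    store.backup(2, dict(docs))
    store.backup(3, dict(docs))  # nothing changed this run
    # Run 4: every document replaced by a '.locked' ciphertext, the original removed.
    locked = {path + ".locked": ciphertext() for path in docs}
    store.backup(4, locked)
    store.backup(5, locked)
    return store


if __name__ == "__main__":
    store = build_scenario()
    bad = find_encryption_run(store)
    clean = last_clean_run(store, bad) if bad is not None else None
    print(f"encryption first seen in run {bad}; restore from run {clean}")
    print(sorted(store.snapshot(clean)))
```

The point the model makes is that the tombstones and `.locked` versions added in run 4 never touch the versions recorded in runs 1 to 3, so `snapshot(3)` still returns the revised report and the other documents intact. The same logic is why a clone is different: a clone is a single current copy with no history, so once it has been overwritten while connected there is no earlier run to go back to.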

Ask Mac 911

We’ve compiled a list of the questions we get asked most frequently along with answers and links to columns: read our super FAQ to see if your question is covered. If not, we’re always looking for new problems to solve! Email yours to [email protected] including screen captures as appropriate. Mac 911 can’t reply to—nor publish an answer to—every question, and we don’t provide direct troubleshooting advice.