What to do when ransomware strikes your Mac

“When ransomeware strikes, it’s hard not to panic,” Glenn Fleishman writes for Macworld. “A ransomeware attack may cause your Mac to shut down and then restart into a lock screen. A message appears, demanding ransom to provide a six-digit unlock code, which can’t be bypassed. This can occur even with two-factor authentication enabled.”

“Crackers appear to be making use of passwords from other sites that have had password breaches in the past—and iCloud accountholders re-use those passwords with their iCloud account,” Fleishman writes. “With Find My Mac enabled and your password, a criminal can log into iCloud.com and use Find My Mac (even without confirming with a second factor) to put your Mac into Lock mode with a six-digit code they create. Lock mode restarts a Mac into Recovery and locks out a normal boot.”

Fleishman writes, “I recommend the following.”

Read more in the full article here.

MacDailyNews Take: Do not pay the ransom. Use unique passwords for evert site and service. Don’t reuse passwords!


  1. This is why I do not use the Apple Keychain for everything. If they get your Apple Keychain you are toast way beyond the ransom.

    Passwords for Banking, Investment, Professional websites, Medical, etc are not on the Apple Keychain. You do not put all of your eggs in one basket. and that goes double if you do everything online.

    Keep a backup of your boot drive and files and keep it disconnected from your Mac between backups. An inexpensive USB 3 enclosure and an SSD can be used to create a highly portable backup and recovery for your primary disc.

    I keep a Mac mini as a backup in case my primary dies and plugging in a backed up drive means you can recover from a hardware failure or a Ransomware attack quickly.

  2. NOTE: Glenn Fleishman is NOT talking about ransomeware at all. I’m a bit miffed that he didn’t make the distinction. No malware is involved in what he discusses here.

    As Glenn describes, what’s going on is an ID and password takeover of your Apple account. AKA PWNing. Once a black hat has your ID and password and logs into your Apple account, they can lock up your Apple devices and PRETEND to have ransomed your device in lieu of payment. They’re lying to you.

    Since NO MALWARE, NO RANSOMWARE is involved, you can take your Apple device to any Apple Store and have them UNLOCK IT for you. That’s all it takes. No payment to the black hat is required. No anti-malware software is required.

    If the above is not clear, please reply and I’ll dig up some articles with better descriptions of this situation than mine (or Glenn’s).

    1. And yes, in early 2017 there was real, actual ransomware for Macs called Findzip, aka FileCoder, aka KeRanger, aka Patcher. (The various names are the result of competing anti-malware companies being uncooperative). This malware has been rendered inert by Apple’s XProtect anti-malware system in recent versions of macOS.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.