MacRansom: Ransomware for macOS found on the Darknet

Ransomware for macOS or OS X on the Apple Mac, iMac, and MacBook is not very common, but it is not impossible either. Malware that blocks files or even the entire hard drive in order to extort bitcoins for their release can be ordered on the Darknet; such an offer is called Ransomware-as-a-Service (RaaS). Fortinet, a company founded in 2000 that offers digital security solutions, has analyzed MacRansomware, a Ransomware-as-a-Service offering for macOS and OS X aimed at would-be hackers.

By the way: further down, this article also covers MacSpy, spy software for the Mac.

The features of MacRansom as advertised on the Darknet. MacRansom is a current ransomware for macOS that can encrypt files on the Apple Mac, MacBook or iMac. (Source:

What is ransomware and how does it get onto the Apple Mac?

In a nutshell, ransomware is software that blocks a computer's hard drive or encrypts it completely. The user then no longer has access and is shown a message demanding a ransom for the release of the data. Usually a fairly high amount in bitcoins is demanded. Ransomware usually arrives by email, on USB sticks or the like. You can find a detailed article on the subject here: Data backup: backup copy as protection against ransomware.

MacRansom as malware for macOS

MacRansomware is not the first ransomware to hit Apple computers. About a year ago, for example, this blog already covered KeyRanger, a similar piece of hacker software for OS X. As Fortinet points out in its analysis of the current case, the software now circulating also builds on earlier code such as that of KeyRanger, even if it is touted as new and as the “best Mac ransomware” on the corresponding Darknet portal. Incidentally, ransomware for Mac systems is released so rarely because around 91.64% of privately used computers still run Windows.

Summary of the analysis by Fortinet

Fortinet shows a lot of ambition in its analysis of the ransomware MacRansom and sets out the e-mail traffic with the programmer / provider, details about the sender taken from the mails, program code, explanations of individual lines of code, and so on. If you are interested in this, follow the link at the beginning of this paragraph. Here I want to give you a brief overview of the findings:

  • MacRansom is offered on the Darknet; the provider must be contacted by email to receive the malware
  • According to Fortinet, the ransomware encrypts 128 files, but it can change their time stamps, which can make unauthorized restoration more difficult
  • The software only becomes active if the affected user consents to the execution of the program
  • It is displayed as a program from an unverified developer, which should give you pause in the event of an attack
  • The attack can take place with a delay, so the program may have secretly lodged itself on the system beforehand
  • The extortionists demand 0.25 bitcoins within 7 days, because after that they delete the decryption code

After MacRansom has run, the ransom note with contact details and a demand for 0.25 Bitcoins is displayed on the affected Mac. (Source:

How much are 0.25 bitcoins?

A small digression into the digital financial world: Bitcoin is not a very stable currency. The price tends to fluctuate a lot, which makes the value of the ransom very variable in the case of ransomware. In March 2017, the value of 1 Bitcoin was under €1,000; in June the peak so far was over €2,500. We are currently talking about €525 for 0.25 Bitcoin.

Bitcoin price over the last 3 months, as of mid-June 2017. (Source:

How do you protect yourself against ransomware?

If your Apple Mac, iMac or MacBook asks for permission before an unknown program is executed, you are in good shape; with ransomware on Windows this is not so often the case. On an Apple computer you should only run programs whose origin you can identify. In addition, you should always keep the operating system on your computer up to date. Antivirus software can't hurt either, and a regular backup, either on an external hard drive or in the cloud, ensures that your important data is still accessible even if the local copies are encrypted.
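Because the ransomware can change file time stamps, a backup check that trusts size and modification time can miss an overwritten file. As an added example (not from the original article or from Fortinet's analysis), this Python script compares a content-hash manifest instead; the file names and the byte-flipping stand-in for encryption are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's relative path to the SHA-256 of its content."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest

def compare(baseline, current):
    """Return (changed, missing, added); timestamps are never consulted."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return changed, missing, added

def demo():
    """Constructed case: content replaced, size and mtime left looking untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        report = root / "docs" / "report.txt"   # constructed sample files
        notes = root / "notes.txt"
        original = b"quarterly figures\n"
        report.write_bytes(original)
        notes.write_bytes(b"shopping list\n")
        baseline = build_manifest(root)         # taken while the data is known good
        before = report.stat()
        # Stand-in for encryption: same length, different bytes, old timestamps restored.
        report.write_bytes(bytes(b ^ 0xFF for b in original))
        os.utime(report, ns=(before.st_atime_ns, before.st_mtime_ns))
        after = report.stat()
        quick_check_same = (after.st_size == before.st_size
                            and after.st_mtime_ns == before.st_mtime_ns)
        return quick_check_same, compare(baseline, build_manifest(root))

if __name__ == "__main__":
    same, (changed, missing, added) = demo()
    print("size+mtime check sees no change:", same)
    print("hash manifest reports changed:", changed, "missing:", missing, "added:", added)
```

Keep the baseline manifest together with the backup, not on the machine it describes.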

MacSpy as Malware as a Service

In addition to the ransomware MacRansom, the same platform on the Darknet also offers spy software as Malware-as-a-Service (MaaS). The digital spy is called MacSpy; it is said to take up less than 30 MB and is therefore relatively “invisible”. Because it runs through the Tor proxy browser, its operation is also said to be untraceable.

The features:

  • A screenshot of the screen(s) can be taken every 30 seconds
  • Keyboard usage can be recorded
  • Photos from the iPhone are pulled from the iCloud synchronization
  • The clipboard can be read out
  • And many more functions


Additional features against Bitcoin payment

But these are only the features of the free version. According to AlienVault.com, where you can find an extensive analysis of MacSpy, a more extensive version can be obtained for an unknown amount of Bitcoins. The "Advanced Features" of MacSpy include:

  • Own definition of recording intervals
  • Query all data and files on the Mac
  • Encryption of the entire user content in a few seconds
  • Hide MacSpy in pictures and other formats
  • ZIP creation of all data collected over a day
  • Updates to the program
  • Access to emails and social media accounts of the affected Mac user


What is the danger of MacSpy?

According to AlienVault's analysis, which is just as extensive and informative as Fortinet's MacRansomware analysis, MacSpy works. The affected Mac is read out as described, and the data can be retrieved via a command-and-control server (CnC). So the program poses a risk of total espionage.

The analysis gives no indication that an Apple computer running OS X or macOS displays any notice about the program. MacSpy is therefore to be viewed more critically than MacRansom. If you want to know whether you are affected or how you can get rid of the malware, take a look at AlienVault.


Even if Apple Macs currently only have a market share of around 6.34% in the private sector, this share is increasing. That makes OS X and macOS more and more attractive to hackers and other cyber criminals. You can protect yourself with regular updates of the OS, an antivirus program, backups and a bit of caution. Good luck with it!
