Backup paranoia

By now, you’ve probably read about the KeRanger ransomware. Ransomware is not a new idea, but this is the first time it’s come to the Mac. It if works as described, it’s a nasty piece of work. And if you read the same articles as me, you saw comments like If you don’t have backups, you deserve what you get.1

It’s important to keep good backups, but they’re not foolproof. In this case, I’m not sure backups would always save you.

Claud Xiao and Jin Chen, two security researchers, have worked out what the malware does:

After connecting to the C2 server and retrieving an encryption key, the executable will traverse the “/Users” and “/Volumes” directories, encrypt all files under “/Users”, and encrypt all files under “/Volumes” which have certain file extensions.

The “/Volumes” directory is where OS X mounts disks (both external and internal). It includes “Macintosh HD” and any external drives you have mounted. If your backup drives were mounted when the ransomware got to work, they’d be no help at all.

My backup regime has extra steps that I always thought were paranoid, but now I’m not so sure. Here are a few of my suggestions:

Nothing is watertight – you could do everything above, and just get unlucky. Data loss happens to the best of us.

But what these suggestions get you is extra time when you have problems. When you’re in a rush, you can panic and make mistakes. In a crisis, having time to breathe and think is invaluable.


  1. This was mixed with the idea that BitTorrent is only used for piracy, which means your computer is fair game for malware authors. I’m not interested in that discussion (at least not today). ↩︎