Ransomware Attacks on macOS and Other Apple Devices: A Growing Threat

For years, Apple devices—macOS, iPhones, and iPads—were largely seen as immune to the kinds of cybersecurity threats that plagued Windows PCs. Apple’s focus on security, its closed ecosystem, and the relative scarcity of malware targeting macOS led many users to believe their devices were impervious to the dangers of ransomware and other cyberattacks.

In recent years it has become evident that Apple devices, once presumed to be secure, are not immune from cyberthreats. A surge in ransomware attacks targeting macOS and other Apple devices has loyal Apple fans rethinking their cyber defenses. In this article, we will explore the rise of these attacks and discuss why Apple’s reputation for being cyber-safe is increasingly questioned. We’ll also take a look at some of the most notable ransomware incidents that have impacted Apple users.

Apple’s commitment to privacy and security has always been a cornerstone of its brand. Unlike the open-source nature of Windows, macOS has been a closed system with strict app vetting, regular security patches, and a focus on user privacy. These factors created the belief that macOS was largely immune to the types of threats that plagued other operating systems. Moreover, Apple’s App Store and rigorous review process were seen as significant barriers to malware, creating a false sense of security among users.

Historically, Apple’s tight control over its hardware and software meant that fewer attackers targeted macOS compared to other operating systems. In contrast, Windows PCs, which held the largest market share, became primary targets for malware developers. The fact that macOS had a smaller user base was another reason why cybercriminals were less inclined to target it.

For years, macOS users could feel confident that their devices were less likely to be exposed to the same threats that frequently affected Windows and Android devices.

In recent years, however, this perception of invulnerability has started to unravel. Several key factors have contributed to the rise of ransomware and other malware attacks on Apple devices:

1. Increasing Popularity of Apple Devices: Apple’s growing market share has made macOS a more attractive target for cybercriminals. As more people use Apple devices for personal and business purposes, the potential payoff for attackers increases, making the platform more appealing.
2. Evolving Ransomware Tactics: Cybercriminals are continually evolving their methods, and some have turned their focus toward macOS. Ransomware, in particular, has become more sophisticated and attackers are using increasingly advanced techniques to exploit vulnerabilities in macOS, including targeting flaws that were once considered rare.
3. Cross-Platform Threats: Many ransomware attacks are no longer platform-specific. Cybercriminals use cross-platform malware that can affect multiple operating systems, including Windows, macOS, and even mobile platforms like iOS. This shift means that users of Apple devices are no longer immune from threats that are also affecting Windows users.
4. Exploiting macOS Weaknesses: Although macOS has built-in security features like Gatekeeper, XProtect, and System Integrity Protection (SIP), they are not infallible. Attackers have found ways to bypass these protections, especially when users fall victim to social engineering tactics, like phishing attacks or malicious software disguised as legitimate applications.
5. Rising Number of Apple-targeted Cyberattacks: In the past, most malware targeted Windows-based systems, but now a growing number of cybercriminals are adapting their techniques to target macOS users. The rise in macOS-specific malware and ransomware attacks is undeniable.

Several high-profile ransomware incidents involving Apple devices have occurred in recent years, signalling the growing threat to macOS and iOS users.

1. EvilQuest (2020): One of the first notable ransomware attacks to target macOS was EvilQuest, which appeared in mid-2020. The malware was distributed through infected torrents and cracked software. Once installed, it encrypted files on the victim’s Mac, demanding a ransom payment in exchange for a decryption key. What made EvilQuest unique was that it also exfiltrated sensitive information, which could be used for future attacks. Although EvilQuest was caught early and removed, it demonstrated that cybercriminals were actively targeting macOS users.
2. MacRansom (2017): A lesser known but significant attack was MacRansom, a form of ransomware that encrypted files on Mac devices and displayed a ransom note demanding payment in Bitcoin. It was one of the first major indications that ransomware attacks could affect macOS users. Although it did not spread as widely as Windows-based ransomware, it highlighted the vulnerabilities in macOS.
3. Reveton Ransomware (2013): Although not exclusive to macOS, the Reveton ransomware was one of the first incidents to raise concerns about ransomware across multiple platforms. While it mainly targeted Windows PCs, there were reports of a variant that affected Macs as well. Reveton would lock users out of their devices and display a message claiming that the victim’s computer had been involved in illegal activity. The victim was then pressured to pay a fine to regain access to their files.
4. Cerber Ransomware (2016): Cerber was another ransomware strain that has evolved to target multiple platforms, including macOS. In its early days, Cerber was primarily a Windows-targeted ransomware, but variants were developed that could affect macOS users. The ransomware encrypted files and demanded a ransom payment to decrypt them.
5. NotLockBit (2024): Recently, NotLockBit emerged as a ransomware variant specifically targeting macOS systems. As the name suggests, it shares similarities with the notorious LockBit ransomware family but is adapted to exploit macOS vulnerabilities. NotLockBit has been making headlines due to its ability to circumvent traditional macOS security features like Gatekeeper and even targets the unique hardware security of Apple’s M1 and M2 chips. This is a significant evolution in ransomware tactics, as cybercriminals have increasingly focused on attacking the security models of Apple’s latest hardware.
6. FrigidStealer (2024): Another new malware that has been identified as a threat to macOS devices is FrigidStealer. This is a credential-stealing malware that targets Apple users by hijacking login information and session cookies from various applications and web browsers. FrigidStealer has been found to exploit vulnerabilities in both macOS and certain apps that do not adhere to strict security protocols. Although it doesn’t encrypt files like traditional ransomware, it poses a severe threat to users by stealing sensitive information, which could later be used to launch more damaging attacks, including ransomware.

While Apple has always been proactive in releasing security updates and patches for its devices, the growing threat of ransomware poses a significant challenge. Here are a few reasons why Apple faces difficulties in addressing ransomware on macOS and iOS:

1. Complexity of the Security Ecosystem: macOS is a complex system with many layers of security, including hardware, firmware, and software protections. Maintaining and updating this ecosystem to protect against increasingly sophisticated threats is no small task.
2. User Behavior: One of the biggest challenges for Apple is the behavior of its users. Many ransomware attacks are successful because victims fall for phishing emails or download malicious files from untrusted sources. Educating users on how to avoid such attacks is crucial for reducing the effectiveness of ransomware campaigns.
3. Third-Party Software: A significant number of ransomware infections stem from third-party applications, particularly those downloaded outside of the Mac App Store. Apple’s App Store vetting process is strict, but the lack of control over third-party apps downloaded elsewhere increases the risk of infection.
4. Jailbreaking and Unrestricted Software: Some advanced users “jailbreak” their iPhones or install unverified software on their macOS devices. This opens the door for malicious software to bypass Apple’s security restrictions and install ransomware. Although Apple has strong measures in place to prevent jailbreaking, it remains a significant risk for those who bypass these safeguards.

Apple devices, once considered the gold standard for cybersecurity, are increasingly targeted by ransomware and other types of malware. As the popularity of macOS and iOS continues to rise, so does the incentive for cybercriminals to exploit vulnerabilities in Apple’s software and hardware. Ransomware attacks like EvilQuest and MacRansom are just the beginning, as attackers continue to adapt their tactics to target Apple’s ecosystem.

The emergence of new threats like NotLockBit and FrigidStealer proves that even the latest Apple devices are not immune to sophisticated attacks. Although Apple has responded with more robust security features and patches, the reality is that no system is entirely invulnerable to attack. Users must remain vigilant, avoid downloading software from untrusted sources, and regularly back up their data to minimize the impact of ransomware.

As the cybersecurity landscape continues to evolve, Apple will undoubtedly face new challenges, but with awareness and proactive cybersecurity measures, users and organizations can protect themselves from these ever-growing threats. The emergence of AI has allowed attackers to target victims with unprecedented success. This is only going to accelerate.

BlackFog has recently launched its next-generation cybersecurity protection platform for MacOS. Expanding its robust protection for Windows, Android, and ChromeOS, the new macOS edition provides comprehensive threat coverage for all Apple devices running macOS Ventura or later. To find out more read our full press release.