Remove MacRansom Ransomware
MacRansom is a malicious program classified as ransomware. Its authors market it as RaaS (Ransomware as a Service), and the service has been active for a few years now, so any malicious actor can buy it from its Tor-based website.
After purchasing the program, the buyer still needs physical access to the target system to deploy it from a USB drive, or has to send a malicious email that drops MacRansom onto the system when its attachment is opened. The program can be set to trigger at a specified date and time, or to execute automatically when the USB drive it sits on is plugged in.
Once the trigger time is reached, MacRansom begins scanning for files larger than 8 bytes. It uses a symmetric algorithm to encrypt the files.
In recent cases, victims are asked to pay a ransom of 0.25 BTC (approx. $2,860) to recover their files.
Read this post to learn all about MacRansom and the best way to remove it.
Type: Mac malware, Ransomware
Summary: MacRansom is a ransomware threat that targets Mac users with the aim of encrypting their files and demanding a ransom to free them.
Distribution: infected USB drives, spam email attachments
Symptoms: encrypted files, ransom note
A ransomware infection gives no guarantee that the files can be recovered. The best course of action is therefore to remove MacRansom and any other infections present; security experts recommend using a reliable anti-malware tool. Our experts recommend ComboCleaner.
How Does MacRansom Get Inside the Mac?
The authors of MacRansom do not sell it openly on dark web marketplaces. Instead, the program is made available to criminals on demand only. As mentioned above, it is offered through a website hosted on Tor.
Once the bad actors get hold of it, they need to deploy the malware on the target Mac. This is done either by plugging a USB drive into the device or by sending a spam email attachment. However, the buyer has to pay an additional fee to have it distributed via phishing.
How Does MacRansom Affect the Mac?
Once MacRansom is installed on the Mac, it either waits for a predefined trigger time to launch or self-executes when the malware-laden USB drive is plugged in. Before doing anything else, the threat checks that it is not running under a debugger.
If these conditions are met, the malware creates a launch point that imitates a legitimate macOS file, such as ~/Library/LaunchAgents/com.apple.finder.plist.
It then waits for the trigger time. Once that time is reached, MacRansom scans the system's folders and directories to locate files larger than 8 bytes and begins the encryption process.
Like any other ransomware threat, it also creates a ransom note to inform the user about the encryption.
The Ransom Note
The text within the ransom note appears as:
“All your files are encrypted. A am the only person in the world with the key that can unlock them. If you need proof, zip 3 of the encrypted files then email it to email@example.com and the serial number of your device.
If you want to buy our decryption software, transfer 0.25 Bitcoin to [random_characters] within 7 days. Your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after [random_characters].”
Security researchers have found several flaws in the ransomware:
- The malware is only capable of encrypting 128 files;
- It does not use a command & control server to communicate with its authors, which means that the encryption key is hidden on the system itself;
- As a result, there is no point in sending the 3 zipped files to the email address above.
Experts therefore never advise paying the ransom. Instead, keep a copy of the encrypted files along with the ransom note safely on a USB drive, in case researchers later break the encryption algorithm and make a decryption key available.
So you should quickly remove the MacRansom threat using a reliable anti-malware program, then restore the files from backups or with a recovery tool.
How to Remove MacRansom From Mac (Guide)
This is a complete manual removal guide for Mac users. It consists of step-by-step removal of unwanted programs such as adware, browser hijackers, redirects, Trojans and other malware. Manual removal may take several minutes, so be patient and follow the steps carefully. If you are in a hurry, we suggest going for the automatic removal solution.
To remove MacRansom from Mac OS, follow these steps:
STEP 1: Remove Unknown Profiles Created by MacRansom Program From Mac OS
Profiles are a utility that allows businesses or organizations to control the actions and behavior of a Mac. Any profile created by an admin prevents users from changing those settings. Adware distributors design their programs to create such a profile, which then prevents the user from uninstalling the adware or other malware.
So we first need to find out whether any malicious profile has been created on the Mac. If so, you have to remove it.
Please follow these steps:
- Select System Preferences from the Apple menu;
- Within the System Preferences window, find the “Profiles” icon. (If you can't find the Profiles icon, no profiles have been created.)
- When the “Profiles” window opens, look for unknown profiles. To remove the fake MacRansom profile, select it and click the – (minus) button.
- Repeat to remove all unknown profiles.
STEP 2: Uninstall MacRansom/Malicious Apps From Mac OS
In this step, you need to locate the MacRansom application or any unknown programs you did not install yourself. Remove all such apps from your system.
- Open the “Finder” application from your Dock;
- In the left pane of the Finder, click “Applications”;
- The Applications window lists all apps installed on your Mac. Scroll through it to locate MacRansom or other suspicious apps.
- To remove MacRansom, right-click it and then click “Move to Trash”. (Repeat until all such apps are removed.)
- Now empty the Trash, since programs can sometimes restore themselves from it. On your Dock, right-click the Trash icon and select “Empty Trash”.
STEP 3: Remove MacRansom Daemons And Agents From Mac’s Startup
- From the top menu on the Desktop, choose Go → Go to Folder;
- Within the “Go to Folder” pop-up window, enter the following paths one by one and look for MacRansom-related .plist files. This locates the malicious files created by the app:
- /Library/Application Support
- ~/Library/Application Support/com.MacRansom/MacRansom
- ~/Library/Application Support/com.MacRansomDaemon/MacRansom
- ~/Library/LaunchDaemons
- /Library/LaunchAgents
For instance, if the malicious program is named MacRansom, you may see ~/Library/LaunchDaemons/com.MacRansom.plist or /Library/LaunchAgents/com.MacRansom.plist in these locations. You will see many files with the “.plist” extension; scroll through them and find the ones that look suspicious.
- To remove a launch agent or daemon created by MacRansom, right-click it and choose “Move to Trash”.
NOTE: Do not forget to empty the trash.
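To check a launch-agent folder more systematically than scrolling through Finder, the following shell script (an added example, not part of this guide or of any tool it mentions) lists every .plist in a directory together with its Label and program path, and flags labels that imitate Apple, the disguise described above for ~/Library/LaunchAgents/com.apple.finder.plist. Apple does not install its own agents into the per-user ~/Library/LaunchAgents folder, so a com.apple.* label there is worth inspecting. The directory path is passed as an argument; the sample property lists the script creates, including the /Users/Shared/.placeholder/launcher program path, are constructed for the demonstration and are not real MacRansom artifacts. Only XML-format plists are parsed; on macOS, convert a binary plist first with plutil -convert xml1.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a LaunchAgents folder for
# property lists whose Label imitates Apple. MacRansom persists as
# ~/Library/LaunchAgents/com.apple.finder.plist; Apple does not install agents
# into the per-user ~/Library/LaunchAgents, so a com.apple.* label there is
# worth a closer look. Only XML plists are parsed; on macOS convert a binary
# plist first with: plutil -convert xml1 <file>

# Print the <string> that follows <key>KEY</key> in an XML plist (first match).
# $1 = key name, $2 = plist file
plist_string() {
    sed -n "/<key>$1<\/key>/{n;s/.*<string>\\(.*\\)<\\/string>.*/\\1/p;}" "$2" | head -n 1
}

# Print one line per plist: verdict, file, label and program.
# Usage: audit_launch_agents ~/Library/LaunchAgents
audit_launch_agents() {
    dir="$1"
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        label=$(plist_string Label "$f")
        program=$(plist_string Program "$f")
        # ProgramArguments is an <array>; fall back to its first <string>.
        [ -n "$program" ] || program=$(sed -n '/<key>ProgramArguments<\/key>/,/<\/array>/{s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$f" | head -n 1)
        case "$label" in
            com.apple.*) verdict=SUSPECT ;;   # Apple-looking label in a user folder
            *)           verdict=ok ;;
        esac
        printf '%s\t%s\tlabel=%s\tprogram=%s\n' "$verdict" "$f" "$label" "$program"
    done
}

# Number of flagged entries in a directory.
count_suspects() {
    audit_launch_agents "$1" | grep -c '^SUSPECT'
}

# Constructed sample data so the audit can be exercised without a real Mac.
# Prints the temporary directory it created.
make_sample_agents() {
    dir=$(mktemp -d)
    # Benign agent from a hypothetical vendor (constructed).
    cat > "$dir/com.example.backup.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.example.backup</string>
    <key>Program</key>
    <string>/Applications/ExampleBackup.app/Contents/MacOS/agent</string>
</dict>
</plist>
EOF
    # Apple-looking label pointing at a placeholder binary (constructed path,
    # not a real MacRansom artifact).
    cat > "$dir/com.apple.finder.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.finder</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/Shared/.placeholder/launcher</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    echo "$dir"
}

# Stand-alone demo on the constructed samples.
sample_dir=$(make_sample_agents)
audit_launch_agents "$sample_dir"
rm -rf "$sample_dir"
```

On a real Mac, run audit_launch_agents ~/Library/LaunchAgents, then the same for /Library/LaunchAgents and /Library/LaunchDaemons. The script only reports; it deletes nothing, so the decision to move a flagged file to the Trash stays with you, and a suspect label is a prompt to look at the program path, not proof of infection.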
STEP 4: Use ComboCleaner Scan To Remove MacRansom
Combo Cleaner is a complete security suite for Mac OS developed by the company “RCS LT”. It features an anti-virus scanner and system optimization tools such as a disk cleaner, duplicate file finder, application uninstaller and privacy scanner, and comes with 24/7 customer support.
How to Install and Scan with Combo Cleaner
1. Download the “Combo Cleaner” installer;
2. Once the download completes, double-click the downloaded file;
3. When the window opens, drag the Combo Cleaner icon and drop it onto the “Applications” folder icon.
4. Now open “Launchpad” and click the “Combo Cleaner” icon.
5. This starts the Combo Cleaner installation and updates its virus definitions to the latest version. Once done, Combo Cleaner will launch;
6. Click the “Antivirus” tab and choose a scan option: Quick, Full or Custom. (Full is recommended for the first scan.)
7. Let the scan complete; it will list all the threats found. Now click “Remove All Threats”;
8. After removing the threats, click “Uninstaller” to find and remove any unwanted programs. Select the program from the list along with its related files, then click “Remove Selected Items”.
STEP 5: Remove MacRansom From Safari, Chrome, And Firefox Web Browsers (Optional)
To remove MacRansom extensions and homepage redirects from the Safari browser, follow these steps:
- In Safari, click the “Safari” menu and select “Preferences”.
- On the “General” tab of Safari's preferences, check whether a MacRansom URL has been set as the default homepage. In the “Homepage” field, enter your preferred URL as the browser's start page.
- Next, check for malicious extensions by clicking the “Extensions” tab in the same window.
- The “Extensions” screen lists all extensions installed in Safari. Browse through the list and uninstall the MacRansom or adware extension: select it and click “Uninstall”. Repeat to remove all unwanted extensions.
Delete Safari’s preferences file to reset the default settings
Even after performing the above steps, some malicious programs may reappear. This happens because adware and browser hijackers create new files within the preferences, which lets them replace the homepage and search engine URLs each time the user launches Safari.
To do this, follow the steps below:
- Close Safari;
- Back on the desktop, choose “Go” from the top menu and click “Go to Folder”.
- In the “Go to Folder” pop-up window, enter the path ~/Library/Preferences/com.apple.Safari.plist and click Go;
- Delete the file, if found;
- Launch Safari again.
To remove MacRansom from Chrome (extensions, homepage redirects), follow these steps:
Similarly, you need to reset Chrome's default settings in order to remove unknown extensions, search engines, startup pages and new tab settings.
It is best to use Google Chrome's built-in reset feature. This reverts all unwanted modifications made by third-party programs. Note that you will not lose your saved passwords and bookmarks (sync Chrome with your Google account first to secure them). However, it will delete cookies, extensions, startup pages, URLs, homepage and new tab preferences.
- Click Chrome's main menu and choose “Settings”. Scroll to the bottom of the page and click “Advanced”;
- On the Advanced page, go to the “Reset and clean up” section and click “Reset settings to their original defaults”;
- Next, click on “Reset”, when you will be prompted for a confirmation “This will reset your startup page, a new tab page, search engine, and pinned tabs. It will also disable all extensions and clear temporary data like cookies. Your bookmarks, history, and saved passwords will not be cleared”;
- Click the “Reset Settings” button to confirm. Chrome may then ask to restart; click “Yes”.
Remove Chrome’s policies created by MacRansom Program
If the reset above does not work for you, the malicious program may have created policies within Chrome. Such policies prevent the unwanted apps, homepage and search engine settings from being reset. Chrome's policies are listed at the chrome://policy URL, where you can check for unwanted policies created by malicious apps. If you find any, you need to remove them.
To reset such policies in Chrome, follow the steps below:
- Open a Terminal window: Finder → Go → Utilities → Terminal;
- In the Terminal window, execute the following commands one by one, pressing Enter after each:
defaults write com.google.Chrome HomepageIsNewTabPage -bool false
defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"
defaults delete com.google.Chrome DefaultSearchProviderSearchURL
defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
defaults delete com.google.Chrome DefaultSearchProviderName
defaults delete com.google.Chrome ExtensionInstallSources
- After executing the commands, launch Chrome again. To check that the unknown policies were removed, type “chrome://policy” in the address bar and click “Reload policies”.
- The malicious policies should now be gone. You can then set your homepage, new tab page and search engine as you prefer.
NOTE: Last but not least, if the above solution also does not work, the malicious program may have installed a “Managed by your organization” policy. Such a policy prevents the removal of the unknown extension or homepage even after resetting the browser.
Please follow our guide: Remove “Managed by your organization” Chrome Hijack From Mac
Mozilla Firefox Browser
To remove the MacRansom extension and homepage redirects from Mozilla Firefox, follow these steps:
Finally, if you are facing the same issues in Firefox, follow these steps to refresh it.
- Open Firefox's main menu by clicking the three horizontal lines, then select “Help” from the drop-down menu;
- Click “Troubleshooting Information” in the Help menu;
- In the upper-right corner of the “Troubleshooting Information” page, click “Refresh Firefox”.
- Confirm by clicking the “Refresh Firefox” button in the confirmation pop-up window.
- Click the “Finish” button.
By now, your Mac should be free from adware and other malicious programs. Most importantly, you should always run a reliable anti-malware tool with real-time protection, so that it can catch the behavior of an unwanted program as early as possible and quarantine it before it does serious damage.
Double Check for Malicious Files and Enable Safe Browsing Using Intego Internet Security X9
After removing a persistent threat like MacRansom, it is important to safeguard your browsers, so that such browser hijackers cannot get into Safari, Chrome or Mozilla Firefox again.
Intego Internet Security X9 not only provides real-time antivirus protection for Macs, but also scans files whenever they are accessed to keep your Mac free of malware.
It also integrates a “Safe Browsing” feature that configures advanced browser settings to prevent redirects to malicious or fraudulent sites and fake downloads, and warns you if you visit a harmful site.