Ransomware is still a huge threat for small and medium sized businesses, enterprise organizations, and individuals. New threats are emerging and existing threats are evolving faster than ever before. People who previously thought they were protected by using a Mac instead of a PC are in for a rude awakening – instances of Mac malware increased 744% in 2016. This has been partially due to cyber criminals using new backdoor methods to infiltrate devices and an increase of malicious programs in the app store.

Reports of Mac malware increased 744% in 2016.

Mac Malware 2017

Since January 1st, there have already been three major Mac malware programs uncovered. These programs teach us:

  • Mac malware may have been lurking behind the scenes for longer than we realized
  • Paying ransom doesn’t guarantee decryption
  • Major phishing campaigns are starting to be distributed to Mac users


Discovered by an IT admin who noticed some unusual network traffic, this Mac malware targeted biomedical research centers. The program itself used antiquated code and took advantage of features that haven’t been included in OS updates since OSX Yosemite. It’s possible that this Mac malware has been around for years, copying and distributing confidential information.

The antiquated code used in Fruitfly indicates that it may have been lurking for a while before it was discovered.

This program uses two different files to communicate with a remote server and a control server. It is able to take and send screenshots undetected, giving hackers visibility over confidential information. Some versions could also access the webcam and take control of the mouse remotely. Although it isn’t totally clear how Machines were infected, it is highly likely that email was the distribution method — since 97% of malware is delivered via email.


FindZip Mac malware was disguised as an Adobe Premiere Pro/Microsoft Office patch. This Mac malware seems to have been mainly distributed via advertisements on piracy websites, but a similar type of malware could easily be delivered via email.

For most users, once the advertisement is clicked, a security warning appears. Since the creator doesn’t have an Apple developer certificate, MacOS displays a warning and won’t automatically open the file without a password. Macs include these quarantine features to protect against malicious software like this. Unfortunately, people who use piracy sites often modify their computer settings to download all types of software, and therefore will not receive the security warning. Without the quarantine flags set up, the malware begins downloading. When downloading is complete, it opens a transparent window with the message “Press START to begin patching Office 365.” Once victims click “START” there is no going back, the software begins encrypting files but shows a message that it is “patching”.

Once the “patching” is complete the malware informs the victim that all of their files have been encrypted. The pop-up window displaying the message includes instructions on how to retrieve their files by delivering the ransom payment. Unfortunately, it seems that the decryption key has never been released – even to the cybercriminals – so many people pay the ransom and are still unable to access their files.

Remember, paying the ransom doesn’t guarantee that the cybercriminal will do anything to return your files to you.


Newly discovered DOK is one of the first Mac malwares to be involved in a large-scale phishing campaign. DOK is delivered via phishing emails that claims there are inconsistencies with the victim’s tax returns and they must open the attached file to review them.

Once the victim clicks the malicious zip file, the malware:

  1. Installs and copies itself into the users/shared files as a “:loginitem” so it automatically boots whenever the computer starts until payload installation is complete
  2. Generates a pop-up window informing the user that a security issue has been detected but an update is available
  3. Prompts the user to enter their administrative password to install the update
  4. With admin privileges granted, the malware changes the network settings so all web traffic goes through a proxy server allowing cybercriminals to view and alter any web pages the victim searches
  5. Automatically deletes itself once the proxy settings have been altered in an attempt to evade anti-virus and malware detection programs

One of the key factors that allows this Mac malware to work is that the developer is Apple certified, so victims aren’t prompted to check the applications authenticity before running it.

Defend Against Mac Malware with Advanced Email Security

It is clear that Mac users are no longer protected from the threat of cybercrime by simply using a Mac. Experts predict that there will be more instances and variations of Mac malware throughout 2017. You need to defend your organizations against these threats to ensure that major data breaches won’t occur. You need advanced email security from Vade Secure.

Our multi-layered approach uses artificial intelligence to analyze a variety of behavioral and technical factors, plus the content within attachments, to ensure that emails are safe before entering into your employees’ inboxes. By using AI-backed email security, we can protect against known and unknown threats.

We defend your organization against:

Ready to protect your organization with advanced email security? Contact us today for a demo or proof of concept.