Ransomware Prevention & Defense – Part 3: macOS Recovery

Getting hit by ransomware is perhaps the biggest bummer ever. Everybody gets a virus now and again. Things get intense as you worry about your identity getting stolen and your bank accounts getting drained; but ransomware is a completely different deal. Despite the fact that many ransomware links look very realistic, nothing is more embarrassing than ransomware. YOU have to initiate the encryption that hijacks your data, by clicking on a link or button, so you actually do it to yourself. The guilt, the remorse and the desire to engage the Omega 13 to reverse the whole process so you never click on the link are so overwhelming that you end up spending the next 30 or so minutes asking yourself why you had to click on that thing, when you KNEW it wasn’t a good idea.

Unfortunately, bad things happen to good people.  The best thing you can do is find a way to get past the constant nag of the, “pay me money or I’m going to erase your memories,” screen that you see when you turn on your computer.  Believe it or not, beating ransomware isn’t impossible.  You can do it; but it’s going to require you to do a little bit of prep work in order to make life easier if and when the worst case scenario hits.

The process of prevention and recovery isn’t complicated; but it can be a bit long.  If you’ve been following along at home, we’ve done the following:

  1. Prepped our data for backup
  2. Prepped for recovery (by making a bootable USB stick), rebuilt and recovered our Windows PC

Today, we’re going to run the process of making a bootable USB stick for our Mac; and we will use it to rebuild and recover our Mac.  Again, this process is going to be a bit long, and you should follow these steps as closely as possible.  It’s going to take a bit, so let’s get to it.

Recovery – Retake Control of your Mac

  1. Realize your Data is GONE and Get Over It – Ransomware will encrypt your entire hard drive. Once the encryption process starts, you can’t stop it. So as soon as you see the screen that tells you your drive is encrypted, you should accept the fact that your data is gone. Don’t try to stop the process, it’s too late. A word to the wise – the police, FBI, Department of Justice or other legal body will NOT reach out and electronically encrypt or lock down your computer.  They cannot legally do that to you.  The Fourth Amendment of the US Constitution prevents illegal search and seizure.  Encrypting your hard drive and locking you out of it without first presenting you with a search warrant (which establishes probable cause that a crime has been committed), violates the Fourth Amendment.
    To address the gorilla in the room, why wouldn’t you pay the ransom, get access to your computer and your data, back it up and THEN move on?
    To be blunt, I wouldn’t trust it.
    Your data has been held hostage by a known malicious agent. At this point, I would treat it as though it were infected with every bug known to man, including trojan horses, keyloggers, worms, and the Black Plague. It’s not to be trusted. At all… I mean, who knows what those data thieves may have done to it while it was under their control? I would also think your OS would be infected with something as well. Your virus scanner (if you have one at this point) wasn’t smart or savvy enough to catch and prevent the ransomware attack before it encrypted your drive.  I wouldn’t trust it to clean your drive, post infection.  Expect part of your clean up activities to include the purchase of a new anti-virus/anti-malware (AV/AM) package.
    So… your data is gone; and I would consider it – and your computer – to be an infected mess.  Get over it and move on. The quicker you accept this, the faster your recovery will be and the quicker you’re going to be up and running.
  2. Make a list of your Applications – any backup disks connected to your machine during infection or after it’s been infected – like a Time Machine Disk – are likely encrypted, and are a likely point of potential REINFECTION. When you blow your drive, you’ll need to blow this backup disk as well. Make a list of your MUST HAVE applications and keep that list handy.  You may need the list to help ensure you reinstall all of your programs after you have the PC rebuilt.
  3. Prepare to Rebuild – Like its PC counterpart, this section is going to be long.
    To be honest – I think, anyway – Mac users are more used to this process than PC users.  Mac users have been using recovery partitions to rebuild their Macs since the introduction of OS X Lion in July of 2011.  However, just as I wouldn’t trust it on a Windows 10 PC, I wouldn’t trust the recovery partition on a Mac after a ransomware infection.  Instead, the best thing to do is use a third party app to build a bootable USB drive that we’ll use to install the latest version of macOS for your Mac.  With Macs, it’s a bit easier than with PCs. Apple is the only one that makes a Macintosh computer.  The process is a bit more straightforward than with a PC, where there are hardware, driver and other software differences as diverse as the rainbow. AND, like its Windows counterpart, this is a set of instructions that you should complete BEFORE you realize you’ve been infected with malware.  Again, an ounce of prevention is worth a pound of cure.  Let’s get to it…

    1. Download DiskMaker X – DiskMaker X is a third party app that will help you create a macOS installation USB stick.  Once you’ve downloaded the software, mount the disk image and install the software to your Mac.
    2. You’ll need a copy of DiskMaker X for your version of macOS and a copy of the OS that you want to reinstall on your Mac.  You can download both from the link in this step.  Download times for these will vary depending on your internet connection speeds.

      macOS currently uses the App Store and Preferences to download macOS, making it quirky and difficult to download a version of macOS that isn’t current or readily available via the Mac App Store.  If you need to download an older version of macOS, that is NOT the version you are currently using, you can find Apple based (trustable) links, here. I’d stay away from links that aren’t from Apple, unless you trust them.
    3. After you’ve downloaded DiskMaker X, run it. The biggest thing you have to know about DiskMaker X is that it’s written in AppleScript.  This application behaves a bit differently than other apps. Be ready for it when it starts. It may be a bit quirky; but this app is really good at what it does.
    4. After starting, the app looks for a copy of a macOS installer. It starts its search in both Macintosh /Users/<UserDirectory>/Applications and in /Users/<UserDirectory>/Downloads.  However, it will search for an installer in all connected drives.

      If you wish to use the copy that the app discovered, click the Use this copy button.  If you wish to use a different installer, click the Use another copy… button and navigate to, and select the installer you wish to use.
    5. If you’re like me, you’ve got a set of USB sticks that you use as boot drives to rebuild your machines when you need to.  If you’re upgrading your stick to a new OS version; or if you’ve used it before, and are remaking, rebuilding or refreshing it, you’ll see the following dialog box.
      Click the appropriate button to continue. I updated my USB stick, so I clicked Update this volume.
    6. DiskMaker X supports Dark Mode; but you have to make that selection midway through the process; and then it won’t kick in until this point.
      I stuck with Light Mode. My eyes aren’t great, and the macOS Menu Bar, especially in current and upcoming versions of macOS, doesn’t handle text well when the Menu Bar is any other color but light.
    7. At this point, you’ll be prompted for elevated privileges.  DiskMaker X needs admin rights to get everything done.  So here, you’re informed…

      Here, your administrator password will be required.  Have it handy.

    8. You’ll be asked what kind of USB stick you’re going to use.  There are a couple of helpful hints in this dialog box. Make sure you read this one.  I chose the highlighted button – An 8GB USB thumb drive (ERASE ALL DISK).

      After you select and click the appropriate button here, the app seems to disappear.  Trust me, it hasn’t. It’s working in the background.
    9. As DiskMaker X does its thing, you’ll see notifications pop up and report on DiskMaker X’s progress. If it’s important, you’ll see a notification.

      As the disk builds, you’ll see notifications reporting the app’s progress. They should come every 5% or so…
    10. Once your thumb drive is completed, you’ll see this Ta-Da! dialog box.  Once you’re done, take it out of the USB port and keep it in a safe place.  You’ll need it for when bad things happen and you need to rebuild your Mac.

      Click the Quit button when you’re all done.
  4. Nuke your Mac and Rebuild – As I said earlier, your recovery partition is not to be trusted. Don’t use it to rebuild your Mac.  When you realize you have ransomware, follow these steps to use the USB stick to rebuild your Mac.
    1. Turn off your Mac.  The machine isn’t usable anyway.  If it’s on, turn it off.
    2. Insert the DiskMaker X USB Stick into an available USB port.  If it’s a USB-C/TB3 only Mac, use a hub or some other attachment, like the HyperDrive for MacBook Pro.
    3. Press and hold down the left Alt/Option key and press the power button to start your Mac. Your Mac should restart with a menu that allows you to pick the USB stick as a boot drive.
    4. Start your Mac from the USB Stick. Select the USB stick and press the Enter key. Your Mac should boot from the USB Stick and open to a set of utilities that will allow you to prep your Mac for reinstallation of
    5. Erase your Mac’s Boot Drive. Get rid of it. It’s infected.
    6. Erase your Mac’s Time Machine Disk. Get rid of it. It’s likely infected too; and you don’t want to take a chance of getting reinfected with it.
    7. Reinstall macOS.  Reinstall macOS on your Mac’s boot drive.
    8. Finish macOS Setup.  Finish the installation and get back to the macOS desktop.


You’ve got ransomware and your Mac is infected.  You’ve decided not to pay the ransom as paying doesn’t ensure that it won’t reinfect your computer; or that there isn’t additional malware scattered throughout your computer’s hard drive.

If you’ve done your homework – for your Mac – you can build a USB stick that can get you back up and running. Let’s recap this process very quickly. It’s going to be a bit different for our friends running Windows.

  1. Download DiskMaker X. Use it to create a bootable USB stick that will reinstall macOS on your Mac.
  2. Boot from the USB stick. Hold down the left Option key during the boot sequence and then choose the USB stick as a boot drive.
  3. Erase Your Time Machine and Boot Drive.  Once you’re running from the USB stick, erase both your boot drive and your Time Machine drive. Both are infected with ransomware and need cleansing.
  4. Reinstall macOS. After both drives are erased, reinstall macOS from the USB stick and complete setup.

If you got ransomware on your Mac and you’re back up and running now, hang tight. We’ve got to get our data restored; and then (on your Mac) reinstall any apps that might be missing.
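The “make a list of your applications” homework from step 2, and the “reinstall any apps that might be missing” check that comes after the rebuild, can both be scripted. The script below is an added example for this post; it is not part of the original article and is not a DiskMaker X feature. It assumes a POSIX shell with awk, sed and tr, that application bundles live directly under a folder such as /Applications, and that each bundle’s Info.plist is XML (or that Apple’s plutil is available to convert a binary plist on the fly). The file names apps-before.txt and apps-after.txt, and the RECOVERY_USB volume name, are placeholders of my choosing.

```shell
#!/bin/sh
# Added example (not from the original post, not part of DiskMaker X):
# inventory the .app bundles on a Mac so the list can be kept with the
# recovery USB stick, then diff that list against a fresh inventory after
# the rebuild to see which apps still need reinstalling.
# Assumptions: POSIX sh, awk, sed, tr; Info.plist is XML, or plutil is
# available (macOS) to convert a binary plist on the fly.

# Print "name<TAB>version" for every .app bundle directly under $1.
inventory_apps() {
  dir=$1
  for app in "$dir"/*.app; do
    [ -d "$app" ] || continue
    name=$(basename "$app" .app)
    plist="$app/Contents/Info.plist"
    ver=unknown
    if [ -f "$plist" ]; then
      # On macOS, Info.plist is often binary; plutil can emit XML to stdout.
      if command -v plutil >/dev/null 2>&1; then
        xml=$(plutil -convert xml1 -o - "$plist" 2>/dev/null)
      else
        xml=$(cat "$plist")
      fi
      # Join lines so the key and its <string> value match even when they
      # are split across lines, then pull out CFBundleShortVersionString.
      v=$(printf '%s' "$xml" | tr -d '\n' |
        sed -n 's/.*<key>CFBundleShortVersionString<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p')
      [ -n "$v" ] && ver=$v
    fi
    printf '%s\t%s\n' "$name" "$ver"
  done
}

# Write the inventory of folder $1 to file $2. Keep that file OFF the Mac
# (next to the USB stick, for example) so it survives the wipe.
save_inventory() {
  inventory_apps "$1" > "$2"
}

# Print the names present in inventory file $1 (saved before the rebuild)
# but absent from inventory file $2 (taken after reinstalling macOS).
missing_apps() {
  awk -F'\t' 'NR==FNR { have[$1] = 1; next } !($1 in have) { print $1 }' "$2" "$1"
}

# Typical use on the Mac, before anything goes wrong (paths are placeholders):
#   save_inventory /Applications /Volumes/RECOVERY_USB/apps-before.txt
# and after the rebuild:
#   save_inventory /Applications /tmp/apps-after.txt
#   missing_apps /Volumes/RECOVERY_USB/apps-before.txt /tmp/apps-after.txt
```

The inventory only covers bundles in the folder you point it at; apps installed under ~/Applications or via a package manager need a second run or their own list. Keep the saved file with the USB stick rather than on the Mac, since the whole point is that the boot drive and the Time Machine disk get erased.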
