Does FileVault protect against ransomware?
I've already asked a question about ransomware on OS X in general. But I failed to get a response regarding whether FileVault protects against it. That is what this question is about. I'm also interested to know whether encrypted Time Machine backups are safe from ransomware.
Ransomware here is defined as malicious software that encrypts the user's data against their will/knowledge and demands a ransom in exchange for the encryption key.
We'll look at three examples:
The malware is running without superuser privileges. The unwitting user may just have ran a compromised/malicious app that they believed was something else, and then let it run in the background for long enough to do damage.
The malware is running with superuser privileges. The user, believing the software to be something else, has granted it root access by giving the root password. The user may even have installed the software by giving the root password.
The user didn't run any app at all, the malware managed to run in some other way. (Is this even possible on OS X?)
In cases 1 and 2 the user would have turned off OS X's "trusted sources only" setting. (Side question: Is it at all possible to be affected by ransomware while this setting is on?)
Looking at 1., 2. and 3. separately, can the malware:
A: Access FileVault protected data?
B: Modify/Delete FileVault protected data?
C: (A combination of A and B) Encrypt FileVault protected data and overwrite (securely delete) the original FileVault data)?
Is there any difference between locally stored FileVault protected data, and encrypted Time Machine backups stored on another drive? I'm also interested in the answer regarding the latter.
Solution 1:
Ransomware works by selecting certain files (normally by type - like docs, bitcoin wallets, etc), encrypting those individual files and forcing you to pay up for a key to decrypt them.
FileVault protects your data on your Mac by encrypting the whole disk. When you boot up your Mac, you put in a password that effectively "decrypts" the drive and allows it to run as-is. That said, once you've put the key in the lock, so to speak, FileVault wouldn't be protecting you from ransomware. You'd still be just as vulnerable as the ransomware would be running after FileVault had been unlocked.
As for the Time Machine backups, this is more complicated. Those backups are stored encrypted at rest, and only decrypted when they're accessed. This means the files inside the backups themselves would not be individually identifiable to ransomware that was running - however the entire backup could be. So the ransomware could encrypt the whole thing as a unit, instead of just the individual files.
As for OSX's "trusted sources" setting, there have been multiple exploits against this feature as of late and it's not as trustworthy as it seems. I couldn't say for certain it wouldn't protect you, but I wouldn't count on it.
I'd recommend some kind of cloud-based or off-computer backup if you really want to protect your data running through a third party application. In other words, don't connect to a network share and backup your data there, use an application to do it. It's unlikely that ransomware would be sophisticated and specific enough to know about specific backup applications, how they connect to their third party service, and how to encrypt the files on that service. Dropbox is a simple example here if you pay for their cloud backup service -- even if the ransomware did encrypt your files in Dropbox, they keep versions backed up so you'd have something to revert to.