Malware that encrypts your files and demands payment for the decryption key
Ransomware is malware that encrypts a victim’s files — and often their connected backups — then demands payment, usually in cryptocurrency, in exchange for the decryption key.
Modern ransomware families don’t just hit the documents folder. They enumerate mounted volumes, network shares, and any cloud storage that looks writable from the infected user’s session; some also exfiltrate data first and threaten to publish it (“double extortion”). The defense that actually works is immutable storage: backup copies the attacker cannot overwrite, delete, or re-encrypt even with valid credentials, because the storage layer itself refuses destructive operations until a retention clock expires.
macOS was historically a quiet target, but that changed. LockBit shipped a macOS build in 2023, and 2024–2025 saw active families — including Cthulhu Stealer, Atomic macOS Stealer, and ransomware delivered through cracked-app installers — specifically targeting Apple Silicon Macs. The old advice that “Macs don’t get malware” is retired; professionals handling irreplaceable work should plan as if they’ll be hit.
In macup, ransomware resistance is not a feature flag. Every macup Cloud bucket runs with S3 Object Lock in compliance mode, so snapshots written today cannot be deleted or altered — not by an attacker with your account credentials, not by a support ticket, not by us — until the retention window on that snapshot elapses. Your local machine can be fully encrypted by ransomware and the cloud copy is still intact.
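A defender can confirm this property on any Object Lock bucket rather than take it on trust. The following is an added example, not macup's code: it audits dicts shaped like the responses of S3's GetObjectLockConfiguration and GetObjectRetention calls. The function names, the sample values, and the 30-day minimum are assumptions made for illustration.

```python
from __future__ import annotations
from datetime import datetime, timedelta, timezone

def audit_bucket_lock(lock_cfg: dict, min_days: int = 30) -> list[str]:
    """Return findings for a GetObjectLockConfiguration-shaped response."""
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled: object versions can be deleted"]
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        return ["no default retention: an upload is locked only if it sets its own"]
    findings = []
    if default.get("Mode") != "COMPLIANCE":
        # Governance mode is the weak setting: it can be overridden.
        findings.append("mode is GOVERNANCE: a principal holding "
                        "s3:BypassGovernanceRetention can still delete versions")
    days = default.get("Days", 0) + 365 * default.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention of {days}d is below the {min_days}d minimum")
    return findings

def snapshot_is_locked(retention: dict, now: datetime) -> bool:
    """True if a GetObjectRetention-shaped response shows an unexpired compliance lock."""
    r = retention.get("Retention", {})
    until = r.get("RetainUntilDate")
    return r.get("Mode") == "COMPLIANCE" and until is not None and until > now

# Constructed sample responses (not taken from any real bucket).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
WEAK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
STRONG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
          "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}}
LIVE = {"Retention": {"Mode": "COMPLIANCE",
                      "RetainUntilDate": NOW + timedelta(days=30)}}
EXPIRED = {"Retention": {"Mode": "COMPLIANCE",
                         "RetainUntilDate": NOW - timedelta(days=1)}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("strong", STRONG)):
        print(name, audit_bucket_lock(cfg) or "ok")
    print("live snapshot locked:", snapshot_is_locked(LIVE, NOW))
    print("expired snapshot locked:", snapshot_is_locked(EXPIRED, NOW))
```

Against a real bucket, the same dicts come from boto3's `get_object_lock_configuration` and `get_object_retention` client calls.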