How to Recover From a Ransomware Infection on Mac
Isolate the Mac, restore from Time Machine or iCloud, and decide whether to wipe and reinstall macOS.
Step 1: Isolate the Mac
- Disconnect from Wi-Fi and Ethernet immediately to stop spread to other devices
- Disconnect any external drives or Time Machine drives
- Do not pay the ransom — it funds further attacks and rarely results in recovery
Step 2: Restore from a clean backup
- Time Machine: boot into Recovery (Apple Silicon: hold power → Options) and use Restore from Time Machine
- iCloud: documents synced before infection are recoverable from iCloud.com
- Restore only files, not system or app folders, to avoid re-infection
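To decide which Time Machine backup counts as clean in Step 2, the following added example (not part of the original guide) filters a backup list down to those taken before the infection. It assumes the list comes from `tmutil listbackups`; the function names, sample paths and cutoff time are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Time Machine backups taken before the infection.
# Reads one backup path per line on stdin (the format `tmutil listbackups`
# prints). The cutoff is an assumption you supply: the earliest time you saw
# encrypted files or a ransom note, written as YYYY-MM-DD-HHMMSS.

# True if $1 looks like a Time Machine timestamp.
is_stamp() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every backup path whose timestamp is strictly earlier than the cutoff.
backups_before() {
    cutoff=$1
    if ! is_stamp "$cutoff"; then
        echo "cutoff must look like 2024-03-05-090000" >&2
        return 2
    fi
    cutoff_n=$(printf '%s' "$cutoff" | tr -d '-')
    while IFS= read -r path || [ -n "$path" ]; do
        name=${path%/}          # drop a trailing slash
        name=${name##*/}        # keep the last path component
        name=${name%.backup}    # newer backups end in ".backup"
        is_stamp "$name" || continue   # skip lines that are not backups
        stamp_n=$(printf '%s' "$name" | tr -d '-')
        # Both values are 14-digit numbers, so numeric order is time order.
        if [ "$stamp_n" -lt "$cutoff_n" ]; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Constructed sample standing in for real `tmutil listbackups` output.
sample_backups() {
    cat <<'EOF'
/Volumes/TM/Backups.backupdb/Mac/2024-03-01-101500
/Volumes/.timemachine/EXAMPLE-UUID/2024-03-04-221000.backup/2024-03-04-221000.backup
/Volumes/.timemachine/EXAMPLE-UUID/2024-03-05-093000.backup/2024-03-05-093000.backup
EOF
}

# Constructed cutoff: infection first noticed 5 March 2024 at 09:00.
sample_backups | backups_before 2024-03-05-090000
```

With real data, pipe `tmutil listbackups` into `backups_before` in place of the sample. A backup dated before the first visible sign can still hold the malware if the infection began earlier, so prefer the oldest backup that still has the files you need.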
Step 3: Wipe and reinstall macOS
If no clean backup exists, the safest option is a clean reinstall:
- Boot into macOS Recovery
- Choose Disk Utility → Erase the internal disk (APFS, GUID)
- Quit Disk Utility and choose Reinstall macOS
- Set up as new — do not restore from the infected backup