Updated on July 8 with the availability of a ransomware decrypter and new evidence regarding the true intent of the ransomware. This article was originally published on July 1, 2020.
Several security researchers warn about a new type of Mac ransomware that does not charge much.
The EvilQuest ransomware, discovered Monday (July 29) by Dinesh Devadoss of K7 Lab and subsequently investigated by cybersecurity firm Malwarebytes and others, appears to be circulating on torrent forums where pirated software is often found (It is unclear who came up with the name EvilQuest.)
"One post offered a torrent download of Little Snitch and immediately received numerous comments that the download contained malware," Thomas Reed of Malwarebytes explained in a blog post yesterday (June 30) "In fact, we've been told it's malware. "In fact, we have discovered that it is not only malware, but a new Mac ransomware variant that is spreading via piracy."
"The malware is a variant of a new Mac ransomware that is spreading via piracy.
The version of EvilQuest that Reed saw was posing as a legitimate torrent installer for Little Snitch, an app that provides network monitoring for MacOS.
According to Reed, LittleSnitch was usually "an attractive and professional package," but this version was instead "a simple Apple installer package with generic icons."
However, a working installation of LittleSnitch was included and packaged with a shell script that loaded and executed the EvilQuest malware.
EvilQuest has also been found in other app installers; Devadoss found it posing as Google Software Update, and Mac security researcher Patrick Wardle found it in the DJ app "Mixed in Key," which he found included in the software. Reed himself noticed a version that mimicked the music production software Ableton Live.
Once the installer is downloaded and executed, the malware begins infecting the victim's device. Like most modern malware, EvilQuest can even check if it is running on a virtual device and if debugging tools are running.
Bleeping Computer reports that the malware can also detect whether an infected device is using a corporate anti-malware application like Kaspersky or a security app like Little Snitch.
Reed warns: "Once the infection was triggered by the installer, the malware began to spread quite freely around the hard drive.
Next, the malwarehttp://andrewka6.pythonanywhere[.]com/ret.txtを介してコマンド・アンド・コントロール・サーバーの詳細を見つけ出し、感染したデバイスからファイルをダウンロードして暗号化できるようにする。
demands that the victim pay a $50 ransom in bitcoins to regain access to the encrypted files. Unfortunately, after the ransom is paid, there is no way to contact the scammers to have your files released.
Lawrence Abrams of Bleeping Computer thinks it may just be a ruse, since the ransomware part "didn't work very well," according to Malwarebytes' Reed.
Abrams examined the code and discovered that EvilQuest snatched the Users folder on Macs and searched for images, PDFs, backup files, databases, cryptocurrency wallets, Word, Excel, and PowerPoint files. The malware then exports copies of those files to a command-and-control server, as long as the size is less than 800 KB.
To avoid getting infected with EvilQuest, or any Mac malware, be sure to run the best Mac antivirus program. It also wouldn't hurt to install Wardle's RansomWhere utility (although Wardle accepts donations).
Reed recommends backing up your files and having a backup in case ransomware attacks.
"The best way to avoid ransomware damage is to keep a good backup," he wrote in a Malwarebytes blog post. "Keep at least two backup copies of all important data and keep at least one of them disconnected from your Mac at all times. (Ransomware may try to encrypt or corrupt backups on connected drives.)"
"I personally have multiple hard drives for backups, about two with Time Machine and two more with Carbon Copy Cloner. I keep about One of the backups is always in a safe deposit box at the bank and is replaced regularly, so even in the worst case scenario, I always have a reasonably secure place to store new data."
"I personally have multiple hard drives for backup.
Security firm SentinelOne was attacked by the EvilQuest ransomware, renamed "ThiefQuest" by many researchers and organizations because there was already an online game called EvilQuest (which sounds pretty fun) for Mac decryption tool for Macs attacked by the EvilQuest ransomware, renamed "ThiefQuest.
Meanwhile, Thomas Reed of Malwarebytes agrees with Bleeping Computer's assessment that EvilQuest/ThiefQuest is actually an information thief masquerading as ransomware, disguising its true intentions.
Reed noticed that the malware appears to have the characteristics of a "wiper" that erases part or all of a hard disk to cover its tracks. He also cited fellow researcher Patrick Wardle, who noted that EvilQuest/ThiefQuest also resembles a true virus in that it modifies the code of legitimate applications to propagate itself.
A true virus is "something we haven't seen on the Mac since the change from System 9 to Mac OS X 10.0," Reed wrote in a July 7 blog post
.
Comments