New Mac Ransomware Hidden in Pirated Software


Security researchers are warning of new Mac ransomware spread via pirated software on torrent and similar sites.

Malwarebytes director of Mac and mobile, Thomas Reed, explained that the EvilQuest malware is now dubbed “OSX.ThiefQuest” to avoid confusion with a 2012 gaming title.

He was first alerted to the ransomware hidden in a legitimate-looking edition of macOS firewall Little Snitch and uploaded to a Russian torrent site. However, it has subsequently been found in an installer for DJ software Mixed In Key 8 and will “undoubtedly” be hidden in other pirated software, Reed claimed.

“The malware wasn’t particularly smart about what files it encrypted, however,” he continued. “It appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in post-encryption.”

Other researchers have indicated that the ransomware also contains a keylogger, inferred from the presence of calls to the system routine CGEventTapCreate, and that it steals any cryptocurrency wallet-related files it finds. The malware also opens a reverse shell to communicate with a command and control (C&C) server, Reed explained.
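The keylogger attribution above rests on a static indicator: the name of a keystroke-capable system routine showing up in the binary. The following Python script is an added triage example, not code from the article or from Malwarebytes; it extracts printable strings from a blob (the way the `strings` tool does) and checks them against a watchlist that, as written, holds only the routine the article names. The sample byte strings are constructed to resemble a Mach-O string table fragment, where C symbols carry a leading underscore.

```python
import re
from typing import Dict, List

# Watchlist of API names whose presence in a binary warrants a closer look.
# CGEventTapCreate is the routine the article cites; extend the dict with
# whatever your own triage rules require (this is an assumption about your
# environment, not a list from the article).
WATCHLIST: Dict[str, str] = {
    "CGEventTapCreate": "creates an event tap that can observe keystrokes system-wide",
}


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes in blob."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_indicators(blob: bytes) -> Dict[str, str]:
    """Map each watchlisted API name found in blob to its description.

    Substring matching is deliberate: Mach-O symbol tables store C functions
    as "_CGEventTapCreate", and Objective-C selectors or format strings may
    embed the name in a longer token.
    """
    hits: Dict[str, str] = {}
    for s in extract_strings(blob):
        for api, why in WATCHLIST.items():
            if api in s:
                hits[api] = why
    return hits


# Constructed samples: not real binaries, just NUL-separated symbol names
# shaped like a fragment of a Mach-O string table.
SAMPLE_SUSPICIOUS = b"\x00_CGEventTapCreate\x00_CFRunLoopRun\x00_open\x00"
SAMPLE_BENIGN = b"\x00_NSLog\x00_objc_msgSend\x00_open\x00"


if __name__ == "__main__":
    # To triage a real file instead: find_indicators(open(path, "rb").read())
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        hits = find_indicators(blob)
        if hits:
            for api, why in hits.items():
                print(f"{label}: found {api} ({why})")
        else:
            print(f"{label}: no watchlisted APIs found")
```

Treat a hit as a reason to review, not as a verdict: legitimate accessibility, automation and screen-recording tools also create event taps, and a binary that resolves the routine at runtime by name or obfuscates its strings will produce no hit at all, so an empty result does not clear a file.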

Once encryption is complete, a pop-up message demands $50 from the victim to recover their files. As yet there is no decryption key available, although Reed said that researchers are working to understand what kind of encryption the malware uses and whether it can be cracked, as was done for the FindZip Mac variant.

In the meantime, he recommended best-practice backups and effective AV as the main ways to mitigate the threat.

“The best way of avoiding the consequences of ransomware is to maintain a good set of backups. Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times (ransomware may try to encrypt or damage backups on connected drives),” Reed concluded.

“I personally have multiple hard drives for backups. I use Time Machine to maintain a couple, and Carbon Copy Cloner to maintain a couple more. One of the backups is always in the safe deposit box at the bank, and I swap them periodically, so that worst case scenario, I always have reasonably recent data stored in a safe location.”
