- #RANSOMWARE ON MAC COMPUTERS UPDATE#
- #RANSOMWARE ON MAC COMPUTERS PATCH#
- #RANSOMWARE ON MAC COMPUTERS FULL#
- #RANSOMWARE ON MAC COMPUTERS SOFTWARE#
- #RANSOMWARE ON MAC COMPUTERS CODE#
One theory that is becoming more popular as researchers keep analyzing the code was that ThiefQuest started out as a regular infostealer, but was later expanded into ransomware with a low-quality file-encryption module that ended up destroying user files. This means that any victims who pay won't likely receive a decryption key to recover their files, as there is no way for the ThiefQuest group to say who paid and who didn't.Īll victims infected by this point should consider their data lost forever, unless researchers find a way to break the encryption and recover their files.Īt the time of writing, security researchers couldn't say for sure if ThiefQuest was created as a ransomware from the get-go, or if the ransomware module was added later, on top of another existing remote access trojan. "However, Chrome will see that the files have been modified, and will replace the modified files with clean copies as soon as it runs, so it's unclear what the purpose here is."įurthermore, researchers also noted that the ThiefQuest also doesn't include a method through which victims could contact the ransomware authors, or a method through which the malware authors could track payments.
#RANSOMWARE ON MAC COMPUTERS PATCH#
"These files had the content of the patch file prepended to them, which of course would mean that the malicious code would run when any of these files is executed," Reed said.
#RANSOMWARE ON MAC COMPUTERS UPDATE#
In his own analysis of ThiefQuest, Reed also noted that the ransomware also attempts to modify files specific to Google Chrome's update mechanism, and use the files as a form of persistence on infected hosts. datĪfter the encryption process ends, the ransomware installs a keylogger to record all the user's keystrokes, a reverse shell so the attacker can connect to the infected host and run custom commands, and will also look to steal the following types of files, usually employed by cryptocurrency wallet applications. Stokes told ZDNet the ransomware will encrypt any files with the following file extensions:
The victim is directed to open a ransom note in the form of a text file that has been placed on their desktop, which looks like the one below: Once the file encryption scheme ends, a popup is shown to the user, letting the victim know they've been infected and their files encrypted. Wardle, who published an in-depth technical analysis of ThiefQuest earlier today, said the malware is pretty straightforward, as it moves to encrypt the user's files as soon as it's executed. However, Reed told us he believes the ransomware is most likely more broadly distributed, leveraging many more other apps, and not just these three. Russian forum spreading pirated macOS app infected with OSX.EvilQuest
#RANSOMWARE ON MAC COMPUTERS SOFTWARE#
Reed told ZDNet in a phone call today that Malwarebytes found ThiefQuest hidden inside pirated macOS software uploaded on torrent portals and online forums, such as a pirated version of music production app Ableton, DJ mixing software Mixed In Key, and security tool Little Snitch. However, new evidence surfaced in the meantime has revealed that EvilQuest has been, in reality, distributed in the wild since the start of June 2020. ThiefQuest is distributed via pirated softwareīut the researcher who first spotted the new ThiefQuest ransomware is K7 Lab security researcher Dinesh Devadoss.ĭevadoss tweeted about his finding yesterday, June 29. Reed and Stokes are currently looking for a weakness or bug in the ransomware's encryption scheme that could be exploited to create a decryptor and help infected victims recover their files without paying the ransom. Others who are also investigating EvilQuest include Thomas Reed, Director of Mac & Mobile at Malwarebytes, and Phil Stokes, macOS security researcher at SentinelOne. Wardle is currently one of the many macOS security researchers who are analyzing this new threat. This means that even if victims paid, the attacker would still have access to their computer and continue to steal files and keyboard strokes.
#RANSOMWARE ON MAC COMPUTERS FULL#
"Armed with these capabilities, the attacker can main full control over an infected host," said Patrick Wardle, Principal Security Researcher at Jamf. Named OSX.ThiefQuest (or EvilQuest), this ransomware is different from previous macOS ransomware threats because besides encrypting the victim's files, ThiefQuest also installs a keylogger, a reverse shell, and steals cryptocurrency wallet-related files from infected hosts. Security researchers have discovered this week a new ransomware strain targeting macOS users. Google Drive alternative: Decentralized and encrypted