New Mac ransomware ‘EvilQuest’ found in hacked apps encrypts users’ files


Mac users are now exposed to a new “EvilQuest” ransomware that encrypts files and causes multiple problems for the operating system. Malwarebytes has analyzed the ransomware today, which is distributed through hacked macOS applications.

The malicious code was first found in a pirated copy of the Little Snitch app available on a Russian forum with torrent links. The downloaded application comes with a PKG installer file, unlike its original version.

Upon examining this PKG file, Malwarebytes discovered that the application comes with a “post-installation script”, which is normally used to clean up once the installation is complete. In this case, however, the script installs the malware on macOS.

The script file is copied to a folder related to the Little Snitch application named CrashReporter, so the user will not notice it running in Activity Monitor, since macOS has an internal component with a similar name. The set location is: /Library/LittleSnitchd/CrashReporter.
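As an added defensive example (not code from 9to5Mac or from the Malwarebytes report), the script below turns the two facts above into triage checks: it lists post-install scripts inside an expanded installer package, and it flags a running process whose name mimics a macOS component but whose binary lives outside system locations, or that runs from the drop path quoted in the article. It assumes the .pkg has already been unpacked with Apple's `pkgutil --expand`, which places component scripts under a `Scripts` directory, and that a process listing is supplied as (name, path) pairs; the `TRUSTED_PREFIXES` list and the sample listing are constructed for the example.

```python
"""Triage helpers for the EvilQuest delivery pattern: a PKG post-install script that
drops a binary under a lookalike name. Added example, not the article's own code."""
import os

# Drop path quoted in the article (from Malwarebytes' analysis).
EVILQUEST_DROP_PATH = "/Library/LittleSnitchd/CrashReporter"

# Names borrowed from legitimate macOS components. A process with such a name that
# runs from outside the system directories deserves a closer look.
LOOKALIKE_NAMES = {"CrashReporter"}

# Assumption for this example: locations where Apple-shipped binaries normally live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/")


def find_postinstall_scripts(expanded_pkg_dir):
    """Return the post-install scripts found in a tree produced by `pkgutil --expand`.

    A distribution package can nest several component packages, each with its own
    Scripts directory, so the whole tree is walked rather than one fixed path.
    """
    hits = []
    for root, _dirs, files in os.walk(expanded_pkg_dir):
        if os.path.basename(root) == "Scripts":
            for name in files:
                if name in ("postinstall", "postflight"):
                    hits.append(os.path.join(root, name))
    return sorted(hits)


def suspicious_processes(proc_list):
    """proc_list: iterable of (process name, full executable path).

    Returns (name, path, reason) triples for the known drop path and for
    system-component names running from an untrusted location.
    """
    findings = []
    for name, path in proc_list:
        if path == EVILQUEST_DROP_PATH:
            findings.append((name, path, "known EvilQuest drop path"))
        elif name in LOOKALIKE_NAMES and not path.startswith(TRUSTED_PREFIXES):
            findings.append((name, path, "system-component name outside trusted location"))
    return findings


# Constructed sample listing (not captured from a real machine); the Finder path is
# the real one, the other two entries illustrate the two detection rules.
SAMPLE_PROCS = [
    ("Finder", "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"),
    ("CrashReporter", "/Library/LittleSnitchd/CrashReporter"),
    ("CrashReporter", "/Users/alice/Downloads/CrashReporter"),
    ("ls", "/bin/ls"),
]

if __name__ == "__main__":
    for name, path, reason in suspicious_processes(SAMPLE_PROCS):
        print(f"{name}\t{path}\t{reason}")
    # On a Mac: pkgutil --expand LittleSnitch.pkg /tmp/ls_expanded
    print(find_postinstall_scripts("/tmp/ls_expanded"))
```

On a real machine the process pairs can be built from `ps -axo comm=` (name) together with the executable path from `lsof` or Activity Monitor; the point of the lookalike rule is that a name alone proves nothing, only name plus location does.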

Malwarebytes points out that it takes some time before the ransomware starts working after its installation, so the user will not associate it with the last installed application. Once the malicious code is activated, it modifies the system and user files with unknown encryption.

Some of the encrypted files cause the Finder to malfunction and the system to crash constantly. Even the system keychain gets corrupted, making it impossible to access passwords and certificates saved on the Mac. A message on the screen says the user must pay $50 to recover their files, otherwise everything will be deleted after three days.

There is still no way to get rid of the malware after it has encrypted the files, so users should keep an updated backup of everything.

The best way to avoid the consequences of ransomware is to keep a good set of backup copies. Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times. (Ransomware may try to encrypt or damage backups on connected drives.)

Although the ransomware is only included with hacked apps at the moment, Apple should fix this security flaw as quickly as possible, as the malicious code could be bundled into more apps.

You can read more technical details about EvilQuest on the Malwarebytes website.
