New Mac ransomware found in pirated Mac applications


A new Mac ransomware variant, ‘EvilQuest’, is spreading through pirated Mac applications, according to a report shared today by Malwarebytes. The ransomware was found in a pirated download of the Little Snitch app posted on a Russian forum.


From the moment of download it was clear that something was wrong with the illicit version of Little Snitch, since it came as a generic installation package. It installed the genuine Little Snitch, but it also dropped an executable called “Patch” into the /Users/Shared directory together with a post-installation script that infects the machine.

The installation script moves the Patch file to a new location and renames it CrashReporter, the name of a legitimate macOS process, so that it blends in when viewed in Activity Monitor. From there, the Patch file installs itself in various places on the Mac.
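The drop-and-rename sequence described above suggests two simple checks an administrator can script: look for a file named Patch in /Users/Shared, and look for a running process named CrashReporter whose executable lives outside the system folders. The following is an added example, not code from the Malwarebytes report, and it assumes that a legitimate CrashReporter runs from a path under /System/ (anything elsewhere is flagged for manual review, not declared malicious).

```shell
#!/bin/bash
# Added triage helper (not from the Malwarebytes report). It checks the two
# indicators the report describes: a dropped "Patch" binary and a process
# masquerading as CrashReporter from a non-system path.

# Returns success (0) if a file named "Patch" exists in the given directory.
# The report names /Users/Shared as the drop location.
find_dropped_patch() {
    local dir="$1"
    [ -f "$dir/Patch" ]
}

# Reads "pid executable-path" lines on stdin (the shape produced by
# `ps -axo pid=,comm=` on macOS) and prints any CrashReporter process whose
# executable is not under /System/. Returns success if at least one was found.
# Assumption: a genuine CrashReporter runs from a system path, so a copy in a
# user-writable directory such as /Users/Shared deserves a closer look.
flag_renamed_crashreporter() {
    local hits=0
    local pid path
    while read -r pid path; do
        case "$(basename "$path")" in
            CrashReporter)
                case "$path" in
                    /System/*) ;;   # expected location, nothing to report
                    *) echo "suspicious: pid $pid runs $path"
                       hits=$((hits + 1)) ;;
                esac ;;
        esac
    done
    [ "$hits" -gt 0 ]
}

# Live usage on a Mac (commented out so the functions can be sourced and
# tested on any system):
# find_dropped_patch /Users/Shared && echo "Patch found in /Users/Shared"
# ps -axo pid=,comm= | flag_renamed_crashreporter
```

A hit from either check is a starting point for an investigation (compare the binary's hash and signature against a known-good machine), not proof of infection on its own.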

The ransomware encrypts settings and data files on the Mac, including Keychain files, which causes an error when trying to access the iCloud keychain. The Finder also malfunctioned after installation, and there were problems with the Dock and other applications.

Malwarebytes found that the ransomware malfunctions and was unable to obtain instructions on how to pay the ransom, but a screenshot found on the forums where the malicious software originated suggests that it is meant to ask users to pay $50 to regain access to their files. Note: anyone infected with this or any other ransomware should not pay the fee, as paying does not remove the malware.

Along with the ransomware activity, the malware may also install a keylogger to capture keystrokes, but what the malware does with that functionality is unknown. Malwarebytes says that its Mac software can remove the ransomware, detected as Ransom.OSX.EvilQuest. Encrypted files, however, will have to be restored from a backup.

Similar ransomware was found in other pirated apps, and Mac users can avoid it by staying away from pirated apps and from untrustworthy websites and forums offering illicit downloads.
