Mysterious EvilQuest macOS ransomware spreads through torrents

Mac users who are inclined to turn to torrents to obtain software without paying for it have been warned to be on the lookout for a new strain of ransomware – dubbed EvilQuest by researchers – which is spreading through pirated versions of popular macOS software products.

Discovered in the past few days, EvilQuest has already been dissected by a number of researchers, including Thomas Reed of Malwarebytes and Patrick Wardle of Objective-See and Jamf, who have both detected some strange behaviour.

For example, besides encrypting its victims’ files, EvilQuest also installs a keylogger and a reverse shell to a command-and-control (C2) server and is able to steal any files it finds related to cryptocurrency wallets.

Wardle wrote: “Armed with these capabilities, the attacker can main full control over an infected host.” This means that even if victims pay the ransom to decrypt their files – which appears to be set at $50 in bitcoin – the cyber criminals maintain access to their system and can continue other activities.

James McQuiggan, a security awareness advocate at KnowBe4, said: “It was only a matter of time before ransomware targeting macOS X became available in the wild, and it’s not a simple ransomware attack. Not only will the attack make your data unavailable, but it also contains other malware to steal credentials and other remote access functionality.”

EvilQuest also appears somewhat reluctant to actually encrypt files, according to Reed, who said it took him resetting the system clock on his sandbox machine three days ahead to get it to begin its work – possibly an obfuscation technique designed to make it harder to track its source.

“The malware wasn’t particularly smart about what files it encrypted, however,” he wrote in his disclosure blog. “It appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in post-encryption.

“Although others have reported that a file is created with instructions on paying the ransom, as well as an alert shown, and even text-to-speech used to inform the user they have been infected with ransomware, I was unable to duplicate any of these, despite waiting quite a while for the ransomware to finish.”

Reed said there were still a number of questions he had been unable to answer, such as what kind of encryption EvilQuest uses, whether it is secure or quite easy to crack, and whether it is reversible.

“If your files get encrypted, we’re not sure how dire a situation that is,” he wrote. “It depends on the encryption and how the keys are handled. It’s possible that further research could lead to a method for decrypting files, and it’s also possible that won’t happen.”

The investigation into EvilQuest continues, but Reed cautioned that if you find yourself infected by it – it can already be detected by Malwarebytes’ Mac service – you will want to be rid of it as quickly as possible before it can cause too much damage.

“The best way of avoiding the consequences of ransomware is to maintain a good set of backups,” wrote Reed. “Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times. If you have good backups, ransomware is no threat to you. At worst, you can simply erase the hard drive and restore from a clean backup.”

KnowBe4’s McQuiggan said the emergence of increasing numbers of malware strains targeting Apple devices was a source of concern. “For years, macOS has provided a secure and private system for its end-users,” he said. “Cyber criminals are taking advantage of access to the system to enable the keyloggers to capture user credentials and passwords, which may not be evident via other attack methods.

“If this ransomware or any other ransomware impacts users, it is critical to format the system after recovering the data to avoid additional infections. With the data recovered either from backup or paying the ransom, it may provide a false sense of relief that the encryption is gone. However, cyber criminals may leave additional files undetectable by anti-malware systems and could result in further unauthorised access or data theft.”