Viruses are uncommon enough on Apple’s platforms that users generally don’t worry about them, but security researchers this week discovered a rarity — Mac ransomware that’s both spreading in the wild and potentially dangerous because of the way it hides on an infected machine. Disclosed by Dinest Devadoss, Patrick Wardle, and Malwarebytes’ Thomas Reed, the EvilQuest ransomware appears to be spreading through pirated macOS apps, disguising its background processes as Apple’s CrashReporter or Google Software Update.
Downloaded alongside an app such as the packet sniffer Little Snitch or Mixed in Key 8 DJ software, EvilQuest masks itself first as an innocuous “patch” file within the Mac installer, then renames itself to blend in with system tasks that would be running thanks to macOS or Google’s Chrome browser. If the ransomware works, it spreads around the computer’s hard drive, then locks infected files behind a demand for $50 within three days, and a threat that the files will remain encrypted.
However, there are questions as to how well EvilQuest actually functions on its own, and what the full extent of its capabilities are. A key logger has been discovered within the ransomware, but the encryption system is still somewhat unknown.
For the time being, it appears that the only way to infect a Mac with EvilQuest is to download certain pirated applications, which provides a simple mechanism to stop the ransomware from spreading: Don’t pirate software. Users who think they might be infected can use Malwarebytes’ Mac app to remove it, and the firm suggests keeping “at least two backup copies of all important data,” one detached from the Mac at all times to avoid attacks on connected drives.
Update on July 7 at 11:00 a.m. Pacific: The researchers have subsequently renamed EvilQuest to ThiefQuest, and now say further examination of ThiefQuest’s code suggests that it’s an exfiltration virus rather than ransomware. According to the researchers, ThiefQuest can transfer a Mac’s files over the internet, as well as logging keystrokes and opening a back door for remote control, but its ransom-related code does not appear to be fully functional. Previously identified tools are still believed to be effective at removing the virus, apparently leaving the Mac undamaged.