Things that happen every four years: Olympic Games, Presidential elections, and now new Mac ransomware

EvilQuest targets Mac pirates, poses as legit network security and music tools

Security bods are sounding the alarm following the discovery of a rare brand-new strain of Mac ransomware.

Known as EvilQuest, the software nasty was spotted spreading via Russian piracy and torrent sites. The team at infosec outfit Malwarebytes told The Register on Tuesday the malware is the first new piece of macOS ransomware it has detected in the past four years.

Malwarebytes director of Mac and Mobile Thomas Reed said in one sample he analyzed, the malware posed as an installer for the legit, and highly useful, network monitoring tool Little Snitch. EvilQuest has also been spotted pretending to be music-making suite Ableton Live and tuning software Mixed in Key. K7 threat researcher Dinesh Devadoss also reported discovering the ransomware masquerading as a Google software update.

In each case, it appears the ransomware's author simply injected their code into an otherwise legitimate installer. Running the tainted installer code begins the infection process, and after checking whether or not it's running in a virtual machine, and for the presence of debugging or antivirus tools, the file-scrambling ransomware starts, albeit on a time delay.

"It’s not unusual for malware to include delays. For example, the first ever Mac ransomware, KeRanger, included a three-day delay between when it infected the system and when it began encrypting files," Reed explained. "This helps to disguise the source of the malware, as the malicious behavior may not be immediately associated with a program installed three days before."

Once the delay runs out – the length of which isn't yet confirmed – the malware begins the process of encrypting files in advance of presenting the victim with a $50 (£40) ransom demand.

Fortunately, the ransomware doesn't appear to be particularly good at its job, and whoever wrote it left in a number of bugs and sloppy coding that can tip off savvy users that something is amiss.

"The malware wasn't particularly smart about what files it encrypted, however. It appeared to encrypt a number of settings files and other data files, such as the keychain files," said Reed. "This resulted in an error message when logging in post-encryption."

At the same time, the author appears to have ambitions beyond just getting a ransom payout. The malware also has the ability to connect to a command-and-control server, and could add other malware modules.

Little Snitch developer, and macOS security guru, Patrick Wardle noted that in addition to the ransomware components, the malware also appears to have some limited keylogging ability, can possibly run purely in memory (thus making an infection a little more difficult to detect as it doesn't touch any storage) and has the ability to search for and exfiltrate wallet and keys to outside systems.

"Finally, the malware may also try to create a reverse shell if certain preconditions are met," said Wardle. "Armed with these capabilities the attacker can maintain full control over an infected host."

Other than running decent antivirus tools, and not downloading stuff from shady pirate sites and torrents, Reed recommends users protect themselves by maintaining multiple offline backups, so that they can simply wipe and restore their Mac should ransomware strike.

"Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times," said Reed. "Ransomware may try to encrypt or damage backups on connected drives." ®
