New Mac Ransomware Hidden in Pirated Software

Security researchers are warning of new Mac ransomware spread via pirated software on torrent and similar sites.



Thomas Reed, Malwarebytes' director of Mac and mobile, explained that the malware originally named EvilQuest is now dubbed “OSX.ThiefQuest” to avoid confusion with a 2012 video game of the same name.



He was first alerted to the ransomware when it was found hidden in a legitimate-looking copy of the macOS firewall Little Snitch that had been uploaded to a Russian torrent site. It has subsequently been found in an installer for the DJ software Mixed In Key 8, and will “undoubtedly” turn up in other pirated software, Reed claimed.



“The malware wasn’t particularly smart about what files it encrypted, however,” he continued. “It appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in post-encryption.”



Other researchers have indicated that the ransomware also contains a keylogger, based on the presence of calls to the system routine CGEventTapCreate, and that it steals any cryptocurrency wallet-related files it finds. The malware also opens a reverse shell to communicate with a command and control (C&C) server, Reed explained.
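The keylogger attribution above rests on what the binary imports. As an added example (not Malwarebytes' or any researcher's code), the script below parses the symbol table of a 64-bit Mach-O, lists its undefined external symbols, and flags CGEventTapCreate. The only assumption is that CGEventTapCreate is the import the analyst cares about; the list can be extended. The `build_sample` helper constructs a minimal Mach-O for offline testing and is not a real sample. Caveat a practitioner should keep in mind: hotkey, accessibility and screen-recording apps import CGEventTapCreate legitimately, so a hit is a lead for further analysis, not a verdict, and a real installer's binary may be a fat (universal) image that needs thinning first.

```python
#!/usr/bin/env python3
"""Triage helper: list the undefined (imported) symbols of a 64-bit Mach-O and
flag the ones tied to the behaviour the article describes. Added example for
this page; it is not Malwarebytes' or any researcher's code."""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF   # little-endian 64-bit Mach-O header magic
LC_SYMTAB = 0x2            # load command carrying the symbol/string tables
N_TYPE_MASK = 0x0E         # nlist n_type bits that hold the symbol kind
N_UNDF = 0x00              # undefined (imported from another image)
N_EXT = 0x01               # external symbol

# Imports worth a closer look. CGEventTapCreate is the CoreGraphics call the
# article cites as the basis for the keylogger claim. Assumption for this
# example: the analyst only cares about that one routine. Caveat: hotkey,
# accessibility and screen-recording apps import it legitimately, so a hit
# is a lead for further analysis, not a verdict.
SUSPICIOUS_IMPORTS = {
    "_CGEventTapCreate": "event tap (possible keystroke capture)",
}


def imported_symbols(data):
    """Return the names of external undefined symbols, i.e. the binary's imports."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O; thin fat binaries first (e.g. `lipo -thin x86_64`)")
    names = []
    off = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<4I", data, off + 8)
            strtab = data[stroff:stroff + strsize]
            for i in range(nsyms):
                # struct nlist_64: n_strx, n_type, n_sect, n_desc, n_value (16 bytes)
                n_strx, n_type, _sect, _desc, _value = struct.unpack_from("<IBBHQ", data, symoff + 16 * i)
                if (n_type & N_TYPE_MASK) == N_UNDF and (n_type & N_EXT):
                    names.append(strtab[n_strx:strtab.index(b"\0", n_strx)].decode())
        off += cmdsize
    return names


def flag_imports(data):
    """Map each suspicious import present in the binary to its description."""
    return {n: SUSPICIOUS_IMPORTS[n] for n in imported_symbols(data) if n in SUSPICIOUS_IMPORTS}


def build_sample(imports):
    """Construct a minimal 64-bit Mach-O whose only load command is an LC_SYMTAB
    listing `imports` as undefined external symbols (constructed test input,
    not a real malware sample)."""
    strtab, nlist = b"\0", b""
    for name in imports:
        nlist += struct.pack("<IBBHQ", len(strtab), N_UNDF | N_EXT, 0, 0, 0)
        strtab += name.encode() + b"\0"
    symoff = 32 + 24                      # header + one LC_SYMTAB command
    stroff = symoff + len(nlist)
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, 24, 0, 0)  # x86_64 MH_EXECUTE, 1 cmd
    symtab = struct.pack("<6I", LC_SYMTAB, 24, symoff, len(imports), stroff, len(strtab))
    return header + symtab + nlist + strtab


if __name__ == "__main__":
    # With a path argument, triage that file; otherwise run on the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(["_CGEventTapCreate", "_printf"])
    for name, why in flag_imports(blob).items():
        print(f"{name}: {why}")
```

On a real macOS binary the same check can be cross-checked with `nm -u` or `otool -L`; the parser here exists so the logic runs offline and can be embedded in a triage pipeline. Extend `SUSPICIOUS_IMPORTS` with further routines only when you have a behavioural reason to, or the false-positive rate will swamp the signal.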



Once encryption completes, a pop-up message demands $50 from the victim to recover their files. As yet there is no decryption key available, although Reed said that researchers are working to understand what kind of encryption the malware uses and whether it can be cracked, as was the case with the FindZip Mac ransomware.



In the meantime, he recommended following backup best practices and running effective antivirus software as the main ways to mitigate the threat.



“The best way of avoiding the consequences of ransomware is to maintain a good set of backup ..
