Mac 'EvilQuest' ransomware can steal your data — what to do [updated]

[Image: MacBook Pro 16-Inch (Image credit: Tom's Guide)]

Updated July 8 with availability of a ransomware decryptor, plus new evidence about the ransomware's true intentions. This story was originally published July 1, 2020.

Several security researchers are warning of a new type of Mac ransomware that doesn't charge much, but may also be secretly pilfering files from unsuspecting users.

The EvilQuest ransomware, discovered by K7 Lab's Dinesh Devadoss on Monday (June 29) and subsequently examined by cybersecurity firm Malwarebytes, among others, seems to be circulating on torrent forums where pirated software is often found. (It's not clear who came up with the EvilQuest name.)


"A post offered a torrent download for Little Snitch, and was shortly followed by a number of comments that the download included malware," explained Thomas Reed of Malwarebytes in a blog post yesterday (June 30). "In fact, we discovered that not only was it malware, but a new Mac ransomware variant spreading via piracy."

Tricking victims

The version of EvilQuest that Reed saw was masquerading as a legitimate torrent installer for Little Snitch, an app that provides network-monitoring capabilities for macOS.

Reed said that while Little Snitch is normally "attractively and professionally packaged," this version was instead "a simple Apple installer package with a generic icon."

Still, it did contain a working installation of Little Snitch, packaged alongside a shell script that loads and executes the EvilQuest malware.

EvilQuest has also been found in installers for other apps. Devadoss found it masquerading as Google Software Update, while Mac security researcher Patrick Wardle found it in the DJ app Mixed In Key. Reed himself noticed one version mimicking the music-production software Ableton Live.

Anti-analysis capabilities

As soon as the installer has been downloaded and executed, the malware begins infecting the victim's device. Like many recent malware strains, EvilQuest can check whether it's running inside a virtual machine or whether debugging tools are attached, and change its behaviour accordingly.

The malware can also detect whether the infected device is running anti-malware applications from companies such as Kaspersky, or security apps such as Little Snitch, according to a report by Bleeping Computer.

Reed warned: "Once the infection was triggered by the installer, the malware began spreading itself quite liberally around the hard drive."

Next, the malware looks up the details of its command-and-control server via http://andrewka6.pythonanywhere[.]com/ret.txt, so that it can contact the server, download what it needs, and then encrypt files on the infected device. That hostname is the one concrete network indicator the researchers have published, so it is worth searching DNS and proxy logs for it.

Bitcoin ransom fee

To regain access to the encrypted files, victims are asked to pay a ransom of $50 in bitcoin -- a pittance compared to the large sums ransomware crooks often demand -- and are given 72 hours to do so. Unfortunately, there is no way to contact the crooks after the ransom has been paid so that your files will be freed, which means paying cannot get the data back.

Bleeping Computer's Lawrence Abrams thinks the ransomware function -- which "didn't work very well," according to Malwarebytes' Reed -- may just be a ruse.

Abrams dug into the code and discovered that EvilQuest plunders the Users folder on a Mac, looking for images, PDFs, backup files, databases, cryptocurrency wallets and Word, Excel and PowerPoint files. The malware then exports copies of those files, as long as they are under 800KB in size, to its command-and-control server.
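For an incident responder, the practical question that follows from those collection criteria is how much of a given user's data would have been in scope. The script below is an added example written for this page; it is not code from the malware, from Malwarebytes or from Bleeping Computer. It walks a directory the way the article describes (file type plus a size cap) and tallies what a ThiefQuest-style collector could have copied. The exact extension sets are assumptions standing in for the categories the article names, and "under 800KB" is interpreted as fewer than 800 x 1024 bytes, which is also an assumption.

```python
"""Estimate which files under a directory would fall within the harvesting
criteria attributed to EvilQuest/ThiefQuest: selected file types under the
Users folder, each smaller than 800KB.  Added example, not the malware's code.
"""
import os
import sys
import tempfile
from pathlib import Path

# ASSUMPTION: the article names categories, not extensions; these lists are
# a reasonable stand-in chosen for this example.
TARGET_EXTENSIONS = {
    "images": {".jpg", ".jpeg", ".png", ".gif", ".tif", ".tiff", ".heic"},
    "pdf": {".pdf"},
    "backups": {".bak", ".backup", ".zip", ".tar", ".gz"},
    "databases": {".db", ".sqlite", ".sqlite3", ".sql"},
    "wallets": {".dat", ".wallet", ".keys"},
    "office": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"},
}
# ASSUMPTION: "under 800KB" read as strictly less than 800 * 1024 bytes.
MAX_SIZE = 800 * 1024

EXT_TO_CATEGORY = {ext: cat for cat, exts in TARGET_EXTENSIONS.items() for ext in exts}


def classify(path: Path):
    """Return the category a file would be collected under, or None."""
    cat = EXT_TO_CATEGORY.get(path.suffix.lower())   # extension match is case-insensitive
    if cat is None:
        return None
    try:
        size = path.stat().st_size
    except OSError:                                   # vanished or unreadable: skip it
        return None
    if size >= MAX_SIZE:                              # at or over the cap: not collected
        return None
    return cat


def scan(root):
    """Walk root without following symlinks; return {category: [(path, size), ...]}."""
    exposed = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune symlinked directories so a loop or a mounted volume is not traversed
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            cat = classify(p)
            if cat:
                exposed.setdefault(cat, []).append((str(p), p.stat().st_size))
    return exposed


def summarize(exposed):
    """Return (number of files, total bytes) that fall within the criteria."""
    n = sum(len(v) for v in exposed.values())
    total = sum(size for v in exposed.values() for _, size in v)
    return n, total


def demo():
    """Run the scan over a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents").mkdir()
        (root / "Pictures").mkdir()
        (root / "Documents" / "notes.txt").write_bytes(b"x" * 100)             # not a targeted type
        (root / "Documents" / "report.pdf").write_bytes(b"%PDF" + b"x" * 1000)  # collected (1004 bytes)
        (root / "Documents" / "scan.pdf").write_bytes(b"x" * MAX_SIZE)          # exactly 800KB: over the cap
        (root / "Pictures" / "cat.JPG").write_bytes(b"x" * 5000)                # upper-case suffix still matches
        (root / "wallet.dat").write_bytes(b"x" * 300)                           # wallet file at top level
        exposed = scan(root)
        return {cat: len(files) for cat, files in exposed.items()}, summarize(exposed)


if __name__ == "__main__":
    # Real usage: python3 exposure.py /Users/<name>   (defaults to your home directory)
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    found = scan(target)
    for cat, files in sorted(found.items()):
        print(f"{cat}: {len(files)} files")
    count, total = summarize(found)
    print(f"total: {count} files, {total} bytes within the collection criteria")
```

Run it against a home directory to get a rough count and byte volume of what could have left the machine; that figure, rather than the $50 ransom note, is what drives the response (credential and wallet rotation, notification decisions). Treat the totals as an upper bound under the assumed extension lists, not as evidence of what was actually exfiltrated; that needs network logs for the command-and-control traffic.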

To avoid infection by EvilQuest, or indeed any Mac malware, be sure to run one of the best Mac antivirus programs, and steer clear of pirated installers, which is how every sample so far has been delivered. It probably wouldn't hurt to also install Wardle's RansomWhere utility, which is free (although Wardle does accept donations).

Reed recommended backing up your files so that you have spare copies on hand in case ransomware does strike.

"The best way of avoiding the consequences of ransomware is to maintain a good set of backups," he wrote in the Malwarebytes blog post. "Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times. (Ransomware may try to encrypt or damage backups on connected drives.)"

"I personally have multiple hard drives for backups. I use Time Machine to maintain a couple, and Carbon Copy Cloner to maintain a couple more. One of the backups is always in the safe deposit box at the bank, and I swap them periodically, so that worst case scenario, I always have reasonably recent data stored in a safe location."

Security firm SentinelOne has created a decryption tool for Macs attacked by the EvilQuest ransomware, now renamed "ThiefQuest" by many researchers and organizations because there was already an online game called EvilQuest (which does look pretty fun).

Meanwhile, Malwarebytes' Thomas Reed now agrees with Bleeping Computer's assessment that EvilQuest/ThiefQuest is actually an information-stealer masquerading as ransomware to disguise its true intentions.

Reed noticed that the malware appears to have characteristics of a "wiper" that erases part or all of a hard disk to cover its tracks. He also cited fellow researcher Patrick Wardle in noting that EvilQuest/ThiefQuest resembles a true virus in that it modifies the code of legitimate applications in order to propagate itself, which means that infected copies of otherwise trusted apps can persist on a machine even after the original installer is gone.

A true virus is "something that has not been seen on Macs since the change from System 9 to Mac OS X 10.0," Reed wrote in a blog post July 7.

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!

Source: https://www.tomsguide.com/news/mac-ransomware-evilquest
