Mac users are now exposed to a new “EvilQuest” ransomware that encrypts files and causes multiple issues to the operating system. Malwarebytes has analyzed the ransomware today, which is being distributed through macOS pirate apps.
The malicious code was first found in a pirate copy of the Little Snitch app available on a Russian forum with torrent links. The downloaded app comes with a PKG installer file, unlike its original version.
By examining this PKG file, Malwarebytes discovered that the app comes with a “postinstall script,” which is typically used to clean up the installation after the process is completed. In this case, however, the script implements the malware to the macOS.
The script file is copied to a folder related to the Little Snitch app under the name CrashReporter, so the user won’t notice it running in the Activity Monitor since macOS has an internal app with a similar name. The set location is: /Library/LittleSnitchd/CrashReporter.
Malwarebytes notes that it takes some time before the ransomware starts working after it’s installed, so the user won’t associate it with the last installed app. Once the malicious code is activated, it modifies system and user files with unknown encryption.
Part of the encryption causes the Finder not to work properly and the system crashes constantly. Even the system’s Keychain gets corrupted, so it’s impossible to access passwords and certificates saved on the Mac. A message on the screen says the user must pay $50 to recover its files, otherwise everything will be deleted after three days.
There’s still no way to get rid of malware after it has encrypted the files, so users should keep an updated backup of everything.
The best way of avoiding the consequences of ransomware is to maintain a good set of backups. Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times. (Ransomware may try to encrypt or damage backups on connected drives.)
Although the ransomware is only included with pirated apps for now, Apple must fix this security flaw as quickly as possible since this malicious code can be included in more apps.
You can read more technical details about EvilQuest on Malwarebytes’ website.
FTC: We use income earning auto affiliate links. More.