Thu, 02 Jul 2020 11:17:37
RakitAplikasi.com/en - New Mac ransomware has been discovered by researchers at Malwarebytes. According to reports, it is a variant of the "EvilQuest" ransomware, which spreads through pirated Mac applications.
The team found the ransomware after Twitter user @beatsballert messaged them about a pirated copy of the Little Snitch application on a Russian forum that distributed torrent links. Analyzing the installer, researchers at Malwarebytes found that it was not just malware but new ransomware.
Just by looking at the installer, the team was suspicious because it used a generic installer package. Unexpectedly, the package did install the actual Little Snitch, but alongside it, it installed an executable file called "Patch" and a post-install script. Although installers commonly include post-install scripts, here the script was bundled with malware.
After the script runs, the "Patch" file quickly moves to a different location and calls itself "CrashReporter", which is the name of a known macOS process. From there, it injects itself into several other areas. The team noted that some applications stopped functioning; however, the ransomware mainly encrypts Keychain files and other data files. It then asks the user to pay $50 to unlock the files.
Of course, paying the $50 fee does not remove the malware, but interestingly, there are no clear instructions on how to pay the ransom in the first place. According to the report, the malware sometimes installs a keylogger too; however, its function is unknown. Malwarebytes detects the malware as "Ransom.OSX.EvilQuest", and infected files can be recovered from a previous backup.
We advise users to avoid pirated applications for Mac because they can carry ransomware or other similar malware.