Skip to main content

Mac 'EvilQuest' ransomware can steal your data — what to do [updated]

MacBook Pro 16-Inch
(Image credit: Tom's Guide)

Updated July 8 with availability of a ransomware decryptor, plus new evidence about the ransomware's true intentions. This story was initially published July 1, 2020.

Several security researchers are warning of a new type of Mac ransomware that doesn't charge much, but may also be secretly pilfering files from unsuspecting users.

The EvilQuest ransomware, discovered by K7 Lab’s Dinesh Devadoss on Monday (July 29) and subsequently examined by cybersecurity firm Malwarebytes, among others, seems to be circulating on torrent forums where pirated software is often found. (It's not clear who came up with the EvilQuest name.)

“A post offered a torrent download for Little Snitch, and was soon followed by a number of comments that the download included malware,” explained Thomas Reed of Malwarebytes in a blog post yesterday (June 30). “In fact, we discovered that not only was it malware, but a new Mac ransomware variant spreading via piracy.”

Tricking victims

The version of EvilQuest that Reed saw was masquerading as a legitimate torrent installer for Little Snitch, an app that provides network-monitoring capabilities for MacOS. 

Reed said that while LittleSnitch was normally “attractively and professionally packaged,” this version was instead "a simple Apple installer package with a generic icon."

However, it did contain a working installation of LittleSnitch, packaged alongside a shell script that loads and executes the EvilQuest malware.

EvilQuest has also been found in installers for other apps. Devadoss found it masquerading as Google Software Update, while Mac security researcher Patrick Wardle found it in the DJ app Mixed in Key. Reed himself noticed one version mimicking music-making software Ableton Live.

Debugging capabilities 

As soon as the installer has been downloaded and executed, the malware begins infecting the victim’s device. Like many recent malware strains, EvilQuest is even able to find out if it’s running on a virtual device or if debugging tools are running. 

The malware can also detect whether an infected device is using anti-malware applications from companies like Kaspersky and security apps such as Little Snitch, as per a report by Bleeping Computer.

Reed warned: “Once the infection was triggered by the installer, the malware began spreading itself quite liberally around the hard drive.”

Next, the malware will find out the details of the command and control server via http://andrewka6.pythonanywhere[.]com/ret.txt so that it can download and then encrypt files from an infected device. 

Bitcoin ransom fee

To regain access to the encrypted files, victims are asked to pay a ransom of $50 in bitcoins -- a pittance compared to the large sums ransomware crooks often demand -- and have a timeframe of 72 hours. Unfortunately, there's no way to contact the crooks after the ransom has been paid so that your files will be freed.

Bleeping Computer's Lawrence Abrams thinks the ransomware part -- which "didn't work very well," according to Malwarebytes' Reed -- may just be a ruse. 

Abrams dipped into the code and discovered that EvilQuest plunders the Users folder on a Mac, looking for images, PDFs, backup files, databases, cryptocurrency wallets and Word, Excel and PowerPoint files. The malware then exports copies of those files, as long as they're under 800KB in size, to its command-and-control server.

To avoid infection by EvilQuest, or indeed any Mac malware, be sure to run one of the best Mac antivirus programs. It probably wouldn't hurt to also install Wardle's RansomWhere utility, which is free (although Wardle does accept donations). 

Reed recommended backing up your files to have spares on hand in case ransomware does attack.

“The best way of avoiding the consequences of ransomware is to maintain a good set of backups," he wrote in the Malwarebytes blog post. "Keep at least two backup copies of all important data, and at least one should not be kept attached to your Mac at all times. (Ransomware may try to encrypt or damage backups on connected drives.)"

“I personally have multiple hard drives for backups. I use Time Machine to maintain a couple, and Carbon Copy Cloner to maintain a couple more. One of the backups is always in the safe deposit box at the bank, and I swap them periodically, so that worst case scenario, I always have reasonably recent data stored in a safe location.”

Update: EvilQuest/ThiefQuest decryption tool

Security firm SentinelOne has created a decryption tool for Macs attacked by the EvilQuest ransomware, now renamed "ThiefQuest" by many researchers and organizations because there was already an online game called EvilQuest (which does look pretty fun).

Meanwhile, Malwarebytes' Thomas Reed now agrees with Bleeping Computer's assessment that EvilQuest/ThiefQuest is actually an information-stealer masquerading as ransomware to disguise its true intentions. 

Reed noticed that the malware appears to have characteristics of a "wiper" that erases parts or all of a hard disk to cover its tracks. He also cited fellow researcher Patrick Wardle by noting that EvilQuest/ThiefQuest also resembles a true virus in that it changes the code of legitimate applications in order to propagate itself.

A true virus is "something that has not been seen on Macs since the change from System 9 to Mac OS X 10.0," Reed wrote in a blog post July 7.