But you have to make sure that you disconnect the backup medium from your computer afterwards, as otherwise the backup will be encrypted by the ransomware too!įor Mac users who take their chances by running software from potentially risky sources, the importance of running effective, independently tested and certified antivirus software for macOS becomes apparent. Paying ransomware authors to decrypt your files is always a lottery at the best of times, but in most cases, it seems more or less certain that the encrypted data is lost forever, even if you do pay up.ĭo a backup, don’t pay the ransom! The best option is to run a backup frequently. Even then, it will only infect the Mac if the security warnings from macOS are blindly clicked through.
It appears that infections have only occurred when users have downloaded compromised installers for cracked versions of legitimate applications, such as Little Snitch and Mixed in Key8, via torrenting services. As a standalone installer, it will now be blocked by the built-in security mechanisms in macOS, assuming these have access to Apple’s cloud services. The good news about EvilQuest is that it’s pretty difficult to get infected.
It appears that it may not run on virtual machines – frequently used for malware analysis – or if specific Mac antivirus programs are installed on the system. EvilQuest’s authors seem to have made an effort to prevent malware researchers analysing the program. Finally, it will attempt to exfiltrate specific files relating to cryptocurrency wallets, in an attempt to steal more money. It installs a keylogger, to record the victim’s every keystroke, and connects the targeted system to a command and control centre, enabling the attackers to run further commands. Worse still, EvilQuest / ThiefQuest has some other nasty tricks in its box. Although the ransom note provides a BitCoin address for payment, there is no apparent means for victims to contact the attackers or prove that they have paid. However, it transpires that it’s especially nasty. Known as EvilQuest / ThiefQuest, it appears at first glance to be a fairly standard ransomware program that encrypts user files and demands payment in return for a decryption key. On 29 th June, K7 security researcher Dinesh Devadoss tweeted about the discovery of a new macOS ransomware program.
EvilQuest / ThiefQuest ransomware is now blocked by all the Mac AV products certified by AV-Comparatives in 2020: Avast, AVG, Avira, Bitdefender, CrowdStrike, FireEye, Kaspersky, and Trend Micro. Ransomware for macOS shows the importance of using independently tested Mac antivirus software.
0 kommentar(er)
