New Mac Ransomware Found in Pirated Mac Apps

MacRumors

macrumors bot
Original poster
Apr 12, 2001
48,665
10,093


There's a new 'EvilQuest' Mac ransomware variant that's spreading through pirated Mac apps, according to a new report shared today by Malwarebytes. The new ransomware was found in pirated download for the Little Snitch app found on a Russian forum.


Right from the point of download, it was clear that something was wrong with the illicit version of Little Snitch, as it had a generic installer package. It installed the actual version of Little Snitch, but it also installed an executable file named "Patch" into the /Users/Shared directory and a post-install script for infecting a machine.

The installation script moves the Patch file into a new location and renames it CrashReporter, a legitimate macOS process, keeping it hidden in Activity Monitor. From there, the Patch file installs itself in several spots on the Mac.

The ransomware encrypts settings and data files on the Mac, like Keychain files, resulting in an error when attempting to access the iCloud Keychain. The Finder also malfunctioned after installation, and there were problems with the dock and other apps.

Malwarebytes found the ransomware to work poorly and was not able to get instructions on paying the ransom, but a screenshot found on the forums where the malicious software originated suggests it's meant to prompt users to pay $50 to recover access to their files. Note: anyone infected with this ransomware or any ransomware should not pay the fee, because it does not remove the malware.

Along with the ransom activity, the malware may also install a keylogger for monitoring keystrokes, but what the malware does with the functionality is unknown. Malwarebytes says that its software for Mac is able to remove the ransomware, detected as Ransom.OSX.EvilQuest. Encrypted files will require a restore from a backup, though.

Similar ransomware was found in other pirated apps, and Mac users can avoid it by staying away from pirated apps and untrustworthy websites and forums that offer illicit downloads.

Article Link: New Mac Ransomware Found in Pirated Mac Apps
 
  • Love
Reactions: Hastings101

Apple Macintosh 128K

macrumors newbie
Jun 16, 2020
29
69
Stick to legit apps from legit services and you'll be fine. Also keep an eye to make sure the apps are properly signed.

To have this happen you have to bypass macOS security and allow the non-signed installer run. It's like giving the keys to your house to some questionable person on the street and then being surprised when they take your stuff.
 

saudor

macrumors 6502a
Jul 18, 2011
775
539
Reminds me of the wannacry garbage from before. except that one asked for a much larger amount of money
 

posguy99

macrumors 65816
Nov 3, 2004
1,164
672
in any case, if this happens to you, a 2 step procedure will save the day:
- boot into internet recovery (can't be sure if the on-disk recovery data is compromised)
- reinstall from timecapsule
You don't expect someone on the level to be caught by this to actually be making backups, do you?
- - Post merged: - -

So people that can afford a mac yet can't afford an app?
Have you never before met one of the Entitled? "Afford" doesn't have anything to do with it.
 

swm

macrumors 6502
May 29, 2013
271
365
You don't expect someone on the level to be caught by this to actually be making backups, do you?
well, bad things can happen to anyone. we're lucky to have good tools at hand to recover from a mess like this. ransomware can be delivered to your computer not just by pirated apps. there are quite some open source software out there - and sometimes their download sites get compromised. so you'll get legitimate stuff infected with malicious code and the effect is just the same.
 

itsmilo

macrumors 68040
Sep 15, 2016
3,172
6,771
Europe
So people that can afford a mac yet can't afford an app?
my uncle is a Director with a new BMW what feels like every other year and he is too cheap paying 99 cent for iCloud storage and then loves to complain about his iPhone always being full. He also rips songs from YouTube instead of just getting Spotify. Drives me nuts. People are especially entitled when it comes to digital goods that you can’t touch
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.