A new macOS ransomware called EvilQuest is reportedly doing the rounds, spread largely through pirated macOS apps. A Mac infected with EvilQuest suffers multiple problems, including the repeated crashing of the Finder. Most significantly, the ransomware also holds your data hostage: it encrypts files and demands $50 from the user to unlock them.
“Maybe you are busy looking for a way to recover your files,” reads an on-screen notification. “Do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid for 3 days (starting now!)”
Details of the EvilQuest ransomware were published by Malwarebytes Labs. The blog post notes that the ransomware installer was first spotted on a Russian forum for sharing torrent links. It was disguised as the Little Snitch app, but delivered as a PKG installer, which the legitimate version does not use. That packaging difference is itself a useful check: before running any downloaded installer, pkgutil --check-signature on a .pkg (or codesign -dv --verbose=4 on an .app) shows whether it carries a valid developer signature, and an unsigned package for a product that is normally signed is a warning sign.
Once installed, the malware copies itself to several locations on the user's hard drive. After a delay of several days it activates and begins encrypting files. As Malwarebytes notes:
“The malware wasn’t particularly smart about what files it encrypted … It appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in post-encryption.”
The blog post notes that it is not yet clear how strong the encryption is or whether it can be reversed. As the EvilQuest message makes clear, users are told that paying the ransom is the only way to decrypt their files. “It’s possible that further research could lead to a method for decrypting files, and it’s also possible that won’t happen,” the blog post notes.
The best solution is good backups
As ever, the best course of action to protect yourself is a proactive one. Keep multiple backups of important data, including at least one that is not permanently attached to your Mac: a backup drive that is always mounted is just another writable volume to ransomware, and it can be encrypted along with everything else. Keep a copy offline or detached between backups, and periodically check that the backup still contains what you think it does rather than assuming it is intact. With proper backups, ransomware is a nuisance rather than a disaster. While it might be annoying to wipe your hard drive and restore from a backup, it is certainly preferable to the alternative, and the same backups protect you against non-ransomware problems such as drive failure or theft.
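The point about checking a backup rather than trusting it can be made concrete. The following is an added example, not code from the article or from Malwarebytes: it builds a SHA-256 manifest of a source folder, verifies a backup copy against that manifest, and flags any changed file whose contents have become a high-entropy blob, which is what a file looks like after ransomware has encrypted it. The folder layout, the sample files, the entropy threshold of 7.5 bits per byte and the keystream used to imitate encryption are all constructed here for the demonstration.

```python
"""
Backup integrity check with a ransomware-style tamper detector.
Added example: builds a hash manifest of a source tree, verifies an offline
copy against it, and flags changed files that now look encrypted.
"""
import hashlib
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: plain text and most documents sit well below this,
# ciphertext and compressed data sit close to 8 bits per byte.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest.
    The manifest should be stored with the offline copy, not on the machine being protected."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup tree against the manifest.
    Returns files that are missing, files whose hash changed, and the subset of
    changed files whose contents are now high-entropy (likely encrypted)."""
    report = {"missing": [], "changed": [], "suspicious": []}
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != digest:
            report["changed"].append(rel)
            if shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
                report["suspicious"].append(rel)
    return report


def _keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for ransomware encryption, constructed for the demo only:
    SHA-256 in counter mode as a keystream. Its output is high-entropy like any
    ciphertext, and deterministic so the demo is repeatable."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def demo() -> tuple:
    """Build a constructed source tree and backup, then show a clean check
    followed by a check after the backup has been tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Documents"
        backup = Path(tmp) / "backup"
        src.mkdir()
        (src / "sub").mkdir()
        # Constructed sample files standing in for a user's documents.
        (src / "notes.txt").write_text("meeting notes\n" * 300)
        (src / "report.txt").write_text("quarterly figures look fine\n" * 150)
        (src / "sub" / "todo.txt").write_text("buy milk\n" * 100)

        manifest = build_manifest(src)
        shutil.copytree(src, backup)
        clean = verify_backup(manifest, backup)   # expected: nothing to report

        # Simulate what happens to a backup that stayed attached: one file
        # encrypted, one deleted, plus a benign edit that should not be flagged.
        target = backup / "report.txt"
        target.write_bytes(_keystream_xor(target.read_bytes(), b"demo-key"))
        (backup / "sub" / "todo.txt").unlink()
        with (backup / "notes.txt").open("a") as f:
            f.write("one more line\n")
        tampered = verify_backup(manifest, backup)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean backup:", before)
    print("tampered backup:", after)
```

A changed file is not by itself a problem (the benign edit to notes.txt shows up as changed but not suspicious); what matters is the combination of many changed files whose contents have turned to noise, plus files that have gone missing. Run the check against the detached copy before you rely on it for a restore.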
Oh, yes, and maybe steer clear of pirate apps from suspect locations, too!