New EvilQuest Ransomware targets macOS-powered Apple PCs and laptops


Researchers discover EvilQuest ransomware for Apple PCs and laptops that encrypts macOS systems, steals data and installs a keylogger

The post-coronavirus-pandemic world seems to belong to ransomware operators. Ever since the coronavirus pandemic spread, we have been hearing about one new ransomware being discovered every month. The latest to join the bandwagon is a macOS-focused ransomware called EvilQuest.

The EvilQuest ransomware, aka OSX.EvilQuest, seems to have originated in Eastern Europe/Russia and targets macOS-powered MacBooks and Apple Macs. The ransomware payload is delivered through infected torrents. Once the payload is downloaded and executed, it encrypts the entire macOS file system, steals data, installs a keylogger and also executes a reverse shell, handing full control of the victim's macOS PC/laptop to the EvilQuest operators. The primary macOS file types that are encrypted are .pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat.

According to ZDNet, the ransomware encryption could be solved within weeks, as many security researchers, like Thomas Reed, Director of Mac & Mobile at Malwarebytes, and Phil Stokes, macOS security researcher at SentinelOne, are researching it.

The EvilQuest ransomware package was first spotted by K7 Lab security researcher Dinesh Devadoss, who tweeted about it.

The EvilQuest ransomware seems to have been in the distribution pipeline since the start of June 2020. Devadoss spotted EvilQuest hidden in a software package called Google Software Update, while Reed from Malwarebytes found it hidden in a macOS security tool called Little Snitch being distributed through torrents.

Like other ransomware, EvilQuest leaves a simple text file titled READ_ME_NOW.txt in each folder, warning the user about the ransomware infection and demanding a ransom of $50 for decrypting the files. The readme demands that the victim pay the money within 3 days. EvilQuest seems to target small Apple users, unlike big ransomware such as REvil and Maze.
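The note name and the extension list reported above are enough for a first triage pass over a home directory or a mounted backup. The following Python script is an added example, not code from the researchers quoted here; the function name `triage` and the report layout are assumptions, and a note in a folder only flags it for inspection, it does not prove which files were encrypted.

```python
import os
import sys
from pathlib import Path

# Indicators taken from the article: ransom note name and targeted extensions.
NOTE_NAME = "READ_ME_NOW.txt"
TARGETED_EXTS = set(
    ".pdf .doc .jpg .txt .pages .pem .cer .crt .php .py .h .m .hpp .cpp .cs "
    ".pl .p .p3 .html .webarchive .zip .xsl .xslx .docx .ppt .pptx .keynote "
    ".js .sqlite3 .wallet .dat".split()
)

def triage(root):
    """Walk root and separate folders that hold the ransom note from the rest.

    Returns the note-bearing folders plus counts of targeted-type files inside
    and outside those folders, so responders can judge how far the note spread.
    """
    note_dirs, in_note_dirs, elsewhere = [], 0, 0
    note_key = NOTE_NAME.casefold()  # default macOS volumes are case-insensitive
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        has_note = any(f.casefold() == note_key for f in files)
        targeted = [
            f for f in files
            if f.casefold() != note_key              # the note itself is a .txt
            and Path(f).suffix.lower() in TARGETED_EXTS
        ]
        if has_note:
            note_dirs.append(dirpath)
            in_note_dirs += len(targeted)
        else:
            elsewhere += len(targeted)
    return {
        "note_dirs": sorted(note_dirs),
        "targeted_in_note_dirs": in_note_dirs,
        "targeted_elsewhere": elsewhere,
    }

if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for d in result["note_dirs"]:
        print("ransom note found in:", d)
    print("targeted-type files in note folders:", result["targeted_in_note_dirs"])
    print("targeted-type files elsewhere:", result["targeted_elsewhere"])
```

Run it against a read-only mount or a backup copy where possible, so the scan itself does not change timestamps on evidence.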

ZDNet says that EvilQuest is the third ransomware strain that has exclusively targeted macOS users after KeRanger and Patcher.

