This week security researchers discovered a MacOS hack that is encrypting user files and holding them for ransom. This is what it is and how you can avoid it.
Ransomware attacks on Macs are rare, particularly compared to its PC counterparts. But they can happen. And this week malware researcher Dinesh Devadoss found that one titled OSX.EvilQuest is currently doing the rounds.
This is the third time that MacOS ransomware has been discovered over the past four years.
According to Apple Insider, EvilQuest can encrypt a users files and install a keylogger to record keystrokes and a reverse shell to customer commands can be executed on the machine. It can also install a code that that targets cryptocurrency wallets.
Devadoss has found that EvilQuest impersonates a Google software update. Director of Mac & Mobile at Malwarebytes, Thomas Reed, told ZDNet that once the malware is executed the encryption begins immediately.
After encryption, the ransomware adds a marker BEBABEDD to the EOF. pic.twitter.com/R610lXkfZ1
— Dinesh_Devadoss (@dineshdina04) June 29, 2020
Once the execution is finished, the user is delivered a pop up that reveals that their files have been encrypted. It also directs the user to a ransom note on their desktop, which takes the form of a plain text file.
The notes demands that $US50 be delivered to the hackers in bitcoin within 72 hours of the encryption taking place.
Principal Security Researcher at Jamf, Patrick Wardle, has done a deep dive into the EvilQuest hack here.
According to ZDNet, EvilQuest will encrypt any files with the following extensions: .pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat.
In regards to cryptocurrency wallets, it will target file types such as wallet.pdf, wallet.png, key.png and *.p12.
MacOS Ransomeware – How To Avoid
According to malware experts, it seems that the EvilQuest MacOS hack is circulating thanks to pirated software. As per Apple Insider, it has been found in pirated versions of Mixed In Key (a DJ app) as well as Little Snitch, a security program.
However, this doesn’t mean it hasn’t be hidden in other yet-to-be-found pirated software.
So the best course of action is to avoid downloading pirated versions of stuff. Instead, consider going legit and actually paying developers for the products.