Mac users are now being targeted by new ransomware called “EvilQuest”, which encrypts files and causes multiple problems for the operating system. Malwarebytes analyzed the ransomware today; it is being distributed through pirated macOS applications.
The malicious code was originally found in a pirated copy of the Little Snitch application, shared on a Russian forum via a torrent link. The downloaded application comes with a PKG installer file that differs from the one shipped with the original version.
Examining the PKG file, Malwarebytes found that the application ships with a “post-install script”, which is normally used to clean up after an installation completes. In this case, however, the script installs the malware on macOS.
The script copies a file into a folder associated with Little Snitch under the name CrashReporter. Since macOS has a built-in process with a similar name, users are unlikely to notice it running in Activity Monitor. The file is placed at /Library/LittleSnitchd/CrashReporter.
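The two facts above, a lookalike file at a fixed path and an installer post-install script that drops it, are both things an administrator can check for. The script below is an added example written for this article; it is not code from 9to5Mac or from Malwarebytes. The install path is the one reported in the article; the function names, the optional root-directory argument and the temp-directory handling are my own. It checks a system (or a mounted image) for the dropper file, looks for a process executing from the lookalike directory, and extracts the postinstall script from a flat .pkg so it can be read before the package is installed.

```shell
#!/bin/sh
# Added example (not from the article or from Malwarebytes): defensive checks
# for the EvilQuest dropper described above. The install path comes from the
# article; function names and the temp-directory handling are my own.

EVILQUEST_PATH="/Library/LittleSnitchd/CrashReporter"   # path reported in the article
EVILQUEST_DIR="/Library/LittleSnitchd"

# Return 0 if the dropper file exists under ROOT (default: the live system).
# ROOT lets the same check run against a mounted disk image or a test directory.
evilquest_indicator_present() {
  root="${1:-}"
  [ -e "${root}${EVILQUEST_PATH}" ]
}

# Return 0 if any running process executes from the dropper's directory.
# On macOS, `ps -o comm` prints the full executable path, so the genuine
# system CrashReporter does not match; only the lookalike path does.
evilquest_process_running() {
  ps -axo pid=,comm= 2>/dev/null | grep -F -- "$EVILQUEST_DIR/" >/dev/null
}

# Print the postinstall script(s) of a flat .pkg so they can be reviewed
# before installation (macOS only: needs pkgutil). In a package expanded with
# `pkgutil --expand`, the Scripts entry is a gzip-compressed cpio archive;
# if it was expanded to a directory instead, it is searched directly.
show_postinstall_scripts() {
  pkg="$1"
  work=$(mktemp -d) || return 1
  if ! pkgutil --expand "$pkg" "$work/expanded"; then
    rm -rf "$work"; return 1
  fi
  find "$work/expanded" -name Scripts | while read -r scripts; do
    if [ -d "$scripts" ]; then
      find "$scripts" -name postinstall -exec sh -c 'echo "== $1"; cat "$1"' _ {} \;
    else
      mkdir -p "$work/unpacked"
      ( cd "$work/unpacked" && gunzip -c "$scripts" | cpio -idm 2>/dev/null )
      find "$work/unpacked" -name postinstall -exec sh -c 'echo "== $1"; cat "$1"' _ {} \;
      rm -rf "$work/unpacked"
    fi
  done
  rm -rf "$work"
}

# Command-line use:  sh evilquest_check.sh --scan        (check the running system)
#                    sh evilquest_check.sh --pkg x.pkg   (review a package before installing)
case "${1:-}" in
  --scan)
    if evilquest_indicator_present; then echo "EvilQuest indicator present: $EVILQUEST_PATH"; fi
    if evilquest_process_running; then echo "process running from $EVILQUEST_DIR"; fi
    ;;
  --pkg)
    show_postinstall_scripts "$2"
    ;;
esac
```

The path check is a point indicator and only catches this particular dropper; the package review is the more general habit, since any installer's post-install script runs with the privileges of the install and deserves a look before a package from an untrusted source is run.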
Malwarebytes pointed out that the ransomware waits some time after installation before it starts running, so users will not associate it with the newly installed application. Once the malicious code activates, it modifies system and user files using an unknown encryption scheme.
Part of the encryption causes Finder to stop working properly, and the system crashes repeatedly. Even the system keychain is damaged, so passwords and certificates saved on the Mac can no longer be accessed. A message appears on screen prompting the user to pay $50 to restore their files; otherwise, all content will be deleted after three days.
After it encrypts files, the malware cannot be eliminated, so users should keep up-to-date backups of all their content.
The best way to avoid the consequences of ransomware is to maintain a good set of backups. Keep at least two backup copies of all important data, and do not keep all of them connected to your Mac at all times; at least one copy should stay disconnected. (The ransomware may try to encrypt or damage backups on a connected drive.)
Although the ransomware is currently found only in pirated applications, Apple must fix this security hole as soon as possible, because the malicious code could be bundled into more applications.
You can read more technical details about EvilQuest on the Malwarebytes website.
Check out 9to5Mac on YouTube for more Apple news: