Ransomware: ransomware spreads via pirated software on Macs

New Mac ransomware, i.e. software for blackmailing users, is currently spreading through pirated apps offered on, among others, Russian platforms. This is reported by Malwarebytes and by Patrick Wardle on the Objective-See website. The new ransomware was initially named "EvilQuest", but was renamed "OSX.ThiefQuest" to avoid confusion with an existing game of that name. The twist of this ransomware for Apple computers: its script is hidden inside an installer package for a cracked app, so that to the user the installation looks like a normal one. Examples of cracked apps found carrying OSX.ThiefQuest are "Little Snitch" and "Mixed In Key".

The ransomware OSX.ThiefQuest comes to the Apple Mac when you download pirated apps from certain portals. You can read what is behind the ransomware here.

OSX.ThiefQuest - Incorrect installer with ransomware script

I never tire of saying here on the blog that you should download your apps only from the Mac App Store or directly from the developers. Software portals that hand you apps through unnecessary installers bundled with additional software, malware and the like are not recommended. Downloading pirated programs from dubious websites is especially not recommended. Not only is it illegal and harmful to developers, it also brings dangers that the untrained eye cannot recognize.

For example, Malwarebytes reports in the blog post linked above that the installer it downloaded for analysis, the pirated version of Little Snitch, already looked conspicuous once unzipped. Not only was it pointlessly packed inside a disk image, it also carried a generic package icon, whereas the official Little Snitch comes with a nicely designed one:

Analysis of this installer showed that there was definitely something strange going on. To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed. However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file.
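The check a practitioner would run before double-clicking such a package is to ask macOS who signed it. The following is an added example for this post, not code from Malwarebytes, Objective-See or the Little Snitch developers: on a Mac it shells out to Apple's `pkgutil --check-signature` and classifies the text it prints. The two sample outputs at the bottom are constructed so the parser can be exercised offline; the developer name and team ID in them are invented.

```python
"""Check a macOS installer package's signature before you run it.

Added example for this post (not code from Malwarebytes, Objective-See or
the Little Snitch developers). On a Mac it shells out to Apple's
`pkgutil --check-signature` and classifies the text it prints; the two
sample outputs at the bottom are constructed so the parser can be
exercised offline, and the developer name and team ID in them are made up.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional


@dataclass
class SignatureVerdict:
    signed: bool            # any signature present at all
    developer_id: bool      # leaf certificate is an Apple-issued Developer ID Installer cert
    signer: Optional[str]   # leaf certificate subject as printed by pkgutil, if any
    reason: str


def parse_pkgutil_output(text: str) -> SignatureVerdict:
    """Classify `pkgutil --check-signature` output.

    pkgutil prints a "Status:" line and, for signed packages, a numbered
    certificate chain. A package distributed outside the App Store should
    have a leaf of the form "Developer ID Installer: <Name> (<TEAMID>)".
    """
    status = re.search(r"^[ \t]*Status:[ \t]*(.+)$", text, re.MULTILINE)
    if status is None:
        return SignatureVerdict(False, False, None, "no Status line; unexpected pkgutil output")
    status_text = status.group(1).strip()
    if "no signature" in status_text:
        return SignatureVerdict(False, False, None, "package is not signed at all")
    leaf = re.search(r"^[ \t]*1\.[ \t]*(.+)$", text, re.MULTILINE)
    signer = leaf.group(1).strip() if leaf else None
    if signer is not None and signer.startswith("Developer ID Installer:"):
        return SignatureVerdict(True, True, signer,
                                "signed with an Apple-issued Developer ID Installer certificate")
    return SignatureVerdict(True, False, signer,
                            "signed, but not by a Developer ID Installer certificate: " + status_text)


def check_pkg(path: str) -> SignatureVerdict:
    """Run pkgutil against a real .pkg (macOS only) and classify the result.

    For a .pkg shipped inside a disk image, mount the image first
    (`hdiutil attach file.dmg`) and point this at the package inside it.
    """
    if shutil.which("pkgutil") is None:
        raise RuntimeError("pkgutil not found; this check only runs on macOS")
    proc = subprocess.run(["pkgutil", "--check-signature", path],
                          capture_output=True, text=True, check=False)
    return parse_pkgutil_output(proc.stdout + proc.stderr)


# Constructed sample outputs (the developer name and team ID are invented).
SAMPLE_SIGNED_OUTPUT = """Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2020-06-01 12:00:00 +0000
   Certificate Chain:
    1. Developer ID Installer: Example Software GmbH (ABCDE12345)
       Expires: 2025-01-01 00:00:00 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA
"""

SAMPLE_UNSIGNED_OUTPUT = """Package "Cracked Example.pkg":
   Status: no signature
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SIGNED_OUTPUT, SAMPLE_UNSIGNED_OUTPUT):
        print(parse_pkgutil_output(sample).reason)
```

A "no signature" verdict on an installer for a commercial app is reason enough to stop: a legitimate vendor's package names the vendor in the Developer ID leaf. A valid signature alone does not prove the contents are benign, only that the named developer signed them, so it complements, not replaces, downloading from the official source.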

My advice: Backups protect against ransomware consequences

This is what the pirated malware does on the Mac

Patrick Wardle also dissects the bogus installer and the ransomware it drops on the Objective-See website. The samples even contain anti-analysis checks, which he, as a professional, recognized and bypassed. His writeup also shows how, and to what extent, the data on the Mac's drive gets encrypted so that the user can be extorted for its return or decryption. The note the malware then displays reads:

Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service.
We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don't believe this statement).
Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there's a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included.
In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever.
Payment has to be deposited in Bitcoin based on Bitcoin / USD exchange rate at the moment of payment. The address you have to make payment is:
Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored.

Do you need to protect yourself against Mac ransomware?

The first source, Malwarebytes, is a provider of protection software that works much like an antivirus app, except that in addition to viruses it also finds other scripts and malware (trojans, adware, etc.). On the Objective-See website you will find two free programs, "BlockBlock" and "RansomWhere?", which, according to the summary of the linked article, detected OSX.ThiefQuest even though they had never seen this particular ransomware before. That is possible because they watch for behavior (new persistence entries, a process rapidly creating encrypted-looking files) rather than for known signatures.
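To make the behavior-based approach concrete, here is an added example for this post of the core heuristic behind a tool like RansomWhere?: flag a process that quickly writes several files whose contents look encrypted (high Shannon entropy), while ignoring formats that are high-entropy by nature such as archives and JPEGs. This is not RansomWhere?'s code and does not reproduce its exact rules; the thresholds, the event format and the sample write events are assumptions constructed for illustration, and the "ciphertext" is a deterministic SHA-256 chain standing in for real AES output.

```python
"""Behaviour-based ransomware heuristic in the spirit of Objective-See's
RansomWhere?: alert when one process writes several encrypted-looking
files within a short window.

Added example for this post; not RansomWhere?'s code. Thresholds, the event
format and the sample events below are constructed assumptions.
"""
import hashlib
import math
from collections import Counter, defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

ENTROPY_THRESHOLD = 7.5   # bits per byte; English text is ~4-5, good ciphertext ~7.99
WINDOW_SECONDS = 2.0      # how fast counts as "too fast" (assumed)
FILES_PER_WINDOW = 3      # encrypted-looking files per window that trip the alarm (assumed)

# Formats that are legitimately high-entropy and must not count (assumed list):
# zip, JPEG, PNG, gzip, PDF.
KNOWN_HIGH_ENTROPY_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"\x1f\x8b", b"%PDF")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte histogram (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """High entropy and not a known compressed/encrypted-by-design format."""
    if any(data.startswith(magic) for magic in KNOWN_HIGH_ENTROPY_MAGIC):
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


# A write event: (timestamp_seconds, pid, path, first bytes of the new content)
WriteEvent = Tuple[float, int, str, bytes]


def detect(events: Iterable[WriteEvent]) -> List[Tuple[int, float, List[str]]]:
    """Return (pid, timestamp, paths) for every burst in which one process
    wrote FILES_PER_WINDOW or more encrypted-looking files within WINDOW_SECONDS."""
    recent: Dict[int, Deque[Tuple[float, str]]] = defaultdict(deque)
    alerts: List[Tuple[int, float, List[str]]] = []
    for ts, pid, path, data in sorted(events):
        if not looks_encrypted(data):
            continue
        window = recent[pid]
        window.append((ts, path))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()          # drop writes older than the window
        if len(window) >= FILES_PER_WINDOW:
            alerts.append((pid, ts, [p for _, p in window]))
            window.clear()            # one alert per burst, then start counting again
    return alerts


def _pseudo_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic stand-in for AES output (a SHA-256 chain); not real encryption."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


# Constructed sample events: an editor saving text, a real archive landing in
# Downloads, then an unknown process (pid 777) overwriting documents and photos.
PLAINTEXT = b"Dear diary, nothing much happened today.\n" * 120
ZIP_LIKE = b"PK\x03\x04" + _pseudo_ciphertext(b"zip")
SAMPLE_EVENTS: List[WriteEvent] = [
    (0.0, 501, "/Users/me/Documents/notes.txt", PLAINTEXT),
    (0.5, 501, "/Users/me/Downloads/photos.zip", ZIP_LIKE),
    (10.0, 777, "/Users/me/Documents/thesis.docx", _pseudo_ciphertext(b"a")),
    (10.3, 777, "/Users/me/Documents/budget.xlsx", _pseudo_ciphertext(b"b")),
    (10.9, 777, "/Users/me/Pictures/IMG_0001.jpg", _pseudo_ciphertext(b"c")),  # JPEG header gone
    (11.2, 777, "/Users/me/Pictures/IMG_0002.jpg", _pseudo_ciphertext(b"d")),
    (40.0, 501, "/Users/me/Documents/notes2.txt", PLAINTEXT),
]

if __name__ == "__main__":
    for pid, ts, paths in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} t={ts}: {len(paths)} encrypted-looking files: {paths}")
```

Run stand-alone, it raises a single alert for pid 777 at t=10.9 with the first three overwritten files; the text saves and the zip archive never count. The magic-byte allowlist is what keeps a user unpacking a download from looking like an encryptor, and the third file in the burst (a JPEG whose header has been replaced by ciphertext) is exactly the kind of write such a tool keys on. A real tool would also pause the offending process and ask the user, which this example deliberately leaves out.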

But do you need this software as a "normal" user? Not necessarily: if you stick to legitimate download sources, you avoid the infection vector described here. Anyone who has to download questionable files, whether for research, to write for a tech blog or a trade magazine, or for security work in a company, can and should of course take precautions. What is your approach? Do you stick to official sources for downloads, or do you wander off the beaten track and therefore need protective software? Feel free to leave a comment ;)


2 thoughts on “Ransomware: Ransomware spreads via pirated software on Macs”

  1. Hello
    Mac software only from the App Store? How does that work? There is a variety of legal software that is sold directly. Am I wrong, or isn't it that bad anyway when you have a backup? For example, I use CCC to mirror my entire hard drive to an external one every day, and I also use Time Machine. If someone were to blackmail me, I would immediately erase the internal hard drive completely and use the copies. Is there still a risk?

    1. Hello! Yes, App Store only is difficult. That's why the article also says "or directly from the developer". In principle, the backups are already very good, but as soon as the backups are attached to the Mac and the malware is active, it can also change the backups. That's why I would always unplug the 1:1 CCC backup as soon as it is finished, for example. That way no software can tamper with it... Kind regards!


In the Sir Apfelot Blog you will find advice, instructions and reviews on Apple products such as the iPhone, iPad, Apple Watch, AirPods, iMac, Mac Pro, Mac Mini and Mac Studio.