“EvilQuest”: macOS Users Facing A New Ransomware

Researchers have found traces of a ransomware strain named EvilQuest that exclusively targets Apple's macOS-based machines. The encrypting malware appears to be a unique strain, different from previous malware attacks on macOS or on any other operating system. Here’s everything you need to know about it:

What is EvilQuest?

EvilQuest, or OSX.EvilQuest, is a ransomware strain that is being bundled with pirated macOS applications. The ransomware threatens users’ control over their Mac as well as their access to files and folders. EvilQuest is installed on the Mac along with the pirated app it came with and then encrypts the victim’s files and folders, preventing access to them.

The new ransomware strain has one more feature that makes it even more dangerous. The researchers found that EvilQuest installs a keylogger on the system, which allows the attacker to track and record every keystroke the user types. Moreover, the strain also installs a reverse shell. A reverse shell establishes a remote connection from the victim’s Mac back to the attacker’s machine, giving the attacker total control over the computer.

Hence, even if you have paid the ransom, the attacker can continue to access your files and record your keystrokes, and so retains full control over the infected computer.

How was EvilQuest Discovered?

EvilQuest has been discovered in multiple software packages and installers, which makes it difficult to pinpoint the first attack. It is believed that the ransomware strain had been distributed for more than a month before its discovery.

(Image source: ZDNet)

One of the first sources of attack is linked to a pirated version of an app called Little Snitch. It is a firewall application designed for macOS users that offers them network protection. The app itself is highly regarded, but when you opt for a pirated version, you take on risks you did not bargain for.

The strain ships as a PKG installer file inside the pirated Little Snitch software package. The PKG file has a “post-install script” attached to it, which contains the alleged malware. Upon installation, the script is copied to a location on your Mac, /Library/LittleSnitch/CrashReporter. Some time later, the malware code activates and starts encrypting files.

EvilQuest is Thriving On Torrenting

The EvilQuest ransomware strain is thriving entirely on torrenting. Users often download software packages and applications through third-party app stores, online portals and torrent links to get a free premium version without actually buying the software. EvilQuest is mostly found attached to such downloads of software packages like Little Snitch.

Torrenting is always risky, and users tend to think they can dodge those risks by using a VPN service. However, when a ransomware threat is involved, no VPN can help. It is recommended not to use pirated versions of such software packages on Mac or on any other operating system.

How EvilQuest Works

Here’s a summary of how EvilQuest takes control of your Mac if you are attacked:

– Upon installation and activation of the malware code, the files and folders on the victim’s Mac are encrypted, followed by a warning regarding the encryption.

– The user is then directed to a ransom note on the desktop just like the one in the image below:

– A keylogger is installed, which gives the attacker the ability to record all keystrokes.

– A reverse shell then grants the attacker a connection with the infected Mac as well as the authority to run custom commands.

– The ransomware strain explicitly looks for files associated with cryptocurrency wallet applications, such as wallet.png, wallet.pdg, etc., thereby compromising the security of your crypto wallets.
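The article describes EvilQuest arriving as a PKG post-install script that copies itself to /Library/LittleSnitch/CrashReporter and activates some time later. The following is an added defender-side triage script, not code from the article or from any vendor: it walks a package tree expanded with `pkgutil --expand` (assumed layout: `<component>.pkg/Scripts/postinstall`), and flags install scripts that reference the reported drop path, copy files into /Library, or background/delay their own execution. The heuristic patterns and the two sample packages are constructed for illustration.

```python
"""Triage pre/post-install scripts of an expanded macOS .pkg (added example)."""
import re
import tempfile
from pathlib import Path

# Drop location reported in the article for the EvilQuest post-install script.
EVILQUEST_DROP_PATH = "/Library/LittleSnitch/CrashReporter"

# Assumption: a conservative starter set of heuristics, not an official signature.
SUSPICIOUS_PATTERNS = {
    "known_evilquest_path": re.compile(re.escape(EVILQUEST_DROP_PATH)),
    # cp/mv/install of something into /Library from an install script
    "copies_into_library": re.compile(r"\b(cp|mv|install)\b[^\n]*\s/Library/"),
    # nohup, trailing '&' or a sleep: delayed/backgrounded execution after install
    "backgrounded_exec": re.compile(r"(nohup\b|&\s*$|\bsleep\s+\d+)", re.M),
}
SCRIPT_NAMES = {"preinstall", "postinstall", "preflight", "postflight"}

def find_install_scripts(expanded_dir):
    """Return every pre/post install script under a `pkgutil --expand` tree."""
    root = Path(expanded_dir)
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name in SCRIPT_NAMES)

def scan_script(text):
    """Return the sorted names of the heuristics that match the script body."""
    return sorted(name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text))

def triage_package(expanded_dir):
    """Map each install script (path relative to the tree) to the heuristics it trips."""
    report = {}
    for script in find_install_scripts(expanded_dir):
        body = script.read_text(errors="replace")
        report[str(script.relative_to(expanded_dir))] = scan_script(body)
    return report

def build_demo_tree():
    """Constructed sample: one benign package and one mimicking the article's description."""
    base = Path(tempfile.mkdtemp())
    benign = base / "benign.pkg" / "Scripts"
    benign.mkdir(parents=True)
    (benign / "postinstall").write_text("#!/bin/sh\n/usr/bin/killall -HUP cfprefsd\nexit 0\n")
    trojan = base / "trojan.pkg" / "Scripts"
    trojan.mkdir(parents=True)
    (trojan / "postinstall").write_text(
        "#!/bin/sh\nmkdir -p /Library/LittleSnitch\n"
        'cp "$PWD/patch" /Library/LittleSnitch/CrashReporter\n'
        "chmod +x /Library/LittleSnitch/CrashReporter\n"
        "(sleep 600; /Library/LittleSnitch/CrashReporter) &\n"
    )
    return base

if __name__ == "__main__":
    for path, hits in triage_package(build_demo_tree()).items():
        print(f"{path}: {'CLEAN' if not hits else ', '.join(hits)}")
```

Run it against a real package with `pkgutil --expand suspect.pkg /tmp/suspect && python3 triage.py` after pointing `triage_package` at that directory; a hit is a reason to inspect the script by hand, not proof of infection.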

Which Files Does EvilQuest Encrypt?

Here is a list of file extensions that are encrypted by EvilQuest:

Use Smart Mac Care for Complete Mac Protection

To ensure that your Mac is free of any malware or privacy threat, you can use an efficient Mac optimization tool called Smart Mac Care. Smart Mac Care is a Mac cleaner and optimizer utility designed to keep your Mac in an optimal working state. The app consists of built-in modules that run automatic scans and detect malware traces as well as traces that jeopardize your privacy on your Mac.

Besides, the cleaner modules of Smart Mac Care help you remove cache and temporary logs along with unwanted files and applications, keeping your Mac’s drive running efficiently.

Smart Mac Care helps in:

– Remove malware via an automatic scan that finds traces and lets you delete them.

– Delete privacy-threatening traces found in your browser activity.

– Delete Cache and other Temp Logs.

– Optimize Mac response time and overall system speed. 

– Manage Login Items.

– Uninstall unused apps.

– Delete duplicates and files in the Other section of Mac storage.

– Manage Mac storage capacity. 

Here’s all you need to know about Smart Mac Care and its installation. 

Note: Once the encryption begins after installation, it becomes impossible to delete the malware. Hence, make sure to run a scan and detect possible traces of such malware before proceeding with a new installation.
