New Mac Ransomware Appears in Pirated Applications

In recent days a new ransomware called EvilQuest has been found hiding inside pirated applications. The malware encrypts the files on the computer so that they cannot be accessed unless a ransom is paid, at least in theory.

Ransomware, the malware that demands a ransom

Ransomware is a malicious program that "hijacks" the files on a computer and demands a ransom before the user can get them back. Before showing the ransom note, the ransomware encrypts everything it can reach with a random key, without which the files cannot be recovered.

EvilQuest is the latest ransomware variant capable of affecting Macs that Malwarebytes has reported. The discovery traces back to a Russian forum where a pirated (free) copy of the Little Snitch app was being offered.

The pirated application comes in a generic installer that, in addition to installing Little Snitch, drops a small executable called Patch in /Users/Shared together with a post-install script that activates the malware. The script moves the Patch file to a new location and renames it CrashReporter, a name that looks ordinary on a Mac. From there, the malware installs itself in several places on the computer.

The ransomware is able to encrypt a large number of files, including configuration files and keychain files, which leaves the Keychain inaccessible and makes the Finder throw errors constantly. After the attack it demands $50 to decrypt the files, although, according to Malwarebytes, the files are not decrypted even when the ransom is paid.

As if that were not enough, the malware also installs a keylogger, a small component that records every keystroke on the computer. That gives the attacker access to passwords, banking details and other information, although at this point it is not known what is done with the data.

Is my Mac safe?

Faced with this kind of attack, what can we do? Everything. The security of our computer depends on how we use it. This class of malicious application cannot affect a computer without the user's consent. Here, consent means downloading an application from an untrusted source and, most importantly, entering the administrator password during installation, at which point the ransomware meets little resistance.

The precautions are simple. The first and most important is to never install apps except from trusted sources such as the App Store or the websites of trusted companies (Adobe, Microsoft, etc.). The second is to keep a backup of your data; Time Machine is particularly useful here, ideally on a disk that is not permanently connected to the Mac.
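The following shell script is an added example and is not code from the article, from Malwarebytes or from Little Snitch. It turns the installer behaviour described above (a Patch binary in /Users/Shared that a post-install script moves and renames to CrashReporter) into two checks: one that reads a .pkg's install scripts before you type your administrator password, and one that looks for the leftovers on a machine that may already have run such an installer. The pkgutil invocation is macOS-specific; the /Library/Demo path mentioned in the comments and the sample package used to try it are constructed assumptions, and every match is a candidate for manual review rather than a verdict.

```shell
#!/bin/sh
# Added example, not code from the article or from Malwarebytes.
# Two checks for the dropper pattern described in the article: a package
# installer whose postinstall script stages a binary under /Users/Shared and
# renames it "CrashReporter". Both scanning functions take a directory so they
# can be run against a scratch tree. The indicator strings come from the
# article; any "/Library/Demo" path in comments or tests is constructed.

PATTERN='/Users/Shared|CrashReporter'

# expand_pkg PKG DIR: unpack a flat .pkg with pkgutil (macOS only) so its
# Scripts/ directories can be read before anything is executed.
expand_pkg() {
    command -v pkgutil >/dev/null 2>&1 || { echo "pkgutil not found (not macOS?)" >&2; return 2; }
    pkgutil --expand "$1" "$2"
}

# scan_expanded_pkg DIR: list every preinstall/postinstall script under an
# expanded package and return 1 if any of them mentions the indicators.
# Run this *before* typing an admin password into the installer.
scan_expanded_pkg() {
    hits=$(find "$1" -type f \( -name preinstall -o -name postinstall \) \
               -exec grep -lE "$PATTERN" {} + 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r script; do
        echo "== suspicious installer script: $script"
        grep -nE "$PATTERN" "$script"
    done
    return 1
}

# audit_host ROOT: look for the on-disk traces the article describes under
# ROOT ("/" on a live Mac). Returns 1 if anything matched. Matches are
# candidates for manual review, not a verdict: a third-party launchd job may
# legitimately reference /Users/Shared.
audit_host() {
    root=${1:-/}
    found=0
    # 1. the staging file the installer drops
    if [ -f "$root/Users/Shared/Patch" ]; then
        echo "staging file present: $root/Users/Shared/Patch"
        found=1
    fi
    # 2. executables named CrashReporter in user-writable locations
    execs=$(find "$root/Library" "$root/Users" -type f -name CrashReporter \
                 -perm -100 2>/dev/null || true)
    if [ -n "$execs" ]; then
        printf 'unexpected CrashReporter executable(s):\n%s\n' "$execs"
        found=1
    fi
    # 3. launchd persistence that points at either indicator
    plists=$(find "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons" \
                  "$root"/Users/*/Library/LaunchAgents -name '*.plist' \
                  -exec grep -lE "$PATTERN" {} + 2>/dev/null || true)
    if [ -n "$plists" ]; then
        printf 'launchd job(s) referencing indicators:\n%s\n' "$plists"
        found=1
    fi
    return $found
}
```

On a Mac you would run `expand_pkg Installer.pkg /tmp/expanded && scan_expanded_pkg /tmp/expanded` before installing anything downloaded from outside the App Store, and `audit_host /` from an administrator shell to review a machine afterwards. The scan only greps for the two strings the article names, so it is a quick triage step, not a replacement for an anti-malware scan.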


App piracy, that is, using paid apps for free, is a practice in decline, but it is still the main route by which malware gets onto devices.