Mac users are being targeted by a new ransomware, dubbed "EvilQuest", that encrypts files and causes further damage to the operating system. Malwarebytes published an analysis of the ransomware today; it is being distributed inside pirated macOS apps.
The malicious code was first found in a pirated copy of the Little Snitch app offered on a Russian forum through torrent links. The pirated download ships as a PKG installer file, unlike the official version.
On examining the PKG, Malwarebytes found that it carries a "post-installation script". Such scripts are normally used to clean up at the end of an installation; in this case, the script is what installs the malware on macOS.
The malware is copied into a folder named after Little Snitch under the name CrashReporter, so a user is unlikely to notice it running in Activity Monitor, since macOS has a built-in process with a similar name. The path used is /Library/LittleSnitchd/CrashReporter.
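The trick described above relies on the installer's own scripts, which you can read before running the PKG. The following shell script is an added example, not code from the article or from Malwarebytes: it expands a PKG with the macOS `pkgutil` tool, scans its preinstall/postinstall scripts for the kind of actions seen here (copying a binary into /Library, persistence, marking files executable, backgrounding), and checks for the CrashReporter path named above. The grep patterns are assumed heuristics, and the sample scripts in the usage comments are constructed.

```shell
#!/bin/sh
# Added example (not from the article or the Malwarebytes report): audit the
# installer scripts inside a macOS PKG before running it, and check for the
# CrashReporter path the article names. The grep heuristics are assumptions.

# Expand a flat .pkg into a directory so its Scripts/ can be read.
# macOS only: relies on the pkgutil tool shipped with the OS.
expand_pkg() {
  pkgutil --expand "$1" "$2"
}

# Scan every preinstall/postinstall script under an expanded PKG tree.
# Prints matching lines; returns 1 if anything looks suspicious, 0 if clean.
audit_pkg_scripts() {
  dir="$1"
  # grep exits 1 on no match, so "|| true" keeps the assignment from failing
  # under "set -e" when the installer scripts are clean.
  flagged=$(find "$dir" -type f \( -name preinstall -o -name postinstall \) \
      -exec grep -E -H -n \
        -e 'cp .*/Library/' \
        -e 'LaunchDaemons|LaunchAgents|launchctl' \
        -e 'chmod .*x' \
        -e 'nohup|&[[:space:]]*$' \
        {} + 2>/dev/null || true)
  if [ -n "$flagged" ]; then
    printf 'Suspicious installer script lines:\n%s\n' "$flagged"
    return 1
  fi
  printf 'No suspicious installer script lines under %s\n' "$dir"
  return 0
}

# Look for the on-disk indicator the article names; returns 0 when present.
check_ioc_path() {
  ioc="${1:-/Library/LittleSnitchd/CrashReporter}"
  if [ -e "$ioc" ]; then
    printf 'FOUND: %s\n' "$ioc"
    return 0
  fi
  printf 'not present: %s\n' "$ioc"
  return 1
}

# Usage on a Mac (constructed example invocation):
#   expand_pkg LittleSnitch.pkg /tmp/ls-expanded
#   audit_pkg_scripts /tmp/ls-expanded   # lists e.g. a line copying to /Library/LittleSnitchd/CrashReporter
#   check_ioc_path                       # does the CrashReporter file already exist?
```

A hit from `audit_pkg_scripts` is a reason to read the script in full, not proof of malware; legitimate installers also write to /Library. What it does give you is the chance to see a copy into a vendor-looking folder with a system-sounding name before the installer runs it as root.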
Malwarebytes notes that it takes some time for the ransomware to start running after installation, so the user won't
Part of the encryption leaves the Finder unable to work properly and the system hanging constantly. The system keychain is also damaged, making it impossible to access passwords and certificates saved on the Mac. A message on screen tells the user to pay $50 to recover the files, otherwise everything will be deleted after three days.
There is still no known way to recover files once the malware has encrypted them, so users should keep an up-to-date backup of everything.
The best way to avoid the consequences of ransomware is to maintain a good backup set. Keep at least two backup copies of all important data and at least one should not always be connected to your Mac. (Ransomware may attempt to encrypt or damage backups on connected drives.)
Although the ransomware has only been seen bundled with pirated apps so far, the technique does not depend on a flaw in macOS itself: a PKG's post-install script simply runs with the privileges the user grants the installer, so the same malicious code could be bundled into many other apps. Apple's protections against it can only go so far; the practical defence is not to install software from untrusted sources.
You can read more technical details about EvilQuest on the Malwarebytes website.