During the past several years, cybersecurity researchers have witnessed what can only be described as an explosion of ransomware targeting Windows users. Some of the most devastating ransomware attacks, such as WannaCry and NotPetya, infected hundreds of thousands of computers and brought down massive corporate networks.
But just because Mac users have not been affected by these and other high-profile attacks doesn’t mean that Mac ransomware isn’t a major cause for concern. Recently, a malware researcher at K7 Lab identified a new strain of Mac ransomware, and it turns out to be far more sinister than it appears at first.
ThiefQuest, as cybersecurity researchers now call the new Mac ransomware (its original name, EvilQuest, is already used by a legitimate video game), surfaced on an infamous Russian file-sharing board, hidden inside a pirated copy of Little Snitch, a popular third-party firewall app.
Like most ransomware, ThiefQuest encrypts files on the victim’s disk and displays instructions for paying a ransom in exchange for decryption. In this case the price is $50, and the note warns that it must be paid within three days or the encrypted files will be lost for good. At least, that is what the ransom note claims.
In reality, ThiefQuest does much more than encrypt files. It also searches the infected computer for sensitive files, such as passwords and cryptocurrency wallets, and sends them to a remote server. As if that weren’t enough, it also installs a keylogger that records everything the victim types, including credit card numbers.
“My current gut feeling about all of this is that someone basically was designing a piece of Mac malware that would give them the ability to completely remotely control an infected system. And then they also added some ransomware capability as a way to make extra money,” speculates Patrick Wardle, principal security researcher at the Mac management firm Jamf.
Regardless of what the story behind ThiefQuest really is, it demonstrates that malware creators have not forgotten about Mac users—quite the opposite, in fact.
How to Protect a Mac from ThiefQuest?
The good news is that ThiefQuest doesn’t pose a significant threat to most Mac users, at least in its current form. To start with, it is distributed only with pirated software, and installing it requires the user to click through multiple security warnings. What’s more, ThiefQuest doesn’t always begin encrypting immediately, which gives the victim some time to detect it and act.
Anyone who suspects that ThiefQuest is present on their Mac should remove it as soon as possible using an anti-malware tool. Researchers strongly discourage victims from paying the relatively small ransom, because the ransomware does not appear to have any working mechanism for decrypting the files it has locked.
Instead, affected users should recover their data from backups and perform a clean installation of macOS.
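The detection step above is left to anti-malware tools, but a practitioner can also triage the places where macOS malware typically persists. The script below is an added example, not code from the article or from any vendor, and it does not use real ThiefQuest indicators: it parses launchd property lists from the LaunchAgents and LaunchDaemons directories and flags items that use an Apple-style `com.apple.*` label while executing a binary outside Apple-owned paths, run from a hidden directory, or are configured to restart themselves. The two sample plists, their labels and their paths are constructed for the demonstration.

```python
"""Triage macOS launchd persistence for items that masquerade as Apple components.

Added example; the heuristics are generic, not a ThiefQuest signature.
"""
import os
import plistlib
import tempfile
from pathlib import Path

# Locations where Apple's own launch item binaries normally live. An item whose
# label starts with "com.apple." but runs from elsewhere deserves a closer look.
APPLE_BINARY_PREFIXES = (
    "/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
    "/bin/", "/sbin/", "/Applications/",
)

# Where launchd looks for per-user and system-wide persistence.
LAUNCH_DIRS = [
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def program_path(item):
    """Return the executable a launchd plist will run, or None if it has none."""
    if item.get("Program"):
        return item["Program"]
    args = item.get("ProgramArguments") or []
    return args[0] if args else None


def assess(item):
    """Return a list of findings for one parsed launchd plist (empty means nothing odd)."""
    label = item.get("Label", "")
    path = program_path(item)
    if path is None:
        return ["no Program/ProgramArguments: launchd would not run it"]
    findings = []
    if label.startswith("com.apple.") and not path.startswith(APPLE_BINARY_PREFIXES):
        findings.append(f"Apple-style label {label!r} but executable outside Apple paths: {path}")
    # A dot-prefixed directory component hides the binary from Finder and casual listing.
    if any(part.startswith(".") for part in Path(path).parts):
        findings.append(f"executable lives in a hidden directory: {path}")
    if item.get("RunAtLoad") and item.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: launchd restarts it if it is killed")
    return findings


def scan(directories=LAUNCH_DIRS):
    """Parse every .plist under the given directories; return {plist path: findings} for flagged items."""
    flagged = {}
    for directory in directories:
        directory = Path(directory)
        if not directory.is_dir():
            continue
        for plist_file in sorted(directory.glob("*.plist")):
            try:
                with open(plist_file, "rb") as fh:
                    item = plistlib.load(fh)
            except Exception as exc:  # malformed XML/binary plist, permission error, etc.
                flagged[str(plist_file)] = [f"unparseable plist: {exc}"]
                continue
            findings = assess(item)
            if findings:
                flagged[str(plist_file)] = findings
    return flagged


# Constructed samples (not real ThiefQuest artifacts): one that imitates an Apple
# daemon but runs from a hidden directory in the user's home, one ordinary agent.
SAMPLE_SUSPICIOUS = {
    "Label": "com.apple.updatecheckd",
    "ProgramArguments": ["/Users/victim/Library/.cache/updatecheckd", "--silent"],
    "RunAtLoad": True,
    "KeepAlive": True,
}
SAMPLE_BENIGN = {
    "Label": "com.example.backupagent",
    "ProgramArguments": ["/Applications/BackupTool.app/Contents/MacOS/agent"],
    "RunAtLoad": True,
}


def demo():
    """Write the two samples into a temporary directory and scan it; returns {file name: findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = (("com.apple.updatecheckd.plist", SAMPLE_SUSPICIOUS),
                   ("com.example.backupagent.plist", SAMPLE_BENIGN))
        for name, item in samples:
            with open(Path(tmp) / name, "wb") as fh:
                plistlib.dump(item, fh)
        return {Path(p).name: f for p, f in scan([tmp]).items()}


if __name__ == "__main__":
    # Run against the real launchd directories on this machine.
    for plist_path, findings in scan().items():
        print(plist_path)
        for finding in findings:
            print("  -", finding)
```

Run it on a Mac and review each flagged item by hand; a third-party agent with RunAtLoad and KeepAlive is common and not proof of compromise, whereas a `com.apple.*` label pointing into `~/Library` is rarely legitimate. Checking the flagged binary's code signature with `codesign -dv` is the natural next step.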
What Will Come Next?
That is the main question Mac users should be asking right now. ThiefQuest was discovered four years after macOS was first hit by fully realized ransomware (KeRanger, in 2016), and it is only a matter of time before cybercriminals refine their techniques and find another way around Apple’s defenses.
For businesses whose employees use Macs every day, the risk of a ransomware attack is a worrying proposition, and encouraging responsible user behavior alone isn’t always enough.
To stay one step ahead of cybercriminals, businesses should protect their systems with expert cybersecurity solutions that include ransomware protection software, intrusion detection tools, and firewalls. Such solutions help businesses navigate the increasingly complex threat landscape while allowing them to keep a sharp focus on their core business. At BCA, we protect our customers against the latest ransomware threats with TOTALSecurity, a comprehensive suite of security solutions designed to keep business networks safe from external attacks of any kind.