A new Mac ransomware has been discovered by folks at Malwarebytes. According to the report, it’s a variant of “EvilQuest” ransomware which is spreading through pirated Mac apps.
The team discovered the ransomware after Twitter user @beatsballert messaged them about a pirated Little Snitch app on a Russian forum, which distributes torrent links. Analyzing the installer, researchers at Malwarebytes discovered it’s not just malware but new ransomware.
Just by looking at the installer, the team was skeptical, since it was a generic installer package. Unexpectedly, the package did install the real Little Snitch, but side by side it also installed an executable file named “Patch” along with a postinstall script. While it is common for installers to include postinstall scripts, here the script was the mechanism that launched the bundled malware.
Once the script ran, the Patch executable quickly copied itself to a different location and renamed itself “CrashReporter”, the name of a legitimate macOS process. From there, it injected itself into several other areas. The team noted that several apps started to malfunction; however, the ransomware primarily encrypts Keychain files and other data files. It then asks the user to pay $50 to unlock the files.
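The tell-tale combination described above (a package whose postinstall script stages a bundled executable under a new name and launches it in the background) is something a defender can check for before installing anything from an untrusted source. The following Python script is an added example, not code from the Malwarebytes report: it triages an installer package that has already been expanded with `pkgutil --expand`, flags scripts that reference the “Patch” or “CrashReporter” names from the article, that touch temporary or shared staging directories, or that background a process, and lists any extra executables shipped next to the scripts. The directory layout, the staging-directory list and the sample postinstall script are all constructed assumptions.

```python
"""Triage an expanded macOS installer package (pkgutil --expand layout assumed)
for a postinstall script that stages and launches a bundled executable.
Added example; every sample value below is constructed, not taken from the
real installer."""
import os
import re
import tempfile
from pathlib import Path

# Names taken from the article's description: the dropped "Patch" binary and
# the "CrashReporter" name it adopts after moving itself.
WATCH_NAMES = ("Patch", "CrashReporter")
# Staging locations an installer script rarely has a legitimate reason to
# write to or run from (heuristic assumption, not a list from the article).
STAGING_DIRS = re.compile(r"/(?:tmp|private/tmp|Users/Shared)/")


def _executables_in(directory: Path):
    """Files with an execute bit anywhere under `directory`."""
    return [p for p in directory.rglob("*") if p.is_file() and os.access(p, os.X_OK)]


def triage_package(pkg_dir) -> dict:
    """Return {'suspicious': bool, 'findings': [str]} for an expanded package."""
    pkg_dir = Path(pkg_dir)
    findings = []
    scripts = pkg_dir / "Scripts"
    if scripts.is_dir():
        for name in ("preinstall", "postinstall"):
            script = scripts / name
            if not script.is_file():
                continue
            for line in script.read_text(errors="replace").splitlines():
                code = line.split("#", 1)[0].strip()  # drop shell comments
                if not code:
                    continue
                for watched in WATCH_NAMES:
                    if re.search(rf"\b{watched}\b", code):
                        findings.append(f"{name}: references '{watched}': {code}")
                if STAGING_DIRS.search(code):
                    findings.append(f"{name}: touches a staging directory: {code}")
                if code.endswith("&"):
                    findings.append(f"{name}: launches a background process: {code}")
        # Executables shipped beside the scripts rather than inside the payload
        for exe in _executables_in(scripts):
            if exe.name not in ("preinstall", "postinstall"):
                findings.append(f"Scripts/: bundled executable '{exe.name}'")
    return {"suspicious": bool(findings), "findings": findings}


# Constructed stand-in for the behaviour the article describes; not the real script.
SAMPLE_POSTINSTALL = """#!/bin/sh
mkdir -p /Users/Shared/.tmp
cp "$(dirname "$0")/Patch" /Users/Shared/.tmp/CrashReporter
chmod +x /Users/Shared/.tmp/CrashReporter
/Users/Shared/.tmp/CrashReporter &
exit 0
"""


def build_sample_package(root: Path) -> Path:
    """Create a constructed expanded package mimicking the article's installer."""
    pkg = root / "sample.pkg"
    (pkg / "Scripts").mkdir(parents=True)
    (pkg / "Payload" / "Little Snitch.app" / "Contents" / "MacOS").mkdir(parents=True)
    post = pkg / "Scripts" / "postinstall"
    post.write_text(SAMPLE_POSTINSTALL)
    post.chmod(0o755)
    patch = pkg / "Scripts" / "Patch"
    patch.write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O 64-bit magic only; an inert stand-in
    patch.chmod(0o755)
    return pkg


def run_demo() -> dict:
    """Build the constructed package in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_package(build_sample_package(Path(tmp)))


if __name__ == "__main__":
    result = run_demo()
    print("suspicious:", result["suspicious"])
    for finding in result["findings"]:
        print(" -", finding)
```

On a real package, run `pkgutil --expand Installer.pkg expanded/` first and point `triage_package` at the `expanded/` directory. The checks are deliberately simple heuristics: a postinstall script that copies a sibling binary into a shared directory under a system-sounding name and backgrounds it is not proof of malware, but it is exactly the pattern worth inspecting by hand before trusting the installer.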
Of course, paying the $50 fee doesn’t remove the malware, and interestingly, there were no clear instructions on how to pay the ransom in the first place. According to the report, the malware sometimes installs a keylogger as well; however, its exact purpose is unknown. Malwarebytes detects the malware as “Ransom.OSX.EvilQuest”, and encrypted files can be recovered from a previous backup.
We advise users to steer clear of pirated apps for Mac since they can carry similar ransomware or other malware.