Ransomware: ransomware spreads via pirated software on Macs

New Mac ransomware, i.e. software that extorts users, is currently spreading via pirated apps offered on Russian platforms, among others. This is reported, for example, by Malwarebytes and by Patrick Wardle on the Objective-See website. The new ransomware was initially called "EvilQuest", but to avoid confusion, the company then switched to "OSX.ThiefQuest". What is special about the new ransomware, which can infect Apple computers: its script is hidden in certified installer files, which simulate authenticity for both users and the Mac. Examples of cracked apps that bring OSX.ThiefQuest with them are "Little Snitch" and "Mixed In Key".

The ransomware OSX.ThiefQuest comes to the Apple Mac when you download pirated apps from certain portals. You can read what is behind the ransomware here.


OSX.ThiefQuest - Incorrect installer with ransomware script

I never get tired of saying here on the blog that you should only download your apps from the Mac App Store or directly from the developers. Using software portals that bundle apps into unnecessary installers with additional software, malware and the like is not recommended. Downloading pirated programs from dubious websites is especially not recommended. Not only is this illegal and harms developers, it also brings dangers with it that the untrained eye cannot recognize.

For example, Malwarebytes reports in the blog post linked above that the installer it downloaded for analysis of the pirated version of Little Snitch already looked suspicious when unzipped. Not only was it pointlessly packaged inside a disk image, it also came with a generic package icon, whereas the official version of Little Snitch has a nicely designed icon:

Analysis of this installer showed that there was definitely something strange going on. To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed. However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file.

My advice: Backups protect against ransomware consequences

This is what the pirated malware does on the Mac

On the Objective-See website, Patrick Wardle also analyzes in detail the supposed installers and the ransomware they bring onto the system. These even contain measures against analysis, which the expert naturally recognized and was able to circumvent. He also shows how, and to what extent, the data on the Mac's drive gets encrypted in order to extort money from users for its release or decryption. The malware's output is then this:

Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service.
We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don't believe this statement).
Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there's a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included.
In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever.
Payment has to be deposited in Bitcoin based on Bitcoin / USD exchange rate at the moment of payment. The address you have to make payment is:
[...]
Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored.
THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE

Do you need to protect yourself against Mac ransomware?

The first source, Malwarebytes, is a provider of protection software that works in a similar way to an antivirus app, except that besides viruses it also finds other scripts and malware (Trojans, adware, etc.). On the Objective-See website you will find two free programs, “BlockBlock” and “RansomWhere?”, which the summary of the linked article advertises with the fact that they even detected OSX.ThiefQuest, although they were not yet familiar with this type of ransomware.

But do you need this software as a “normal” user? Not if you browse the web in a legal way. Anyone who has to load weird things for research purposes, to fill a tech blog or a specialist magazine, or for security research at work can and should of course take security precautions. What do you think about the topic, and what is your approach? Do you stick to official sources for downloads, or do you wander off the beaten track and therefore need protective software? Feel free to leave a comment ;)


2 comments

  1. W. Wiegmann says:

    Hello
    Mac software only from the app store? How does that work? There is a variety of legal software that is sold directly. Am I wrong or isn't it that bad anyway when you have a backup? For example, I use CCC to mirror my entire hard drive on an external one every day, and I also use Time Machine. If someone were to blackmail me, I would immediately erase the internal hard drive completely and use the copies. Is there still a risk?

    • Sir Apfelot says:

Hello! Yes, only from the App Store is difficult. That is why the article also says "or directly from the developer". Backups are basically pretty good, but as soon as the backups are attached to the Mac and the malware is active, it can also change the backups. That is why, for example, I would always unplug the 1:1 backup made with CCC as soon as it is finished. Then no software can manipulate it ... Best regards!
