New Mac ransomware (extortion software that encrypts the victim's files and demands payment for their release) is currently spreading via pirated apps, offered on Russian platforms among others. This is reported by Malwarebytes (here) and by Patrick Wardle on the Objective-See website (here). The new ransomware was initially called "EvilQuest"; to avoid confusion, Malwarebytes later switched to the name "OSX.ThiefQuest". What is special about this ransomware, which infects Apple computers: its payload is tucked into installer packages that look legitimate at first glance, to the user as well as to the Mac. Examples of cracked apps that have been found bundled with OSX.ThiefQuest are "Little Snitch" and "Mixed In Key".
I never get tired of saying here on the blog that you should download your apps only from the Mac App Store or directly from the developers. Software portals that wrap apps in unnecessary installers carrying additional software, adware, malware and the like are not recommended. Downloading pirated programs from dubious websites is especially inadvisable: not only is it illegal and harmful to the developers, it also carries dangers that the untrained eye cannot recognize.
For example, Malwarebytes reports in the blog post linked above that the installer it downloaded for analysis of the pirated Little Snitch already looked suspicious once unzipped. Not only was it pointlessly packed inside a disk image, it also carried the generic installer-package icon, whereas the official Little Snitch installer comes with a nicely designed custom icon:
Analysis of this installer showed that there was definitely something strange going on. To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed. However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file.
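The two tells Malwarebytes points out (a plain Apple installer package instead of a signed custom installer) can be checked from the command line before you double-click anything. The script below is an added example written for this post, not code from Malwarebytes, Objective-See or the Little Snitch developers. It assumes the macOS tools pkgutil(1) and spctl(8) are available; the two parsing functions work only on the text those tools print, so they are exercised here with constructed sample output and can run on any system. The package names and the developer name in the samples are made up.

```shell
#!/bin/sh
# Added example: classify a macOS installer package by its signature and
# Gatekeeper verdict before installing it. Assumes macOS pkgutil/spctl;
# the parsers below only read their text output.

# classify_signature: read `pkgutil --check-signature` output on stdin and
# print one word: signed, untrusted, unsigned or unknown.
classify_signature() {
    out="$(cat)"
    case "$out" in
        *"Status: signed by a certificate trusted by Apple"*) echo signed ;;
        *"Status: signed by untrusted certificate"*)           echo untrusted ;;
        *"Status: no signature"*)                              echo unsigned ;;
        *)                                                     echo unknown ;;
    esac
}

# gatekeeper_verdict: read `spctl --assess --type install -vv` output on
# stdin and print accepted, rejected or unknown.
gatekeeper_verdict() {
    out="$(cat)"
    case "$out" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *)              echo unknown ;;
    esac
}

# check_pkg: run both tools on a real .pkg (macOS only). Returns 0 only when
# the package is signed by an Apple-trusted certificate AND Gatekeeper
# accepts it for installation; anything else is a reason to stop.
check_pkg() {
    pkg="$1"
    [ -f "$pkg" ] || { echo "no such file: $pkg" >&2; return 2; }
    sig="$(pkgutil --check-signature "$pkg" 2>&1 | classify_signature)"
    gk="$(spctl --assess --type install -vv "$pkg" 2>&1 | gatekeeper_verdict)"
    echo "$pkg: signature=$sig gatekeeper=$gk"
    [ "$sig" = signed ] && [ "$gk" = accepted ]
}

# Constructed sample tool output (not captured from a real package) so the
# parsers can be exercised off a Mac.
SAMPLE_SIGNED='Package "signed-example.pkg":
   Status: signed by a certificate trusted by Apple
   Certificate Chain:
    1. Developer ID Installer: Example Developer (XXXXXXXXXX)'

SAMPLE_UNSIGNED='Package "suspicious-example.pkg":
   Status: no signature'

SAMPLE_SPCTL_REJECTED='suspicious-example.pkg: rejected
source=no usable signature'

# Usage on a Mac: sh check_pkg.sh /path/to/installer.pkg
if [ -n "${1:-}" ]; then
    check_pkg "$1"
fi
```

A passing check is necessary, not sufficient: a signature only tells you who signed the package, and Gatekeeper only assesses files that still carry the quarantine attribute a browser sets on download. A trojanized package signed with a misused developer certificate would pass both tests, so the real lesson from the post stands: get the software from the developer or the Mac App Store in the first place.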
On the Objective-See website, Patrick Wardle also walks in detail through the trojanized installers and the ransomware they plant on the system. The malware even carries checks against being analyzed, which he naturally recognized and bypassed. His write-up also shows how, and which, data on the Mac's drive gets encrypted in order to extort money from users for its release, i.e. decryption. The malware then displays this ransom note:
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service.
We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don't believe this statement).
Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there's a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included.
In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever.
Payment has to be deposited in Bitcoin based on Bitcoin / USD exchange rate at the moment of payment. The address you have to make payment is:
Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored.
THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE
The first source, Malwarebytes, makes protection software that works much like an antivirus app, except that besides viruses it also catches other malware (trojans, adware, etc.). On the Objective-See website you will find two free tools, "BlockBlock" and "RansomWhere?", which, according to the summary of the linked article, detected OSX.ThiefQuest even though they had no prior knowledge of this particular ransomware.
But do you need such software as a "normal" user? Not if you stick to legal sources on the web. Anyone who has to download questionable things for research, to fill a tech blog or trade magazine, or for security research at work can and should of course take precautions. What do you think, and how do you go about it? Do you stick to official sources for downloads, or do you stray off the beaten track and therefore need protective software? Feel free to leave a comment ;)
Jens has been running the blog since 2012. He appears as Sir Apfelot to his readers and helps them with technical problems. In his free time he rides electric unicycles, takes photos (preferably with his iPhone, of course), climbs in the Hessian hills or hikes with his family. His articles cover Apple products, news from the world of drones and solutions for current bugs.