A new variant of ransomware, dubbed EvilQuest has be discovered that targets Apple macOS via installed pirated apps. According to researchers at K7 Lab malware and Malwarebytes, the new ransomware variant is packaged with legitimate apps, which upon installation, disguises as Google Software Update or Apple's CrashReporter.
EvilQuest comes with the capabilities of persistence, keystrokes logging, reverse shell, and stealing from cryptocurrency wallet-related files. It joins a few strains of ransomware that have exclusively targeted macOS, with others on the list including KeRanger and Patcher.
The ransomware appears to be trojanized versions of another popular macOS software like Mixed In Key 8 and Ableton Live, which are all distributed via popular torrent sites.
How EvilQuest infiltrates Apple macOS
EvilQuest uses a sandbox check to detect sleep-patching and equipped with anti-debugging logic, the malware program does not run under a debugger, which helps to disguise the malware source, as the malicious behavior can't be immediately associated with any recently installed program.
The ransomware is also able to kill any security software, including Avast, DrWeb, McAfee, Kaspersky, Norton, Bitdefender, and Bullguard, that would normally detect or block malicious activities on the system, and set up system persistence using daemon property list files ("com.apple.questd.plist") and launch agent to automatically restart itself each time the user logs into Mac.
At the last stage, it launches a copy of itself to start encrypting files and counting cryptocurrency wallet ("wallet.pdf") with other keychain related files before it eventually displays the ransom instructions to user to pay $50 within 72 hours or lose the locked files.
How to Mitigate against EvilQuest Ransomware
As always, the best way to avoid the consequences of ransomware is to have a good backup of important files, and keeping at least another copies of all important files, which must not be saved or attached to your Mac.
While cybersecurity researchers are working to find a weakpoint in the encryption algorithm of the malware to create a decryptor, it's highly recommended that macOS users should create necessary backups to avoid any data loss.