Security experts have warned of new Mac ransomware being spread via pirated software from torrent sites. The virus is so new that there is currently no known way to recover lost files.
Once installed, the malware begins to spread itself “liberally” around the hard drive, though much of the nefarious software’s behavior is still not really understood.
For example, it was found that the malware – dubbed ‘ThiefQuest’ – modified executable GoogleSoftwareUpdate files, commonly found on machines with Google Chrome installed.
However, according to anti-malware company Malwarebytes, Google automatically resets these files upon launch, so “it’s unclear what the purpose here is”: the change appears to serve no purpose for the malware.
As with all ransomware, ThiefQuest eventually begins encrypting as many files as it can, locking users out of their digital property until a ransom is paid for their return. The targeted files are often confidential in nature, since such data is the most valuable to the user.
The author of the article detailing the malware, Thomas Reed, goes on to say that while many affected users have reported that they were asked to pay a ransom to retrieve the encrypted files, he “was unable to duplicate any of these [demands], despite waiting quite a while for the ransomware to finish.”
However, as this ransomware is so new, it is not yet clear whether once these files are encrypted, they can ever be decrypted.
The anti-malware company advises that, to protect against ransomware attacks, the public should always keep multiple backup copies of their data stored on a separate hard drive. Doing so strips away any leverage bad actors try to gain when they use ransomware for blackmail, because you always have a copy of your data safely stored elsewhere.
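A backup is only useful if the copy itself is intact and you can tell which live files were altered. The script below is an added illustration, not code from the article or from Malwarebytes: it records a SHA-256 manifest of a backup tree, then compares that manifest against the live data and against the backup copy to flag modified, missing or new files. It generalises the article's advice to integrity-checking any file tree (the same check would also reveal silently modified executables such as the GoogleSoftwareUpdate files mentioned above). The `demo()` scenario, its directory names and its sample files are all constructed for this example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def save_manifest(manifest: dict, dest: Path) -> None:
    # Keep the manifest outside the tree it describes, ideally with the backup media.
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report which files changed content, disappeared, or appeared since the baseline."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


def demo() -> dict:
    """Constructed scenario (hypothetical paths and contents): a source tree is backed up,
    a manifest of the backup is saved, then one live file is rewritten in place."""
    base = Path(tempfile.mkdtemp())
    src = base / "docs"
    bak = base / "backup"
    src.mkdir()
    (src / "notes.txt").write_bytes(b"quarterly notes\n")          # constructed sample
    (src / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    shutil.copytree(src, bak)

    manifest_path = base / "manifest.json"
    save_manifest(build_manifest(bak), manifest_path)

    # Simulate one live file being overwritten with unreadable content.
    (src / "notes.txt").write_bytes(os.urandom(32))

    baseline = load_manifest(manifest_path)
    result = {
        "live": compare(baseline, build_manifest(src)),     # what changed on disk
        "backup": compare(baseline, build_manifest(bak)),   # is the copy still intact?
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest would be written at backup time and re-checked before relying on the copy; an empty "backup" report means the stored data still matches what was saved, while the "live" report names the files that need restoring.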
The malware was first discovered after being uploaded to a Russian torrent site tucked within a legitimate-looking copy of the macOS firewall, Little Snitch.
Originally dubbed EvilQuest, the malicious software has been renamed “due to a legitimate game of the same name from 2012.” Its new name is OSX.ThiefQuest.
The malware has since been found in other applications, such as Mixed In Key 8, a type of DJing software. Reed also notes that “there are undoubtedly other installers floating around as well that have not been seen.”