The recently discovered malware program EvilQuest, or ThiefQuest as it’s also called, encrypts your files and tries to trick you into sending a Bitcoin ransom to the fraudsters who spread it.
The only problem is that there is no feature to actually unlock the files after paying the villains. The few affected users who have paid up have not recovered their files, and the security researchers who have investigated the program have found no built-in decryption method.
But researchers at SentinelOne have examined the encrypted files and discovered that the files themselves contain their encryption keys, making it straightforward to decrypt them. The company has already released a small freeware program that restores all files encrypted by EvilQuest.
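To show why a key stored inside the encrypted file makes recovery trivial, here is an added example (not SentinelOne's decryptor and not EvilQuest's real on-disk layout): a constructed toy format in which a locker writes a marker, the key length, the key itself and then the ciphertext. The toy cipher (SHA-256 keystream XORed into the data), the marker `TQDEMO` and the function names are all assumptions made for this illustration; the point is that `recover()` needs nothing but the file.

```python
import hashlib
import struct

# Constructed marker for this toy format; it is not EvilQuest's real file layout.
MAGIC = b"TQDEMO\x00"


def _keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 of key || 64-bit block counter, used as a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def simulate_flawed_locker(plaintext: bytes, key: bytes) -> bytes:
    """Write a file in the toy format: marker, key length, the key, ciphertext.

    Storing the key right beside the ciphertext is the design flaw being illustrated:
    the 'ransom' buys nothing, because every file already carries what is needed to open it.
    """
    ciphertext = _xor(plaintext, _keystream(key, len(plaintext)))
    return MAGIC + struct.pack(">H", len(key)) + key + ciphertext


def extract_key(blob: bytes) -> bytes:
    """Parse the header and return the key the locker left in the file."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a toy-format file")
    (key_len,) = struct.unpack(">H", blob[len(MAGIC):len(MAGIC) + 2])
    start = len(MAGIC) + 2
    key = blob[start:start + key_len]
    if len(key) != key_len:
        raise ValueError("truncated file: key shorter than declared")
    return key


def recover(blob: bytes) -> bytes:
    """Decrypt a toy-format file using only the key embedded in it."""
    key = extract_key(blob)
    ciphertext = blob[len(MAGIC) + 2 + len(key):]
    return _xor(ciphertext, _keystream(key, len(ciphertext)))


if __name__ == "__main__":
    # Constructed sample document and key.
    sample = b"quarterly-report.docx contents (constructed sample)"
    locked = simulate_flawed_locker(sample, b"\x13\x37" * 8)
    print("key found in file:", extract_key(locked).hex())
    print("recovered:", recover(locked))
```

The recovery path is pure parsing: find the marker, read the declared key length, pull the key out, and run the cipher backwards. A real decryptor differs only in the format it parses and the cipher it reverses, which is why a tool could be released as soon as the layout was understood.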
Malwarebytes has researched the program more deeply and reports that the whole extortion function may in fact be a distraction, diverting attention from the real goal: stealing data.
The malware sometimes downloads a Python script that goes through the entire home folder and uploads a long list of files to the control server, completely unencrypted.
Continued investigations into the malware show that it also appears to be the first genuine virus for Mac since Mac OS X was released nearly 20 years ago.
Once the program has installed itself on the Mac, it runs a process that searches for all executable files in the affected home folder and prepends malicious code to each one, which then runs every time that file is executed. The code can then spread the malware to new files and continue the infection.
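A file infector that prepends its own code to executables leaves one observable trace: the infected file no longer begins with the header a legitimate executable has. The following added example (not Malwarebytes' or Patrick Wardle's tooling, and not a signature for EvilQuest itself) walks a directory the way a responder might triage a home folder, and flags executable files whose first bytes are neither a Mach-O magic number nor a `#!` shebang. The Mach-O magic values are the documented ones from `<mach-o/loader.h>`; the sample tree built by `build_demo_tree()` is constructed for the demonstration, and the prefix bytes in it are an arbitrary stand-in for prepended code.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List

# Headers a legitimate executable normally starts with. Note that 0xcafebabe (FAT_MAGIC)
# is also the Java class-file magic, so a class file with the exec bit set is not flagged.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC     (32-bit)
    b"\xce\xfa\xed\xfe",  # MH_CIGAM     (32-bit, byte-swapped)
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64  (what a 64-bit Mach-O on Intel/Apple Silicon starts with)
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC    (universal binary)
    b"\xbe\xba\xfe\xca",  # FAT_CIGAM
}
SHEBANG = b"#!"


def classify_header(head: bytes) -> str:
    """Describe what the first bytes of a file look like."""
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(SHEBANG):
        return "script"
    return "unknown"


def has_exec_bit(path: Path) -> bool:
    """True for regular files with any execute bit set (symlinks are not followed)."""
    mode = path.lstat().st_mode
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def find_suspicious_executables(root: str) -> List[str]:
    """Walk `root` and report executable regular files whose first bytes are neither a
    Mach-O header nor a shebang, i.e. files where something may have been prepended."""
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if not has_exec_bit(path):
                    continue
                with path.open("rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue  # unreadable or vanished; a real triage run would log this
            if classify_header(head) == "unknown":
                flagged.append(str(path))
    return sorted(flagged)


def build_demo_tree() -> str:
    """Constructed sample tree: a clean 64-bit Mach-O stub, a clean shell script, a file
    with foreign bytes in front of its Mach-O header, and a non-executable text file."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    files = {
        "clean_binary": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
        "clean_script": b"#!/bin/sh\necho ok\n",
        # Arbitrary constructed prefix standing in for prepended code; the real header follows it.
        "prepended_binary": b"XX-CONSTRUCTED-PREFIX-XX" + b"\xcf\xfa\xed\xfe" + b"\x00" * 28,
    }
    for name, content in files.items():
        path = Path(root) / name
        path.write_bytes(content)
        path.chmod(0o755)
    (Path(root) / "notes.txt").write_bytes(b"not executable, so never inspected")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for hit in find_suspicious_executables(demo_root):
        print("suspicious header:", hit)
```

This is a heuristic, not a signature: it will also flag legitimately odd executables (scripts without a shebang, data files that happen to carry the exec bit), and it would miss an infector that preserves or rebuilds the original header. It is useful for narrowing down which files deserve a closer look, which is the gap the article describes until a dedicated cleaning tool exists.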
The definition of a virus is malicious code that spreads by infecting existing files, which is exactly what EvilQuest/ThiefQuest does.
The program has many broken elements and features that do not seem to work exactly as intended, so Malwarebytes speculates that a version of it began to be used before it was fully developed.
Those who have been affected, according to Patrick Wardle, would be best advised to completely reinstall macOS, for example by restoring from a clone backup made before the computer was infected. Until someone has developed a program that can find and remove the malicious code from all infected files, it is not enough to simply delete the malicious program itself.
For broader advice, read our Mac security tips.
This article originally appeared on Macworld Sweden. Translation by David Price.