Free Republic
Browse · Search
General/Chat
Topics · Post Article


New Mac Ransomware Found in Pirated Mac Apps
MacRumors ^ | Tuesday June 30, 2020 11:44 am PDT | by Juli Clover

Posted on 07/03/2020 11:31:16 AM PDT by Swordmaker

There's a new 'EvilQuest' Mac ransomware variant that's spreading through pirated Mac apps, according to a new report shared today by Malwarebytes. The new ransomware was found in a pirated download for the Little Snitch app found on a Russian forum.


Right from the point of download, it was clear that something was wrong with the illicit version of Little Snitch, as it had a generic installer package. It installed the actual version of Little Snitch, but it also installed an executable file named "Patch" into the /Users/Shared directory and a post-install script for infecting a machine.

The installation script moves the Patch file into a new location and renames it CrashReporter, a legitimate macOS process, keeping it hidden in Activity Monitor. From there, the Patch file installs itself in several spots on the Mac.

The ransomware encrypts settings and data files on the Mac, like Keychain files, resulting in an error when attempting to access the iCloud Keychain. The Finder also malfunctioned after installation, and there were problems with the dock and other apps.

Malwarebytes found the ransomware to work poorly and was not able to get instructions on paying the ransom, but a screenshot found on the forums where the malicious software originated suggests it's meant to prompt users to pay $50 to recover access to their files. Note: anyone infected with this ransomware or any ransomware should not pay the fee, because it does not remove the malware.

Along with the ransom activity, the malware may also install a keylogger for monitoring keystrokes, but what the malware does with the functionality is unknown. Malwarebytes says that its software for Mac is able to remove the ransomware, detected as Ransom.OSX.EvilQuest. Encrypted files will require a restore from a backup, though.

Similar ransomware was found in other pirated apps, and Mac users can avoid it by staying away from pirated apps and untrustworthy websites and forums that offer illicit downloads.


TOPICS: Business/Economy; Computers/Internet; Conspiracy
KEYWORDS: apple; applepinglist; mac; macmalware; macos; ransomware
Please note, this malware is not in any way really effective as it is poorly written. Keep good backups and you will not have to pay the ransom. Best is not to try to steal software in the first place. DO NOT PIRATE!
1 posted on 07/03/2020 11:31:16 AM PDT by Swordmaker
[ Post Reply | Private Reply | View Replies]

To: ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; AFreeBird; ...
A poorly executed, hard to install, form of Mac Ransomware has been discovered in a Pirated version of Little Snitch on a Russian download site. First of all, DON’T PIRATE SOFTWARE, as your first line of defense against this invasion of your computer. Second, have good backups. Third, Don’t STEAL SOFTWARE! —PING!


Apple Ransomware Found in Pirated Little Snitch Installer from Russian Pirate Website
PING!

If you want on or off the Apple/Mac/iOS Ping List, Freepmail me.

2 posted on 07/03/2020 11:36:25 AM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigotu)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

Thieves complaining about being ripped off. Sort of like someone calling the cops to complain about being shorted in a drug deal.


3 posted on 07/03/2020 11:41:14 AM PDT by PAR35
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

The malware author wants $50 for Little Snitch, which may be $25 from Objective Development.

BTW, both Objective Development products, Little Snitch & Launch Bar are top notch & worth the money.


4 posted on 07/03/2020 12:18:31 PM PDT by bobcat62
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker; Gamecock; SaveFerris; PROCON

Same thing happened with my Willard. Cost me ten extra bucks to get the seven key to work.


5 posted on 07/03/2020 12:46:04 PM PDT by Larry Lucido
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker

So the only entity to benefit is Apple by discouraging pirating.


6 posted on 07/03/2020 12:49:00 PM PDT by Moonman62 (http://www.freerepublic.com/~moonman62/)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Moonman62
So the only entity to benefit is Apple by discouraging pirating

Hmm...

7 posted on 07/03/2020 1:36:17 PM PDT by Company Man (THEDONALD.WIN is skyrocketing in Alexa rankings! Visit today!)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Moonman62
So the only entity to benefit is Apple by discouraging pirating.

Really? How about the publishers of the pirated software? I assure you that the publisher of Little Snitch would benefit from their software not being pirated. You can’t be that stupid.

8 posted on 07/03/2020 4:29:01 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigotu)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Swordmaker

Sorry to hurt your tender feelings.


9 posted on 07/03/2020 4:45:21 PM PDT by Moonman62 (http://www.freerepublic.com/~moonman62/)
[ Post Reply | Private Reply | To 8 | View Replies]

To: Moonman62
Sorry to hurt your tender feelings.

Swordmaker is right on this one. Apple does not publish Little Snitch.

Don't be a doofus.

10 posted on 07/03/2020 5:02:12 PM PDT by CurlyDave
[ Post Reply | Private Reply | To 9 | View Replies]

To: Moonman62
Sorry to hurt your tender feelings.

You are not hurting me or my feelings. Apple does not publish this software, does not even recommend its use, so you’ve not shown anything except your abysmal ignorance.

11 posted on 07/03/2020 5:48:10 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigotu)
[ Post Reply | Private Reply | To 9 | View Replies]

To: CurlyDave

You’re another one who is too sensitive.


12 posted on 07/03/2020 7:02:04 PM PDT by Moonman62 (http://www.freerepublic.com/~moonman62/)
[ Post Reply | Private Reply | To 10 | View Replies]

To: Swordmaker

If I didn’t hurt your feelings, then you must be a jerk. Sorry for the mistake.


13 posted on 07/03/2020 7:03:12 PM PDT by Moonman62 (http://www.freerepublic.com/~moonman62/)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Moonman62
If I didn’t hurt your feelings, then you must be a jerk. Sorry for the mistake.

Looks to me that the jerk here is you. You are the one making unsupported claims. I just corrected your idiotic claim which was based in your Apple Derangement Syndrome. You have no evidence for your assertion or you are advocating the theft of software. Which is it?

14 posted on 07/03/2020 8:05:22 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigotu)
[ Post Reply | Private Reply | To 13 | View Replies]

To: Swordmaker

15 posted on 07/03/2020 8:32:12 PM PDT by Moonman62 (http://www.freerepublic.com/~moonman62/)
[ Post Reply | Private Reply | To 14 | View Replies]

To: Moonman62
So far you are proving you ARE that stupid. Keep it up. It’s highly amusing. You haven’t shown how this has ANYTHING to do with Apple’s profits, since Apple doesn’t publish Little Snitch, and I don’t even think they promote users buying or installing it. In fact, Moonman62, Little Snitch is a free and safe download from its publisher. It’s only dangerous if a user downloads it from a pirate source which does not support it like its publisher does. Would you be saying the same thing about an announcement about RANSOM WARE found in Microsoft specific pirate ware???? Apparently not. You are apparently an advocate for stealing software, cutting the authors out of their just rewards for creating it. If so, you are a reprehensible thief, willing to benefit from the work of others while not being willing to pay for it. Doesn’t that make you an advocate of involuntary servitude to your desires, i.e., slavery? After all, they have to work for nothing so that YOU can have what YOU want for free! That makes you a hypocrite of the first order.

So, Moonman, which is it?

16 posted on 07/03/2020 8:51:47 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigotu)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Swordmaker

17 posted on 07/04/2020 10:10:47 AM PDT by Moonman62 (http://www.freerepublic.com/~moonman62/)
[ Post Reply | Private Reply | To 16 | View Replies]

To: Moonman62

Too bad you have zero ammunition to use on your target that has any impact. You can’t drop anything factual. You are just dropping cotton balls. . . Ignorance on parade.

Being over the wrong target also gets you shot down in flames, especially when you are completely in the wrong, Moonbat.


18 posted on 07/04/2020 12:17:57 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigotu)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Swordmaker

It’s funny.

I didn’t say you were wrong.

I said you were overly sensitive.

You denied it, but then you spent the next several hours proving that you are. I’d say you have anger issues, too.


19 posted on 07/04/2020 1:05:59 PM PDT by Moonman62 (http://www.freerepublic.com/~moonman62/)
[ Post Reply | Private Reply | To 18 | View Replies]

To: Moonman62

Hours? You are delusional. I’ve spent no more than five minutes responding to your tripe, Moonbat. You’re not worth even that. You are the invading troll in this thread, offering nothing of value, making worthless comments. Sensitivity has nothing to do with correcting idiocy.


20 posted on 07/04/2020 1:21:05 PM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigotu)
[ Post Reply | Private Reply | To 19 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson