Wednesday, 01 July 2020 09:04

Man bites dog: new ransomware for Mac appears, transmits in pirated software

New ransomware for the Mac — a rarity in an era when Microsoft Windows is overwhelmingly the platform of choice for this class of malware — that spreads through pirated software has been reported by researchers, with K7 Lab's Dinesh Devadoss the first to file a report.

Somewhat peculiarly, no researcher has given the ransomware a new name yet, though normally by now any fresh malware would have as many names as researchers who have initially looked at it. However, since the Malwarebytes software detects it as Ransom.OSX.EvilQuest, some have taken to calling it EvilQuest.

Devadoss tweeted about ransomware masquerading as the Google Software Update, adding that this had not been detected by any virus database.

Researchers normally upload a sample of new malware they find to virus databases, in order to help their fellow researchers identify the same. The most commonly used database, VirusTotal, is owned by Google.

While Devadoss sent his tweet on 30 June, another researcher, who goes by the Twitter handle W3B_B3ND3R, said he had noticed it eight days earlier.

Given that it enters a system piggybacking on pirated packages, the ransomware, which has not been given any name yet, does not need any other means of gaining access to a system.

Malwarebytes researcher Thomas Reed, in a detailed blog post about the new ransomware, said he had been told about an apparently malicious installer for Little Snitch, a host-based application firewall for macOS.


Error displayed after the keychain was encrypted by the ransomware. Courtesy Malwarebytes

Reed pointed out that there were some major differences between the genuine Little Snitch installer and the pirated one carrying the ransomware. "To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed," he said.

"However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file."

He said that the ransomware did not seem to be designed very well, throwing up numerous hints that something was amiss with the system that was infected.

"The malware wasn’t particularly smart about what files it encrypted," Reed said. "It appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in post-encryption."


A screenshot of the encryption message posted to the RUTracker forum. Courtesy Malwarebytes

Another indication that something had changed was the Dock resetting to its default style. "The Finder also began showing signs of trouble, with spinning beachballs frequently appearing when selecting an encrypted file," Reed noted. "Other apps would also freeze periodically, but the Finder freezes could only be managed by force quitting the Finder."

He said he had also not seen any sign of a ransom notice, which other researchers claimed to have observed, some even saying that it was being delivered using text-to-speech.

Ransomware threat researcher Brett Callow pointed out that the same technique — hiding in pirated software — was used by the Windows ransomware known as STOP.

"For a variety of reasons — not least of which is its relatively small market share, especially in enterprise environments — macOS is not a particularly attractive target for ransomware groups," Callow told iTWire.

"It's simply not going to be anywhere near as lucrative as good ol' Windows ransomware and, consequently, the criminals probably aren't going to invest significant resources in this campaign. That said, EvilQuest nonetheless serves as a reminder to Mac users that they're not immune from ransomware and other threats.

"Thankfully, this particular ransomware is trivially easy to avoid. Just steer clear of pirated software. And that's good advice no matter which operating system you use.

"Legal and moral issues aside, pirated apps, keygens and cracks remain a very popular distribution method for both ransomware and other types of malware. In fact, STOP — which is the world's most prevalent ransomware by a very long chalk — is spread exclusively in this way.

"Bottom line: using pirated software may well get you more than you bargained for, and not in a good way."


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
