Somewhat peculiarly, no researcher has yet given the ransomware a new name, though normally by this stage any fresh malware would have as many names as there are researchers who have looked at it. However, since Malwarebytes software detects it as Ransom.OSX.EvilQuest, some have taken to calling it EvilQuest.
Devadoss tweeted about ransomware masquerading as the Google Software Update, adding that this had not been detected by any virus database.
#macOS #ransomware impersonating the Google Software Update program with zero detection.— Dinesh_Devadoss (@dineshdina04) June 29, 2020
Researchers normally upload a sample of any new malware they find to virus databases, in order to help their fellow researchers identify it. The most commonly used database, VirusTotal, is owned by Google.
First appearance on 22 June 2020 — ЩΣB BΣПDΣЯ ♣ (@W3B_B3ND3R) June 30, 2020
Given that it enters a system by piggybacking on pirated packages, the ransomware, which has not yet been given a name, does not need any other means of gaining access.
Malwarebytes researcher Thomas Reed, in a detailed blog post about the new ransomware, said he had been told about an apparently malicious installer for Little Snitch, a host-based application firewall for macOS.
Error displayed after the keychain was encrypted by the ransomware. Courtesy Malwarebytes
Reed pointed out that there were some major differences between the genuine Little Snitch installer and the pirated one carrying the ransomware. "To start, the legitimate Little Snitch installer is attractively and professionally packaged, with a well-made custom installer that is properly code signed," he said.
"However, this installer was a simple Apple installer package with a generic icon. Worse, the installer package was pointlessly distributed inside a disk image file."
He said that the ransomware did not seem to be very well designed, as it threw up numerous hints that something was amiss on an infected system.
"The malware wasn’t particularly smart about what files it encrypted," Reed said. "It appeared to encrypt a number of settings files and other data files, such as the keychain files. This resulted in an error message when logging in post-encryption."
A screenshot of the encryption message posted to the RUTracker forum. Courtesy Malwarebytes
Another indication of things having changed was through the Dock resetting to its default style. "The Finder also began showing signs of trouble, with spinning beachballs frequently appearing when selecting an encrypted file," Reed noted. "Other apps would also freeze periodically, but the Finder freezes could only be managed by force quitting the Finder."
He said he had also not seen any sign of a ransom note, which other researchers claimed to have observed, some even saying that it communicated using text-to-speech.
Ransomware threat researcher Brett Callow pointed out that the same technique — hiding in pirated software — was used by the Windows ransomware known as STOP.
"For a variety of reasons — not least of which is its relatively small market share, especially in enterprise environments — macOS is not a particularly attractive target for ransomware groups," Callow told iTWire.
"It's simply not going to be anywhere near as lucrative as good ol' Windows ransomware and, consequently, the criminals probably aren't going to invest significant resources in this campaign. That said, EvilQuest nonetheless serves as a reminder to Mac users that they're not immune from ransomware and other threats.
"Thankfully, this particular ransomware is trivially easy to avoid. Just steer clear of pirated software. And that's good advice no matter which operating system you use.
"Legal and moral issues aside, pirated apps, keygens and cracks remain a very popular distribution method for both ransomware and other types of malware. In fact, STOP — which is the world's most prevalent ransomware by a very long chalk — is spread exclusively in this way.
"Bottom line: using pirated software may well get you more than you bargained for, and not in a good way."