Viruses are uncommon enough on Apple’s platforms that users generally don’t worry about them, but security researchers this week discovered a rarity — Mac ransomware that’s both spreading in the wild and potentially dangerous because of the way it hides on an infected machine. Disclosed by Dinest Devadoss, Patrick Wardle, and Malwarebytes’ Thomas Reed, the EvilQuest ransomware appears to be spreading through pirated macOS apps, disguising its background processes as Apple’s CrashReporter or Google Software Update.
Downloaded alongside an app such as the packet sniffer Little Snitch or Mixed in Key 8 DJ software, EvilQuest masks itself first as an innocuous “patch” file within the Mac installer, then renames itself to blend in with system tasks that would be running thanks to macOS or Google’s Chrome browser. If the ransomware works, it spreads around the computer’s hard drive, then locks infected files behind a demand for $50 within three days, and a threat that the files will remain encrypted.
However, there are questions as to how well EvilQuest actually functions on its own, and what the full extent of its capabilities are. A key logger has been discovered within the ransomware, but the encryption system is still somewhat unknown.
For the time being, it appears that the only way to infect a Mac with EvilQuest is to download certain pirated applications, which provides a simple mechanism to stop the ransomware from spreading: Don’t pirate software. Users who think they might be infected can use Malwarebytes’ Mac app to remove it, and the firm suggests keeping “at least two backup copies of all important data,” one detached from the Mac at all times to avoid attacks on connected drives.