What’s worse than ransomware? Malware that poses as ransomware while a different payload operates in the background. This type of malware is so insidious because of its misdirection: while the victim is busy trying to figure out how to resolve the ransomware infection, the real malware is free to do its work in the background without being detected.
This is exactly the case with EvilQuest ransomware. Because the EvilQuest ransomware component is easy to spot on a Mac, the actual malware has an easier time operating, since the user is focused on the smokescreen ransomware.
What is EvilQuest Ransomware on Mac
EvilQuest ransomware, also known as ThiefQuest, is one of the newest strains of ransomware, discovered in June 2020. It is usually bundled with pirated copies of popular Mac applications, including Little Snitch, Mixed In Key, and Ableton Live. Aside from app bundling, it has also been found disguising itself as the Google Software Update program.
EvilQuest works by encrypting the victim’s documents and files using a strong cryptographic algorithm. You’ll be alerted to the presence of the ransomware when you get this pop-up message:
Your files are encrypted
Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted.
Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees.
Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop
It also drops a ransom note, entitled READ_ME_NOW.txt. The note reiterates what was already mentioned in the pop-up message, then adds more details regarding the payment:
We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don’t believe this statement).
Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there’s a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included.
In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever.
Payment has to be deposited in Bitcoin based on Bitcoin/USD exchange rate at the moment of payment. The address you have to make payment is:
Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored.
THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE
More Than a Ransomware
When you look at the ransom note, you’ll immediately notice the very low ransom fee. It is negligible compared to the $980 ransom demanded by variants from the STOP/Djvu ransomware family or the $4,000 to $8,000 ransom of the Locky malware. Plus, you’ll notice that no contact information is given in the note, so there is no way for the victim to reach the attacker.
This makes you wonder whether the attackers are serious about the whole thing. Asking for $50 in ransom seems like a joke, making a lot of security experts doubtful about the true nature of this malware. And after further analysis, security researchers were able to confirm that the EvilQuest Ransomware is more than just ransomware.
It has functions and capabilities that go beyond encrypting files and asking for that measly ransom. On closer inspection, it turns out that EvilQuest also comes with keylogging and data theft functionality. It is able to collect your images, various types of text documents, databases, presentations, spreadsheets, crypto wallets, backups, and other sensitive data. The malware is also able to determine whether it is currently running in a virtual machine and which security solutions are installed, allowing it to adapt its persistence strategies.
When the ransomware scans your system and finds data matching any of the targeted file types, it stealthily connects to its command-and-control service by opening a reverse shell. The malware uses this as a backdoor to download additional files onto your Mac and exfiltrate the collected data without your knowledge. At the same time it encrypts some of your files, diverting your attention away from what it is actually doing.
Here are some of the extensions encrypted by this ransomware:
.pdf, .doc, .txt, .jpg, .pem, .pages, .cer, .py, .h, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .keynote, .js, .crt, .php, .m, .hpp, .pptx, .cpp, .cs, .sqlite3, .pl, .p, .p3, .wallet, .html, .dat, and others.
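One way a defender can triage a Mac after the fact is to look for files with the extensions listed above whose contents no longer look like what the extension promises: ransomware output is close to random, so a .txt or .py file scoring near 8 bits of entropy per byte is a strong signal. The script below is an added example, not code from the article or from any of the tools it mentions. The threshold, the minimum file size, the split between plaintext-type and already-compressed extensions, and the constructed sample tree are all assumptions made for this example.

```python
"""Entropy-based triage for files of the types EvilQuest targets.

Added example, not from the article. A file with a plaintext-type extension
(.txt, .py, .html, ...) whose bytes are nearly uniformly distributed has
most likely been encrypted. Compressed formats (.zip, .jpg, .pdf, .docx)
are naturally high-entropy and are skipped to avoid false positives.
"""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Subset of the extensions the article lists, limited to formats whose
# legitimate content is low-entropy text (assumption made for this example).
PLAINTEXT_EXTS = {".txt", ".py", ".h", ".hpp", ".cpp", ".cs", ".js", ".php",
                  ".html", ".pl", ".m", ".pem", ".crt", ".cer", ".xsl", ".p"}
# Also in the article's list, but compressed/binary by nature: not scanned.
COMPRESSED_EXTS = {".zip", ".jpg", ".pdf", ".docx", ".pptx", ".pages",
                   ".keynote", ".sqlite3", ".dat", ".wallet"}

ENTROPY_THRESHOLD = 7.9   # assumed: bits/byte; 8.0 is the ceiling
MIN_SIZE = 256            # assumed: tiny files give unreliable estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspect(path: Path, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True if a plaintext-type file is large enough and near-random."""
    if path.suffix.lower() not in PLAINTEXT_EXTS:
        return False
    try:
        data = path.read_bytes()
    except OSError:
        return False
    if len(data) < MIN_SIZE:
        return False
    return shannon_entropy(data) >= threshold


def scan_tree(root: Path) -> list[str]:
    """Walk a directory tree and return sorted paths of suspect files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_suspect(p):
                hits.append(str(p))
    return sorted(hits)


def ransom_note_present(home: Path) -> bool:
    """The article says the note READ_ME_NOW.txt is dropped on the Desktop."""
    return (home / "Desktop" / "READ_ME_NOW.txt").is_file()


# Constructed sample data: readable text versus a seeded random byte stream
# standing in for ciphertext (deterministic so the demo is repeatable).
PLAIN = b"Quarterly notes: the build passed and the backup job ran at 02:00.\n" * 200
CIPHER_LIKE = random.Random(1234).randbytes(16 * 1024)


def build_demo_tree(root: Path) -> Path:
    """Create a small constructed tree with one encrypted-looking text file."""
    (root / "docs").mkdir()
    (root / "src").mkdir()
    (root / "docs" / "notes.txt").write_bytes(PLAIN)         # low entropy
    (root / "src" / "main.py").write_bytes(PLAIN)            # low entropy
    (root / "docs" / "report.txt").write_bytes(CIPHER_LIKE)  # flagged
    (root / "docs" / "photo.jpg").write_bytes(CIPHER_LIKE)   # compressed: skipped
    (root / "docs" / "tiny.txt").write_bytes(b"\x00\xff" * 20)  # below MIN_SIZE
    return root


def run_demo() -> list[str]:
    """Build the constructed tree in a temp dir and return flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(Path(tmp))
        return [Path(p).name for p in scan_tree(root)]


if __name__ == "__main__":
    print("suspect files:", run_demo())
    print("ransom note on Desktop:", ransom_note_present(Path.home()))
```

This is an after-the-fact check, not a substitute for behavioural monitoring: a tool such as RansomWhere? watches the process doing the encrypting and stops it, whereas this scan only tells you which text-type files have already been turned into ciphertext, which helps scope the damage before restoring from backup.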
How to Remove EvilQuest Ransomware from Mac
Fortunately, a lot of security software is now able to detect the EvilQuest ransomware and purge it from your Mac. You can use your antivirus program to delete both the ransomware and the “extra” components (the reverse shell and keylogger functionality) from your computer. Malwarebytes is one of the effective tools for removing EvilQuest Mac ransomware. Patrick Wardle’s RansomWhere? tool is also able to detect and stop the malicious encryption processes of the EvilQuest ransomware. Unfortunately, removing the malware with these tools does not decrypt anything, so you will still face significant data loss if you don’t have a backup of your files.
If you don’t have a backup of your files, you can use the EvilQuest decryptor recently released by SentinelOne. You can check out the demo video here to help you figure out how to use it. However, you still need to remove the ransomware from your computer and clean up your Mac before using this decryptor, because it will only unlock your files and will not remove the malware.