New Mac Ransomware Found in Pirated Mac Apps

There's a new 'EvilQuest' Mac ransomware variant that's spreading through pirated Mac apps, according to a new report shared today by Malwarebytes. The new ransomware was found in a pirated download of the Little Snitch app on a Russian forum.


Right from the point of download, it was clear that something was wrong with the illicit version of Little Snitch, as it had a generic installer package. It installed the actual version of Little Snitch, but it also installed an executable file named "Patch" into the /Users/Shared directory and a post-install script for infecting a machine.

The installation script moves the Patch file into a new location and renames it CrashReporter, the name of a legitimate macOS process, keeping it hidden in Activity Monitor. From there, the Patch file installs itself in several spots on the Mac.
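As a triage aid for the behavior described above, the following added example (not code from Malwarebytes or from this article) lists executable files with a Mach-O header in a directory, defaulting to /Users/Shared, where the report says the "Patch" binary was dropped. The function names are hypothetical, and a hit is only a lead for further inspection, since legitimate software can also place binaries there.

```bash
#!/bin/bash
# Added example: find executable Mach-O files in a shared, user-writable directory.
# Default directory is /Users/Shared, the drop location named in the report.

# Print the first four bytes of a file as lowercase hex, e.g. "cffaedfe".
magic_of() {
    head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Return 0 if the file starts with a Mach-O or universal (fat) magic number.
# Note: cafebabe is also the Java class-file magic, so confirm hits with file(1).
is_macho() {
    case "$(magic_of "$1")" in
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every regular file under the directory that has the owner-execute
# bit set and begins with a Mach-O magic number.
scan_shared() {
    dir="${1:-/Users/Shared}"
    find "$dir" -type f -perm -100 2>/dev/null | while IFS= read -r f; do
        if is_macho "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Scan the directory given as the first argument, or /Users/Shared by default.
scan_shared "$@"
```

Each path printed can then be checked with `codesign -dv` and `file` before deciding whether it belongs to installed software.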

The ransomware encrypts settings and data files on the Mac, like Keychain files, resulting in an error when attempting to access the iCloud Keychain. The Finder also malfunctioned after installation, and there were problems with the dock and other apps.

Malwarebytes found the ransomware to work poorly and was not able to get instructions on paying the ransom, but a screenshot found on the forums where the malicious software originated suggests it's meant to prompt users to pay $50 to recover access to their files. Note: anyone infected with this ransomware or any ransomware should not pay the fee, because it does not remove the malware.

Along with the ransom activity, the malware may also install a keylogger for monitoring keystrokes, but what the malware does with the functionality is unknown. Malwarebytes says that its software for Mac is able to remove the ransomware, detected as Ransom.OSX.EvilQuest. Encrypted files will require a restore from a backup, though.

Similar ransomware was found in other pirated apps, and Mac users can avoid it by staying away from pirated apps and untrustworthy websites and forums that offer illicit downloads.

Top Rated Comments

1 day ago at 11:47 am
Stick to legit apps from legit services and you'll be fine. Also keep an eye to make sure the apps are properly signed.

To have this happen you have to bypass macOS security and allow the non-signed installer to run. It's like giving the keys to your house to some questionable person on the street and then being surprised when they take your stuff.
Score: 27 Votes

1 day ago at 11:47 am
While more ransomware on Macs is not welcome, pirates get what pirates get.
Score: 24 Votes

1 day ago at 11:49 am
That's what you get for pirating apps.
Score: 17 Votes

1 day ago at 11:56 am


Not to worry, this is what developers want apparently, rather than paying 30% to Apple.

I'm not sure you understand the situation fully...
Score: 17 Votes

1 day ago at 11:48 am
In any case, if this happens to you, a 2-step procedure will save the day:
- boot into Internet Recovery (can't be sure if the on-disk recovery data is compromised)
- reinstall from Time Capsule
Score: 16 Votes

1 day ago at 11:50 am
No sympathy for anyone that pirates software.
Score: 14 Votes
