The victims of the ThiefQuest (EvilQuest) ransomware victims can recover their encrypted files without needing to pay the ransom due to the availability of a free decryptor.
Early July, security expert K7 Lab malware researcher Dinesh Devadoss uncovered a new piece of ransomware dubbed EvilQuest designed to encrypt macOS systems, it is also able to install additional payloads and potentially take over the infected machine.
Unlike other MacOSx threats, EvilQuest also installs a keylogger, a reverse shell, and steals cryptocurrency wallets from infected hosts.
According to the experts, the EvilQuest ransomware has been distributed in the wild since the beginning of June.
Threat actors have started distributing the ransomware in tainted pirated macOS software uploaded on torrent portals and online forums.
Once encrypted the file on the infected host, a popup is displayed to the victim, informing it that its files have been encrypted.
The victims is directed to open a ransom note dropped on their desktop that includes instructions for the payment of the ransomware.
The ransomware currently targets the following file extensions, as reported by ZDNet:
.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, .keynote, .js, .sqlite3, .wallet, .dat
MalwareBytes researchers noticed that the malware also attempts to modify some files specific that are part of GoogleSoftwareUpdate and attempt to use them to achieve persistence on infected hosts.
Patrick Wardle has found some samples of malware that have been hidden inside a pirated version of popular DJ software Mixed In Key, while Reed found it inside the macOS security tool Little Snitch.
Now security firm SentinelOne has released a free decryptor software that allows victims of the TiefQuest ransomware to recover their encrypted files.
SentinelOne researchers analyzed the source code of the ransomware and were able to make reverse engineering of the encryption mechanism.
“Of particular interest from a research perspective is the custom encryption routine. A cursory inspection of the malware code suggests that it is not related to public key encryption. At least part of it uses a table normally associated with RC2.” reads the post published by SentinelOne. “The possible usage of RC2 and time-based seeds for file encryption led me to look deeper at the code, which allowed me to understand how to break the malware’s encryption routine. As a result, our team created a decryptor for public use.”
“Researchers say that while ThiefQuest encrypts files as soon as it infects a macOS system, the malware does not come with a mechanism for tracking users who paid the ransom demand, nor does it provide a contact method so users can contact the ThiefQuest team with details about their payment and receive instructions on how they could unlock their files.” reads the post published by ZDNet.
This means that victims of the ThiefQuest ransomware were not able to recover their files, even if they paid the ransom demand.
SentinelOne has released the ThiefQuest decryptor binary and it plans to release its code as open-source.
(SecurityAffairs – malware, ThiefQuest ransomware)