Computer security researchers uncovered a ransomware strain that exclusively targets computers running the macOS operating system. Known as OSX.ThiefQuest, the new Mac ransomware variant differs from other ransomware threats on its operations. Apart from encrypting files, the macOS ransomware installs a keylogger and a reverse shell on the infected devices. ThiefQuest also steals cryptocurrency wallet-related user files from the infected hosts. Researchers also found that the ransomware operators do not track payments and are unlikely to provide the decryption keys even if their customers paid the ransom.
Indicators of compromise of ThiefQuest macOS ransomware
Patrick Wardle, Principal Security Researcher at Jamf said ThiefQuest macOS ransomware maintains control over the infected host even after payment of the ransom. ThiefQuest threat operators continue to collect keystrokes and execute custom commands from its command-and-control server, which was located at andrewka6.pythonanywhere.com.
The ransomware disguises itself under various names such as “com.apple.questd” and “CrashReporter.” It can also detect whether it was running on a virtual machine and if any antivirus was running on the system to avoid detection.
Wardle said the macOS ransomware starts encrypting files immediately it is executed. Once encryption completes, the ransomware displays a popup informing the user of the infection and encryption of their files. The message then directs the user to open a ransom note stored on the desktop.
ThiefQuest also updates the Google Chrome update files allowing the ransomware to run whenever the files are executed. However, Reed said that activity was still under investigation because Google Chrome overwrites those files once it discovered an external application had modified them.
The ransomware completes the process by installing a keylogger and a reverse shell to record the user’s keystrokes and execute custom commands. The macOS ransomware also steals files related to cryptocurrency wallet applications.
The security experts believe the macOS ransomware was initially designed as spyware and that the encryption module was later added.
Removing ThiefQuest ransomware infection
The researchers found that the ransomware operators did not have contact information or a method of tracking payments, thus unable to know which user paid the ransom. Consequently, the researchers believe the demand for a ransom was a smokescreen to dupe desperate users into sending money without the hope of ever receiving the decryption keys. The researchers advised any affected user to consider their files lost and avoid paying the ransom.
Working together with the director of Mac & Mobile at Malwarebytes, Thomas Reed, and macOS security researcher at SentinelOne, Phil Stokes, the researchers are working to create a decryptor that would save Mac users from paying the ransom.
Wardle created a macOS ransomware protection tool name RansomWhere that can detect ThiefQuest ransomware. Malwarebytes for Mac also can protect mac devices from this ransomware variant, according to Reed.
Because most people consider Macs to be immune to malware compared to windows, Apple computers have become a lucrative target for cybercriminals who exploit macOS users’ false sense of security. Consequently, there are many ransomware variants targeting macOS users such as Gopher, Petya, KeRanger, Patcher, and Mabouia.
James McQuiggan, security awareness advocate at KnowBe4 commented that it was not surprising that threat actors were exclusively targeting Mac devices.
“It was only a matter of time before ransomware targeting Mac OS X became available in the wild, and it’s not a simple ransomware attack. Not only will the attack make your data unavailable, but it also contains other malware to steal credentials and other remote access functionality. For years, the Mac OS has provided a secure and private system for its end users. Cybercriminals are taking advantage of access to the system to enable the keyloggers to capture user credentials and passwords, which may not be evident via other attack methods.”
McQuiggan says the only guaranteed method of removing the ransomware was to format the infected devices. he says that recovering the files or paying the ransom could give users a false sense of relief only for the infection to reoccur.
“Cyber criminals may leave additional files undetectable by anti-malware systems and could result in further unauthorized access or data theft.”
He advises individual computer users and organizations to keep updated on the latest malware and social engineering threats.
Mode of distribution of ThiefQuest
Dinesh Devadoss, a researcher at K7 Lab security said the macOS ransomware had been in circulation from early June this year. Reed said ThiefQuest was spreading through pirated macOS software shared on various torrent streaming sites and online forums. Some of the apps used to spread the macOS ransomware include the DJ mixing software Mixed In Key, Ableton, and the Mac security tool Little Snitch. The researchers said that apart from the listed apps, more infected apps existed in the wild. To avoid infection, users should avoid downloading pirated files and any files from suspicious sources and torrent websites.