
EvilQuest Ransomware

Posted: July 1, 2020

The EvilQuest Ransomware is a combination of file-locking Trojan, backdoor Trojan and spyware. The EvilQuest Ransomware infiltrates macOS systems, encrypts their files and holds them for ransom, and at the same time collects information and opens a backdoor for remote attackers. Users of macOS devices should protect themselves with robust anti-malware services for removing the EvilQuest Ransomware, and with backups for recovering from any data encryption.

Trojans Questing for Cash from Mac Users

Threats attacking Mac-brand environments are on a gradual rise, but they still make up a minority of file-locking Trojans. The EvilQuest Ransomware, like the Fonix Ransomware or CoronaVirus Ransomware, isn't part of a typical Ransomware-as-a-Service operation, and its distribution does not appear to rely on hiring out to third-party affiliates. Active since early June, the EvilQuest Ransomware combines multiple styles of attack against macOS users, and gains access to their systems through software piracy.

The distribution method that malware experts have verified so far is bundling the EvilQuest Ransomware with pirated versions of premium software, such as the Little Snitch firewall tool or the Mixed In Key DJ software. The attackers acquire victims indiscriminately by seeding these trojanized installers on torrent networks and Russian Web forums.

Although some samples of the EvilQuest Ransomware include bugs that prevent installation or stop its attacks from running, the Trojan is functional in most infection attempts. In terms of its payload, malware researchers can point out the following three crucial features:

The EvilQuest Ransomware encrypts – and, therefore, locks – various media types (documents, pictures, cryptocurrency wallet files, spreadsheets, Web pages, and others) immediately, before displaying a pop-up alert to the victim. It also creates a ransom note in a text file with more details.

The Trojan also follows the increasingly common trend of data theft by including a keylogger that records keyboard input.

Lastly, it opens a backdoor that lets the attackers control the computer remotely, in this case via a reverse shell.

Many file-locking Trojans lack the last two capabilities, and neither of them produces visible symptoms. A victim may therefore treat the infection as over once the files are restored, while the keylogger and the backdoor remain in place. That attitude leaves a compromised system wide open to further exploitation by the EvilQuest Ransomware's operators.
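Because the backdoor described above leaves no visible trace, a practitioner checking a recovered Mac would want a concrete test for it. The following is an added example, not code from the original article and not derived from the EvilQuest sample itself: a generic hunt for the classic reverse-shell signature, a shell process whose standard input, output and error (file descriptors 0, 1 and 2) are bound to an established outbound TCP connection rather than to a terminal. It parses the output of `lsof -i -n -P` and assumes the usual nine-column layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME); the shell-name list and the embedded sample rows are the author's own constructed data, not observed EvilQuest indicators.

```python
"""Hunt for reverse shells in `lsof -i -n -P` output (macOS or Linux)."""
import re
import shutil
import subprocess
from collections import defaultdict

# Interactive shells whose stdio being bound to a TCP socket is suspicious.
# Assumption: this list is ours, not derived from the EvilQuest sample.
SHELLS = {"sh", "bash", "zsh", "dash", "ksh", "csh", "tcsh", "fish"}

# Constructed sample in the shape of `lsof -i -n -P` output (not captured
# from a real infection). PID 5133 is a zsh whose fds 0, 1 and 2 are all the
# same outbound TCP connection, the classic reverse-shell signature. The bash
# at PID 5200 only holds a socket on fd 3, as a normal tool would.
SAMPLE_LSOF = """\
COMMAND    PID  USER  FD  TYPE             DEVICE SIZE/OFF NODE NAME
Safari    4021 alice  34u IPv4 0x1f2c3d4e5f6a7b8c      0t0  TCP 192.168.1.20:52211->93.184.216.34:443 (ESTABLISHED)
sshd       712  root   4u IPv4 0x1f2c3d4e5f6a7b8d      0t0  TCP *:22 (LISTEN)
zsh       5133 alice   0u IPv4 0x1f2c3d4e5f6a7b8e      0t0  TCP 192.168.1.20:61022->203.0.113.45:1337 (ESTABLISHED)
zsh       5133 alice   1u IPv4 0x1f2c3d4e5f6a7b8e      0t0  TCP 192.168.1.20:61022->203.0.113.45:1337 (ESTABLISHED)
zsh       5133 alice   2u IPv4 0x1f2c3d4e5f6a7b8e      0t0  TCP 192.168.1.20:61022->203.0.113.45:1337 (ESTABLISHED)
bash      5200 alice   3u IPv4 0x1f2c3d4e5f6a7b8f      0t0  TCP 192.168.1.20:61100->203.0.113.45:443 (ESTABLISHED)
"""


def parse_lsof(text):
    """Parse lsof output into dicts. The first line is the header, and the
    NAME column may contain spaces, so split each row into at most 9 fields."""
    records = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        cmd, pid, user, fd, ftype, _dev, _size, node, name = parts
        fd_num = re.match(r"\d+", fd)  # FD looks like "0u", "34u", "4u"
        if fd_num is None:
            continue  # e.g. "cwd" or "txt" rows from a plain `lsof`
        records.append({"cmd": cmd, "pid": int(pid), "user": user,
                        "fd": int(fd_num.group()), "type": ftype,
                        "node": node, "name": name})
    return records


def find_reverse_shells(records, shells=SHELLS):
    """Return one hit per shell process with fd 0, 1 or 2 on an ESTABLISHED
    TCP connection. A legitimately used shell has those fds on a tty or pipe."""
    candidates = defaultdict(list)
    for r in records:
        if (r["cmd"] in shells and r["type"] in ("IPv4", "IPv6")
                and "ESTABLISHED" in r["name"] and r["fd"] in (0, 1, 2)):
            candidates[r["pid"]].append(r)
    hits = []
    for pid, recs in sorted(candidates.items()):
        # NAME is "local->remote (STATE)"; the peer is the part after "->".
        peer = recs[0]["name"].split("->")[-1].split()[0]
        hits.append({"pid": pid, "cmd": recs[0]["cmd"], "user": recs[0]["user"],
                     "std_fds": sorted(r["fd"] for r in recs), "peer": peer})
    return hits


def scan_live():
    """Run lsof on this host and return hits; [] when lsof is not installed.
    Run as root to see other users' processes."""
    if shutil.which("lsof") is None:
        return []
    out = subprocess.run(["lsof", "-i", "-n", "-P"], capture_output=True,
                         text=True, check=False)
    return find_reverse_shells(parse_lsof(out.stdout))


if __name__ == "__main__":
    for hit in find_reverse_shells(parse_lsof(SAMPLE_LSOF)):
        print(f"[!] sample: pid {hit['pid']} ({hit['cmd']}, user {hit['user']}) "
              f"has stdio fds {hit['std_fds']} on TCP connection to {hit['peer']}")
    for hit in scan_live():
        print(f"[!] live: pid {hit['pid']} ({hit['cmd']}) -> {hit['peer']}")
```

Two caveats matter in practice. A reverse shell that is upgraded to a pseudo-terminal (for example by spawning the shell under a pty) has its stdio on a tty, with the socket held by a parent process on a higher file descriptor, so this particular check misses it and should be paired with a look at unexpected outbound connections from any process. And since the article does not detail how the EvilQuest Ransomware implements its reverse shell, treat this as a general hunting heuristic for the class of backdoor it describes, not as a signature for that one sample.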

Keeping the Waft of Evil Out of Your Files

The EvilQuest Ransomware, like the STOP Ransomware RaaS and similar threats, illustrates the value of safe downloading habits. Users who avoid game cracks, pirated movies, illicit copies of premium software and the like are at far less risk of an EvilQuest Ransomware infection. Additionally, although there is no free decryptor for the EvilQuest Ransomware, most macOS anti-malware services should flag the threat appropriately.

Since the EvilQuest Ransomware combines several attacks with different purposes, an infection calls for a layered response. Backups remain the long-recommended answer to file-locking through encryption, rather than the gamble of paying ransoms such as the EvilQuest Ransomware's Bitcoin demands. Users also should disconnect the device from the internet until after a comprehensive disinfection, and then change any at-risk passwords. Logging in to Web accounts on a compromised device all but guarantees that the credentials, along with anything else the user types in the meantime, reach the EvilQuest Ransomware's attackers through the keylogger.

As noted, conventional anti-malware programs should remove the EvilQuest Ransomware, just as they do the many similar, if less versatile, file-locking Trojans.

The EvilQuest Ransomware is not the first Trojan to target macOS, but it belongs to a still-small group alongside the NetSupport Manager RAT and the CallMe backdoor Trojan. With an uncreative but effective set of features for turning computers into cash, it shows that a growing macOS user base can mean growth in the threat landscape as well.
