EvilQuest — The Silent Killer Among MacOS

Blake Potter
Maryville_University_Cyber_Fusion_Center
Mar 30, 2021

Malware Details

EvilQuest is one of the most recently discovered ransomware families, and unlike most ransomware it targets Apple computers running macOS. It also goes by the names ThiefQuest and Mac.Ransom.K; the ThiefQuest name reflects the fact that it steals data as well as encrypting it. It is only the third ransomware family found in the wild on macOS, and it can wreak havoc if it gets into one of your macOS systems. Once installed on the user's computer it does several things.

First, it encrypts the user's files with a symmetric key. Note that a symmetric key is not inherently easier to recover than an asymmetric one; what made recovery possible here is that the malware has to keep the key available on the victim's machine during encryption, and researchers were able to recover it from the encrypted files themselves and publish a decryptor. Second, EvilQuest runs several Python scripts that exfiltrate data back to the attacker. Finally, it searches the victim's computer for SSH private keys so that the attacker can reuse them to log into the victim's systems remotely.
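The three behaviours just described (mass rewrites of user files with ciphertext, reads of SSH private keys by something other than an SSH client, and a Python interpreter spawned by a non-interactive parent that talks to the network) are all visible in endpoint telemetry. The script below is an added example of triaging such telemetry; it is not part of the original post and not EvilQuest's own code. The event format, the process names, the dropper path, the thresholds and the sample events are all constructed assumptions for this example, not EvilQuest indicators.

```python
"""Heuristic triage of macOS endpoint telemetry for EvilQuest-style
behaviour: mass encryption of user files, theft of SSH private keys and
Python-driven exfiltration.  Event format, process names and thresholds
are assumptions made for this example, not EvilQuest IOCs."""
import math
import os
from collections import defaultdict

SSH_KEY_MARKERS = ("/.ssh/id_", "/.ssh/identity")
LEGIT_SSH_READERS = {"ssh", "ssh-agent", "ssh-add", "ssh-keygen", "sshd", "scp", "git"}
SCRIPT_RUNTIMES = {"python", "python2", "python3"}
INTERACTIVE_PARENTS = {"Terminal", "iTerm2", "zsh", "bash", "sh", "login", "Code"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents sit well below 7, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_writes_in_window(timestamps, window):
    """Largest number of writes that fall inside any `window`-second span."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def triage(events, window=60.0, min_writes=20, entropy_threshold=7.0, min_exts=3):
    """Return {pid: [finding, ...]} for processes that match a heuristic."""
    writes = defaultdict(list)  # pid -> [(ts, path, entropy)]
    findings = defaultdict(list)
    for ev in events:
        pid, name = ev["pid"], os.path.basename(ev["proc"])
        if ev["op"] == "write":
            writes[pid].append((ev["ts"], ev["path"], shannon_entropy(ev["data"])))
        elif ev["op"] == "read":
            # SSH private key opened by something that is not an SSH client
            if any(m in ev["path"] for m in SSH_KEY_MARKERS) and name not in LEGIT_SSH_READERS:
                findings[pid].append(f"ssh private key read by {name}: {ev['path']}")
        elif ev["op"] == "connect":
            # python talking to the network without a human-driven parent
            if name in SCRIPT_RUNTIMES and ev["parent"] not in INTERACTIVE_PARENTS:
                findings[pid].append(f"{name} spawned by {ev['parent']} connected to {ev['dest']}")
    for pid, ws in writes.items():
        burst = max_writes_in_window([t for t, _, _ in ws], window)
        high = sum(1 for _, _, e in ws if e >= entropy_threshold)
        exts = {os.path.splitext(p)[1].lower() for _, p, _ in ws}
        # many files of several types rewritten as ciphertext in a short burst
        if burst >= min_writes and high / len(ws) >= 0.8 and len(exts) >= min_exts:
            findings[pid].append(
                f"{burst} high-entropy rewrites across {len(exts)} file types in {window:.0f}s")
    return dict(findings)


def constructed_events():
    """Synthetic telemetry (constructed, not real): one malicious process plus benign noise."""
    ciphertext = bytes(range(256))                # entropy 8.0, stands in for encrypted output
    plaintext = b"Quarterly report draft. " * 12  # low entropy, an ordinary document save
    bad = "/Users/alice/Library/.cache/update"    # hypothetical dropper path
    exts = [".docx", ".xlsx", ".jpg", ".pdf", ".key"]
    events = []
    for i in range(25):
        events.append({"ts": 100.0 + i, "pid": 4242, "proc": bad, "op": "write",
                       "path": f"/Users/alice/Documents/file{i}{exts[i % 5]}", "data": ciphertext})
    events.append({"ts": 126.0, "pid": 4242, "proc": bad, "op": "read",
                   "path": "/Users/alice/.ssh/id_rsa"})
    events.append({"ts": 127.0, "pid": 4243, "proc": "/usr/bin/python3", "parent": "update",
                   "op": "connect", "dest": "203.0.113.10:80"})
    # benign activity that must not fire
    events.append({"ts": 130.0, "pid": 310, "op": "write", "data": plaintext,
                   "proc": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
                   "path": "/Users/alice/Documents/report.docx"})
    events.append({"ts": 131.0, "pid": 320, "proc": "/usr/bin/ssh", "op": "read",
                   "path": "/Users/alice/.ssh/id_rsa"})
    events.append({"ts": 132.0, "pid": 330, "proc": "/usr/bin/python3", "parent": "Terminal",
                   "op": "connect", "dest": "151.101.0.223:443"})
    return events


if __name__ == "__main__":
    for pid, notes in triage(constructed_events()).items():
        print(pid, *notes, sep="\n  ")
```

Run stand-alone, the script reports only pids 4242 (key theft plus the encryption burst) and 4243 (the Python exfiltration child); the Word save, the real `ssh` client and the interactive `python3` session produce nothing. The entropy and burst thresholds are starting points to tune against your own fleet's baseline, and the process allow-lists should be generated from what actually runs on your Macs rather than copied from here.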

Affected Systems

EvilQuest targets computers running macOS, so it will be seen almost exclusively on Apple hardware. That is unusual: the large majority of ransomware targets Windows, with Linux a distant second.

Remediation

There are a few precautions and steps that we recommend in order to keep this ransomware out of your environment:

1. Do not download or run software from untrusted sources, and do not click links provided by one. EvilQuest spread through pirated copies of popular macOS applications.

2. Deploy a next-generation antivirus or EDR product in your environment and install its agent on every device, including Macs.

3. Keep your macOS devices on the latest software release and develop a regular patching schedule.

Doing all of these will greatly reduce the chance of EvilQuest getting into your environment. It is important to remember that this ransomware specifically targets macOS devices. If your organization uses only Windows devices it is less of a threat, but any Macs you do have, including unmanaged ones, need the same coverage as the rest of your fleet.
