Security researchers from Cybereason revealed a new form of fileless ransomware discovered in the wild, called EvilQuest, specifically designed for macOS systems. The malware is capable of executing various nefarious commands like encryption of victim’s files and installing backdoors, granting attackers full access to the infected system. The ransomware disguises itself as a legitimate installer of popular macOS software and games, such as Little Snitch, Google Software Update, and Hackintosh, available on Torrent files and online forums. Once installed, EvilQuest runs and begins encrypting files such as photos, documents, videos, and music, then changes the file extension to “.evil,” which makes it nearly impossible for victims to regain access to their files without paying a ransom. The ransom note demands $50 in Bitcoin in exchange for a decryption key. Researchers also found the malware features additional capabilities, such as file exfiltration, keylogging, and creating a reverse shell, resulting in full control to download and execute any payload. The researchers speculate the malware may be related to another macOS ransomware discovered in 2017, Patcher. The attack highlights the lack of reliable native anti-malware tools for macOS users, making it essential for Apple’s developers to enhance its security mechanisms.
