CERT-In said that the ransomware has been spreading since June 2020.
macOS cybersecurity warning: The Indian Computer Emergency Response Team (CERT-In) has recently issued a warning about a ransomware family called ThiefQuest or EvilQuest that attacks macOS. In a virus alert published on its website, CERT-In said that the ransomware has been spreading since June 2020. Here is all you need to know about it.
How does the ransomware work?
- According to CERT-In, the ransomware enters a macOS laptop through installers of legitimate applications such as Ableton, Mixed in Key and Little Snitch that are shared on torrent websites. Once the installer has been launched, ThiefQuest begins encrypting any file smaller than 800 KB that carries an extension such as .pdf, .jpg, .txt, .doc, .pem, .pages, .h, .cer, .m, .crt, .php, .wallet, .zip, .hpp, .cpp, .html, etc.
- Once encryption is complete, it creates a text file titled “READ_ME_NOW.txt” containing the ransom instructions. A message also appears on the user's screen stating that many of their important files have been encrypted and cannot be recovered without the attacker's decryption service. It says the user must pay $50 to regain control of their files, and the .txt file explains how to pay the ransom.
- CERT-In added that ThiefQuest not only encrypts files on the system but also installs a keylogger and a remote shell, and steals files related to cryptocurrency wallets.
- It also noted that the instruction file left by the attackers contains no email address through which infected hosts could contact them to request decryption once the ransom has been paid. This means the attackers have no way to identify victims who have already paid.
- The team reported that even after a victim has paid the ransom, the attackers retain access to the victim's computer and can continue to exfiltrate files and keystrokes. In other words, the attackers can keep spying on the victim's computer.
- Apart from this, CERT-In said that ThiefQuest also downloads Python scripts disguised as GIF images and then runs them. If a file matches the scripts' search criteria, its contents are base64-encoded and sent to the command-and-control (C&C) server.
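As an added illustration (not part of the CERT-In advisory or this article), the following Python inventory script applies the file-selection rule described above from the defender's side: it lists which files on a host fall within the "under 800 KB with a targeted extension" scope, so backups or encryption of confidential files can be prioritised, and it flags any READ_ME_NOW.txt ransom note already present. The extension set is the one quoted above (a subset, since the advisory's list ends with "etc."), the 1024-byte kilobyte is an assumption, and the sample directory tree is constructed inline.

```python
"""Defender's exposure check for the ThiefQuest file-selection rule quoted by CERT-In
(files under 800 KB with a targeted extension); also flags the ransom note."""
import tempfile
from pathlib import Path

SIZE_LIMIT = 800 * 1024  # "less than 800 KB"; a 1024-byte KB is an assumption
RANSOM_NOTE = "READ_ME_NOW.txt"
# Extensions named in the advisory (its list ends with "etc.", so this is a subset).
TARGETED_EXTENSIONS = {
    ".pdf", ".jpg", ".txt", ".doc", ".pem", ".pages", ".h", ".cer",
    ".m", ".crt", ".php", ".wallet", ".zip", ".hpp", ".cpp", ".html",
}


def in_scope(path: Path) -> bool:
    """True if the file matches the advisory's size-and-extension criteria."""
    return (path.is_file()
            and path.suffix.lower() in TARGETED_EXTENSIONS
            and path.stat().st_size < SIZE_LIMIT)


def scan(root) -> dict:
    """Walk root; report in-scope files, ransom notes found and bytes at risk."""
    root = Path(root)
    at_risk, notes, total = [], [], 0
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.name == RANSOM_NOTE:
            notes.append(rel)        # a note present means the host was likely hit
        elif in_scope(p):
            at_risk.append(rel)
            total += p.stat().st_size
    return {"at_risk": sorted(at_risk), "ransom_notes": sorted(notes), "bytes_at_risk": total}


def demo() -> dict:
    """Constructed sample tree: two in-scope files, one too large, one wrong type."""
    root = Path(tempfile.mkdtemp())
    (root / "keys").mkdir()
    (root / "notes.txt").write_bytes(b"x" * 100)             # in scope
    (root / "keys" / "server.pem").write_bytes(b"y" * 2048)  # in scope (nested)
    (root / "big.pdf").write_bytes(b"z" * SIZE_LIMIT)        # exactly 800 KB: not "less than"
    (root / "clip.mp4").write_bytes(b"w" * 10)               # extension not targeted
    (root / RANSOM_NOTE).write_text("constructed ransom note placeholder")
    return scan(root)
```

Run `scan("/Users/<name>")` on a real home directory to get the at-risk list; `demo()` only exercises the rule against the constructed tree.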
How can a ThiefQuest attack be prevented?
CERT-In also listed a number of measures that macOS users can take to prevent such an attack.
- The team advised users to disable remote access when it is not in use.
- Users should ensure that all applications and the operating system are updated regularly.
- CERT-In also advised users not to open attachments in unsolicited emails, even if the mail appears to come from someone in their contact list. Likewise, URLs in unsolicited emails should not be opened. If a URL seems genuine, users should close the email and navigate to the website directly in the browser instead of following the link.
- Users should consider encrypting files that contain confidential information, since the ransomware appears to target only common file types.
- Regular backups of all critical data should be performed so that data loss is limited and recovery is quick. Preferably, the data should be backed up to a separate device that is kept offline.
- Ad blockers should be installed.
- In an enterprise environment, execution of PowerShell/WSCRIPT should be restricted. Where PowerShell is used, the latest version should be installed with enhanced logging enabled.