Culture

This macOS ransomware disguises itself as legitimate system tasks

The only way to protect yourself is to keep multiple backups of your files, just in case.

Angry stressed african business man using laptop mad about broken computer online problem annoyed wi...
Shutterstock

You’re not alone if you think Apple products can’t get viruses. And to be fair there are a lot more written for Windows-based operating systems, but that’s simply because there are more Windows devices out there. Your Mac can indeed contract viruses — and your files are very much at risk if you do.

Just $50? A steal!Malwarebytes

This week a group of security workers discovered a particularly nasty piece of ransomware aptly named OSX.ThiefQuest that disguises itself as macOS and Google processes. The virus was originally called EvilQuest — a fitting name, to be sure — but was later changed by its discoverers because they found out a real game by that name already exists.

According to security researchers, OSX.ThiefQuest has been spreading through downloads of pirated macOS apps. In general, you should be able to avoid it by just staying away from those pirated apps. If you do think you’ve been infected, the Malwarebytes app should be able to remove it from your system.

How does it work? — The ransomware operates by pretending to be a legitimate patch file included with pirated downloads of popular software like Little Snitch (a packet sniffer) and Mixed In Key 8 (DJ software). That “patch” file worms its way into the hard drive as part of the installation process for both of these apps.

Once installed, the virus renames its processes to blend in with system tasks — with names like “CrashReporter” and “Google Software Update” making it very difficult to pick out the ransomware from the pack.

Then the ransomware starts encrypting random files on your computer. Researchers noted the virus messing with everything from Dock Settings files to the system clock. Then, if the virus is able to complete its processing, a ransom message asking for $50 in the next three days pops up. Some researchers noted that the popup even sometimes comes along with a fun robotic voice reading the ransom message.

Not particularly good ransomware — Despite being pretty annoying, OSX.ThiefQuest is very mild in comparison to the myriad of dangerous computer viruses your machine could contract.

In early research, OSX.ThiefQuest sometimes didn’t even make it to the ransom end-goal of its software. Sure, the macOS Finder froze up, the rainbow beach ball started spinning with reckless abandon — but the popup asking for $50 in the next three days never appeared.

Whether or not the popup appears, the random files encrypted by the virus are as good as gone. Researchers haven’t been able to crack the encryption yet. For that reason, the researchers note that the only real protection against the virus is to back up everything in multiple locations. That way you can wipe the infected files and start fresh.