This macOS malware can wipe your entire device

News
By
published

ThiefQuest ransomware wants to steal your data and wipe your macOS device - but there's a way to stop it

(Image credit: Shutterstock)

MacOS users are being warned to monitor their device security following the discovery of a potentially hugely damaging new form of ransomware.

Known as ThiefQuest, the malware targets macOS devices such as MacBooks, encrypting the entire system and stealing valuable data on the device.

If a ransom is not paid to release the files, then ThiefQuest is programmed to completely wipe the victim's device, deleting all items within - however there may be a way to stop it for good.

MacOS malware

ThiefQuest was first detected by researchers at security firm SentinelOne, who were able to carry out a full investigation into the malware.

The company first believed the malware was lacking certain finesse when investigating the ransom message alerting ThiefQuest victims to their fate. 

As usual with such alerts, it order victims to pay $50 within 72 hours if they wanted their files returned - however, it neglected to provide any contact email for information about decryption once this was paid, only a link to a ReadMe file containing details on a Bitcoin wallet to send the ransom funds to.

SentinelOne's research found that ThiefQuest (initially known as EvilQuest) used a custom encryption routine, and that its code suggested it was unrelated to the public key encryption methods commonly used for such attacks.

The researchers discovered ThiefQuest was instead looking in the system's /Users folder to try and steal files, with .doc, .pdf and .jpg items all targeted among others. However once found, these files were encrypted by a function that used a simple encoding tool that, when creating an encrypted file, simply added an extra data block containing the encryption/decryption key and the key that encodes it.

The attackers also failed to remove the function responsible for the decryption job, meaning getting the original file back was incredibly straightforward, and allowing SentinelOne to create and release a decryptor, which can be downloaded for free now.

Via BleepingComputer

TOPICS
Mike Moore
Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.