MacOS users are being warned to monitor their device security following the discovery of a potentially hugely damaging new form of ransomware.
Known as ThiefQuest, the malware targets macOS devices such as MacBooks, encrypting the entire system and stealing valuable data on the device.
If a ransom is not paid to release the files, then ThiefQuest is programmed to completely wipe the victim’s device, deleting all items within – however there may be a way to stop it for good.
ThiefQuest was first detected by researchers at security firm SentinelOne, who were able to carry out a full investigation into the malware.
The company first believed the malware was lacking certain finesse when investigating the ransom message alerting ThiefQuest victims to their fate.
As usual with such alerts, it order victims to pay $50 within 72 hours if they wanted their files returned – however, it neglected to provide any contact email for information about decryption once this was paid, only a link to a ReadMe file containing details on a Bitcoin wallet to send the ransom funds to.
SentinelOne’s research found that ThiefQuest (initially known as EvilQuest) used a custom encryption routine, and that its code suggested it was unrelated to the public key encryption methods commonly used for such attacks.
The researchers discovered ThiefQuest was instead looking in the system’s /Users folder to try and steal files, with .doc, .pdf and .jpg items all targeted among others. However once found, these files were encrypted by a function that used a simple encoding tool that, when creating an encrypted file, simply added an extra data block containing the encryption/decryption key and the key that encodes it.
The attackers also failed to remove the function responsible for the decryption job, meaning getting the original file back was incredibly straightforward, and allowing SentinelOne to create and release a decryptor, which can be downloaded for free now.