Image supplied

Tech experts warn new Mac ransomware more sinister than it appears

The Mac malware, known as ‘ThiefQuest’ also has spyware capabilities that allow it to grab passwords and credit card numbers.


Image supplied

Security experts are warning of a new Mac ransomware being spread via pirated software from torrent sites.

Dinesh Devadoss, a malware researcher at the firm K7 Lab, first published findings about the new edition of Mac ransomware. Once installed, the malware — dubbed “ThiefQuest” — begins to spread itself “liberally” around the hard drive. Much of the nefarious software’s behaviour is still not really understood, however.

What does the ransomware do?

As with all ransomware, it eventually begins encrypting as many files as it can, locking users out of their digital property until a ransom is paid for their return.

In addition to ransomware, Devadoss says ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust key logger to grab passwords, credit card numbers, or other financial information as a user types it in.

The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or “second-stage,” attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

How can your computer get infected?

Though ThiefQuest is packed with menacing features, it’s unlikely to infect your Mac anytime soon unless you download pirated, unvetted software.

Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton.

K7’s Devadoss notes that the malware itself is designed to look like a “Google Software Update programme”.

The anti-malware company advises the public to always have a host of backup copies of their data stored on a separate hard drive. Doing so strips any power bad actors attempt to exercise when they use ransomware for blackmail, as you always have a copy of your data safely stored elsewhere.

Also read: Google: Here is how phishing and malware attacks are evolving