Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

New 'EvilQuest' ransomware is actively targeting macOS users in the wild

EvilQuest is a new piece of Mac ransomware, but also has capabilities that could allow attackers full access of infected Macs.

A new piece of Mac ransomware distributed via pirated software, dubbed "EvilQuest," is actively targeting macOS users in the wild.

Although ransomware specifically aimed at Mac users are particularly rare, new instances of malicious software that encrypt user files and demands a ransom to unlock them do surface from time to time.

On Tuesday, several security researchers published analysis and reports of the newly discovered "OSX.EvilQuest" ransomware. First spotted by independent malware researcher Dinesh Devadoss, EvilQuest is said to have been circulating in the wild since the start of June 2020, ZDNet reported.

EvilQuest has a few nefarious additions that make it unique among ransomware examples. In addition to maliciously encrypting a user's files and charging money to unlock them, EvilQuest also installs a keylogger and a reverse shell on a system, along with code that steals cryptocurrency wallet files.

The EvilQuest ransom note. Credit: Patrick Wardle
The EvilQuest ransom note. Credit: Patrick Wardle

According to former NSA hacker and Jamf macOS security researcher Patrick Wardle, those capabilities could allow attackers "full control over an infected host."

As with previous pieces of Mac ransomware, it appears that EvilQuest is distributed via pirated software. Researchers have found it bundled in a package called Google Software Update, while others have seen it hidden in pirated versions of DJ app Mixed In Key and security tool Little Snitch.

According to Malwarebytes Mac & Mobile chief Thomas Reed, the ransomware also attempts to modify files in Google Chrome's update mechanism in an effort to gain persistence on an infected machine.

This the third instance of a piece of ransomware surfacing that specifically targets macOS users, following the discovery of Patcher in 2017 and KeRanger in 2016.

How to avoid or mitigate the EvilQuest ransomware

At this point, it appears that EvilQuest is solely being distributed through torrenting websites and pirated software. So if you stick to the Mac App Store or third-party developers that you trust, you should be able to avoid getting it.

There are also two apps that can mitigate the risks of EvilQuest for users.

Wardle's free and open-source RansomWhere? app can generically detect and stop ransomware on macOS. The latest version of Malwarebytes can also detect and mitigate EvilQuest before it does any damage.