Beware! A New Type Of Dangerous Mac Ransomware Is Making The Rounds

Posted in Commentary with tags on July 2, 2020 by itnerd

Wired has a story on a new type of Mac ransomware that is out there. Now if you don’t download pirated software, this isn’t a threat to you. At least not at the moment. But that is likely to change given how sophisticated this ransomware is:

The threat of ransomware may seem ubiquitous, but there haven’t been too many strains tailored specifically to infect Apple’s Mac computers since the first full-fledged Mac ransomware surfaced only four years ago. So when Dinesh Devadoss, a malware researcher at the firm K7 Lab, published findings on Tuesday about a new example of Mac ransomware, that fact alone was significant. It turns out, though, that the malware, which researchers are now calling ThiefQuest, gets more interesting from there. In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or “second stage,” attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Though ThiefQuest is packed with menacing features, it’s unlikely to infect your Mac anytime soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton. K7’s Devadoss notes that the malware itself is designed to look like a “Google Software Update program.” So far, though, the researchers say that it doesn’t seem to have a significant number of downloads, and no one has paid a ransom to the Bitcoin address the attackers provide. […] Given that the malware is being distributed through torrents, seems to focus on stealing money, and still has some kinks, the researchers say it was likely created by criminal hackers rather than nation state spies looking to conduct espionage.

Clearly this is pretty sophisticated stuff, and the means of distributing it will likely become more targeted over time, as I cannot see the authors of this ransomware sticking with the hope that you will download pirated software. I say that because whoever designed this clearly has something more “interesting” in mind.

Here’s some general advice for you. Back up your files every single day. That way, if you get infected by ransomware, you can just nuke the computer, restore your files and go on with your life without paying the ransom. And paying the ransom is something that you should never, ever do, as it only encourages the scumbags who make ransomware. You might not get your files back either, which means that you handed these scumbags your money for no good reason.