This macOS malware can erase your entire device


macOS users are being warned to keep an eye on their device security after the discovery of a potentially extremely harmful new form of ransomware. Known as ThiefQuest, the malware targets macOS devices such as MacBooks, encrypting the entire system and stealing valuable data from the device. If a ransom is not paid to free the files, ThiefQuest is programmed to completely wipe the victim's device, removing everything on it; however, there may be a way to stop it permanently.

MacOS Malware

ThiefQuest was first detected by researchers from security company SentinelOne, who were able to conduct a full investigation of the malware. The company initially believed the malware lacked finesse when it examined the ransom message that tells ThiefQuest victims what has happened to their machine. As is usual with such alerts, it orders victims to pay €50 within 72 hours if they want their files returned; however, it provides no contact email for decryption information once the ransom is paid, just a link to a readme containing details of a Bitcoin wallet to send the funds to.

SentinelOne's investigation revealed that ThiefQuest (originally known as EvilQuest) used a custom encryption routine, and that its code suggested it was unrelated to the public-key encryption methods commonly used in such attacks. Investigators found that ThiefQuest searched the system's /Users folder for files to steal, targeting .doc, .pdf and .jpg files among others. Once found, these files were encrypted by a function that used a simple encryption tool which, when creating an encrypted file, simply appended an additional data block containing the encryption/decryption key together with the key used to encode it. The attackers also failed to remove the function responsible for decryption, which meant recovering the original file was incredibly simple and allowed SentinelOne to create and publish a decryptor, which is free to download now.

Via BleepingComputer
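To show why appending the key material to the encrypted file makes recovery trivial, here is an added illustrative model (not ThiefQuest's actual code, cipher or file format): a toy scheme whose trailer layout, marker bytes and XOR cipher are all assumptions, paired with the analyst-side routine that parses the trailer and restores the plaintext without any attacker-held secret.

```python
"""Model of a self-defeating ransomware file format.

Added example; none of this is ThiefQuest's code or format. It models a
scheme that appends the file key, obfuscated under a second key, plus
that second key, to the ciphertext. Everything needed to decrypt is
therefore inside the file, which is what let a free decryptor be built.
"""
import os

MAGIC = b"KEYBLK"  # constructed trailer marker (assumption)
KEY_LEN = 16       # constructed key size (assumption)
TRAILER_LEN = len(MAGIC) + 2 * KEY_LEN


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, standing in for the malware's custom cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_with_embedded_key(plaintext: bytes) -> bytes:
    """Flawed scheme: ciphertext || MAGIC || xor(file_key, key_key) || key_key."""
    file_key = os.urandom(KEY_LEN)
    key_key = os.urandom(KEY_LEN)
    trailer = MAGIC + _xor(file_key, key_key) + key_key
    return _xor(plaintext, file_key) + trailer


def has_key_block(blob: bytes) -> bool:
    """Triage check: does this file carry the embedded key block?"""
    return len(blob) >= TRAILER_LEN and blob[-TRAILER_LEN:-2 * KEY_LEN] == MAGIC


def recover_plaintext(blob: bytes) -> bytes:
    """Analyst-side recovery: read the trailer, undo the key obfuscation,
    then decrypt the body. No key from the attacker is required."""
    if not has_key_block(blob):
        raise ValueError("no embedded key block found")
    body, trailer = blob[:-TRAILER_LEN], blob[-TRAILER_LEN:]
    encoded_key = trailer[len(MAGIC):len(MAGIC) + KEY_LEN]
    key_key = trailer[len(MAGIC) + KEY_LEN:]
    file_key = _xor(encoded_key, key_key)
    return _xor(body, file_key)


if __name__ == "__main__":
    sample = b"constructed sample document contents"  # constructed input
    locked = encrypt_with_embedded_key(sample)
    print(recover_plaintext(locked) == sample)
```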