ThiefQuest Ransomware Masks its True Intentions

What is special about ThiefQuest?

Hidden motives

• Researcher Patrick Wardle discovered keylogging and backdoor code in the new ransomware strain which separates it from most other strains.
• The ransom note left behind demands for $50 from the victim which is an unusually small ransom demand. Moreover, it does not provide any email address to contact the operators for ransom payment.
• Also, Wardle found that the decryption routine present in the malware was never executed, meaning it was already broken.
• This indicates that ransomware functionality was only a distraction to hide its true intention of exfiltrating sensitive user data.
• It includes a Python script that looks for for files with certain extensions, such as .pdf, .doc, .jpg, etc in the /Users/ folder

Distribution method

• The ransomware is in distribution since the beginning of June 2020.
• The propagation is through a pirated macOS software uploaded on online forums and torrent platforms. 
• The ransomware has been spotted hidden inside a software package known as Google Software Update.
• Samples have been found in a pirated version of a popular DJ software Mixed In Key and inside the macOS security tool - Little Snitch.
• Furthermore, there are possible apps that are leveraged to distribute EvilQuest. 

Stay safe but how?

• Stick to trusted third-party developers, along with the official Mac App Store.
• Maintain a reliable set of data backups.

The takeaway