Mistakes made by the developer of the MacOS ThiefQuest ransomware allows the recovery of encrypted files without paying any ransom. The ransomware, originally named EvilQuest, deploys the encryption routine immediately after infecting the system. It does not offer a method of contacting the attackers after paying the ransom, so the infected files will not be unlocked even if a ransom was paid. The ransom note states that the victim has 72 hours to pay the $50 ransom to unlock the files and does include a static Bitcoin wallet address to send the money to, but does not include an email address or a website to contact the attackers. The researchers at BleepingComputer believe that the true purpose of ThiefQuest is to search for and steal files from infected systems. The researchers have found a data exfiltration script that steals files with a variety of extensions. Security researchers have seen the malware distributed in the wild for more than a month, usually hidden inside pirated software shared on torrent portals and online forums.
Analyst Notes
Since the ransomware portion of the malware was poorly coded, the team at SentinelOne has been successful in creating a decryptor for ThiefQuest. However, a new report from MalwareBytes shows that besides encrypting files, ThiefQuest also infects other local files in a virus-like behavior so additional cleanup must be completed after decryption. It appears that the primary method of distribution is through pirated software shared on torrent portals and online forums. With that being said, using any pirated software should be highly discouraged if not completely banned. It is also advisable for businesses to employ security staff to monitor employee workstations for unauthorized software and unusual behaviors, or use a managed security service, such as the Binary Defense Security Operations Center (SOC), that can detect and defend from an organization’s endpoints in real-time from malicious programs such as these.
To read more: https://www.bleepingcomputer.com/news/security/thiefquest-info-stealing-mac-wiper-gets-free-decryptor/
The free decryptor can be downloaded here: https://github.com/Sentinel-One/foss/tree/master/s1-evilquest-decryptor
