July 29th, 2020
Long gone are the days when macOS users were immune to viruses and other forms of malware, and with so many people now working from home, attackers appear to be renewing their efforts with vigor. One recent example is a piece of malware called "ThiefQuest".
What Is ThiefQuest?
ThiefQuest is macOS ransomware that was initially called EvilQuest; most researchers now use ThiefQuest because the original name already belonged to an unrelated video game. When executed on a system, ThiefQuest encrypts the user's files, rendering them inaccessible, and drops a text file telling the victim that access will be restored if a payment is made to a specific Bitcoin wallet. Beyond encrypting files, ThiefQuest also scans the infected system for cryptocurrency wallet information.
The ransomware is typically bundled with software downloaded via torrents or peer-to-peer services. ThiefQuest was found hidden in pirated copies of macOS applications, including the music production apps Ableton Live and Mixed In Key, and a pirated installer for the security tool Little Snitch has also been identified as a source of infection.
ThiefQuest Timeline and Changes
ThiefQuest has been infecting Apple computers since early June; it was first identified and discussed publicly later that month by Dinesh Devadoss [1]. Since Devadoss's announcement, other security researchers have begun investigating the ransomware, which is how we have been tracking infections and changes to the malware.
This particular family has quickly morphed into something else. Newer samples do not appear to encrypt files or demand a ransom, although cryptocurrency wallet information may still be at risk. Thomas Reed of Malwarebytes has identified signs of the infection in some of Google's Chrome update files, which may be one way the authors intended the malware to run on a victim's system: by infecting executables that the user or the system already runs [2]. It is not an efficient method of execution, though.
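Infecting an existing executable changes that file's contents, and that is something a baseline of cryptographic hashes, taken when the software was installed from a trusted source, can catch. The following is an added example written for this article, not code from the malware analyses it cites: it builds a SHA-256 baseline of the executables under a directory, then reports any that were modified, added or removed. The directory names, file contents and the "infection" are constructed for the demo; on a real Mac you would baseline locations such as installed updaters and keep the baseline somewhere the malware cannot rewrite it.

```python
"""Detect tampered executables by comparing SHA-256 hashes against a baseline.

Added example for this article, not code from the original page or from any
malware analysis. A file infector that patches a binary already on disk changes
that binary's hash; a baseline recorded at install time exposes the change.
All paths and file contents below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_executable(path: Path) -> bool:
    """A file infector targets executables, so keep plain data files out of the baseline."""
    return path.is_file() and os.access(path, os.X_OK)


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each executable under root (as a path relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if is_executable(p)
    }


def check_against_baseline(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report executables whose hash changed, that appeared, or that vanished since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline two updater binaries, 'infect' one, drop a third."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Hypothetical updater directory and binaries, stand-ins for real installed software.
        updater = root / "Updater" / "updater"
        helper = root / "Updater" / "updater-helper"
        for p in (updater, helper):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 64)  # fake Mach-O-style header + padding
            p.chmod(0o755)
        baseline = build_baseline(root)
        # Serialize the baseline as you would before storing it off-host: a baseline the
        # malware can rewrite is worthless.
        stored = json.dumps(baseline)

        # Simulate a file infector splicing its own code into one binary (argument is
        # evaluated before the write, so the original bytes are what gets spliced) ...
        updater.write_bytes(b"\xcf\xfa\xed\xfe" + b"INFECTED" + updater.read_bytes()[4:])
        # ... and dropping an additional executable beside it.
        dropped = root / "Updater" / "dropped-agent"
        dropped.write_bytes(b"#!/bin/sh\n")
        dropped.chmod(0o755)

        return check_against_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports `Updater/updater` as modified and `Updater/dropped-agent` as added. The check is only as good as the baseline's provenance: take it immediately after installing from a source you trust, and store it (or a signature over it) off the machine being monitored.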
Why Is ThiefQuest Significant?
Some implications of ThiefQuest are evident from the start. Anyone would be inconvenienced without access to their data, but when the system is used for professional purposes, profits and clients are on the line. Productivity will drop as victims try to recover data or have to redo work when recovery isn’t possible.
While some victims may be quick to pay up, there is no guarantee that the attackers will restore access to their files. In fact, the ransom note that comes with ThiefQuest offers no way for the victim to contact the attackers or to verify payment. Furthermore, ThiefQuest victims can still lose money even if they pay, because the malware also steals cryptocurrency wallet information.
Security researchers are currently examining the malware for weaknesses in its encryption that would allow victims to recover their files without paying. Until one is found, victims without backups should treat their data as lost; paid data-recovery services cannot help if the encryption itself cannot be broken.
As ThiefQuest evolves, it may become even more difficult to beat, and if the malware inspires other criminals, we may see an influx of similar ransomware in the near future. Ransomware is as effective at letting attackers steal money and data as it is costly for victims. One estimate puts the financial cost of ransomware at more than $75 billion annually [3].
Avoiding The Consequences of Ransomware Like ThiefQuest
ThiefQuest is a stark reminder of how vulnerable we are online and how our own actions can increase risk. For remote workers especially, it is important to use only approved hardware and software and to obtain software from reputable sources, so as to avoid malware that tags along with pirated files.
This new ransomware also reminds us that we need frequent and redundant data backups. Victims who have backups can restore from them and return to work without paying the ransom, while those without backups, or with outdated ones, may have lost their data permanently. At least one copy should be kept offline or in versioned storage, so that ransomware running on the infected machine cannot encrypt the backup along with the originals. Working directly from the cloud is one option; other companies may prefer solutions that back up local data to the cloud. Finally, users should keep their Bitcoin and other cryptocurrency wallet files encrypted when not in use.
ThiefQuest emphasizes the danger of effective malware. While it is sometimes possible to recover lost data even when malware is the cause, there is no guarantee that this will be the case with ThiefQuest. ThiefQuest may be the newest ransomware on the block, but it is far from the only risk. We have seen a steady increase over the years in both the frequency of attacks and the ransom amounts demanded [4]. Security experts expect these trends to continue, which is why cybersecurity is essential at every level of a company, especially when data recovery may not be possible [5].