mac Ransomware

A new ransomware strain that has been detected by one of the experts Thomas reed, named “EvilQuest,” but now the name has been changed to “OSX.ThiefQuest.” While he was reviewing all the data, he noticed that OSX.ThiefQuest ransomware is attacking macOS users only to Encrypts their files, but Thomas immediately reported this to Malwarebytes.

According to the Malwarebytes report, there appears to be a distinct “OSX.ThiefQuest” ransomware that is only focusing on the Mac computers that are being circulated by pirated Mac apps.


This ransomware was detected when some macOS users try to download the “Little Snitch” app from a Russian panel, where the download held the app itself.

But, still, they need to install an additional executable file. OSX.ThiefQuest is quite active upon installation; well, during the installation process, the file is transferred to a new location. Then it is renamed “CrashReporter” to keep the file hidden in macOS’ Activity Monitor.

This ransomware is similar to most of the other ransomware, as it will continue to encrypt all the files available on the Mac computers. Once the encryption is done, now the user requires to pay $50 to decrypt their files so that they can get their files back that have all the crucial information.

Infection – Mac Ransomware

Well, the infection starts spreading, once the users complete the installation. This ransomware starts spread quite generously in the user’s hard drive, but, both alternatives install the copies of the application that resides at the following locations:-

  • /Library/AppQuest/
  • /Users/user/Library/AppQuest/
  • /private/var/root/Library/AppQuest/

Rather than this, the malware encrypts a lot of sensitive files of users, once it infects. Later, they begin to change the location for their betterment of the operation so that they can be safe and can easily carry out their activity without being caught.


Users have to install this malware through the Mixed In Key installer as it was reserved so that it will be easy for the hacker to get access into the hard drive of the user, and able to encrypt the file accordingly. 

While the security experts asserted that they left the machine for some time with no results, that’s why they disconnected the network after three days and tried to reconnect the computer, and then they found that Mac started to encrypt the files.

The malware doesn’t know what file is being encrypted, but they identify the data with the encrypted number. The security experts claimed that this resulted in an error message when logging in post-encryption.


Now, if we talk about its abilities, then this malware combines some anti-analysis methods that are exposed in the functions and are named as “is_debugging” and “is_virtual_mchn.” So, the “is_virtual_mchn” function does not resemble to see if the malware is operating in a virtual machine (VM). 

It tries to grab a VM in the method of adjusting the time. Whereas the “is_debugging” function is quite familiar with malware, as possessing a debugger joined to the process, or it can be run inside a virtual machine.

The ransomware attacks are overthrowing nowadays, and the users should always hold a back up to deal with this type of situation. The security experts affirmed that the most dependable way of evading the outcomes of ransomware is to keep a good set of backups always.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.