One of the latest bits of Mac malware to keep top of mind as you go about your downloading day is a destructive strain of ransomware known as “EvilQuest.”
The good news? Right now it’s mainly spreading through pirated Mac software, so if stealing programs isn’t something you do, you don’t have a ton to worry about at the moment. Malwarebytes says the ransomware exists in fake installers for at least two different apps: Little Snitch and Mixed in Key 8. Malwarebytes also found evidence of a fake installer for Ableton Live, and it’s possible others may exist as well.
Unlike the legitimate installation files for Little Snitch and Mixed in Key 8—which have official logos and come properly packaged—the ransomware-laced fakers use a generic installation package icon and come in an unrelated disc image. Malwarebytes also found a suspicious “patch” file when examining the contents of the installer that houses EvilQuest, and found that the installer did not have the proper code-signing certificates (a digital signature that verifies a file comes from a trusted source).
Like other ransomware, EvilQuest encrypts the files on your device (including connected hard drives and external storage locations) and locks you out. The only way to regain access to your files is to pay a “ransom” fee to the hacker, usually through bitcoin transactions or an anonymous money transfer. There’s often a deadline for paying the ransom, after which time your files will be permanently locked or even deleted. EvilQuest gives infected users three days to pay or be permanently locked out.
How to keep your Mac safe from EvilQuest
Ransomware is scary, but it’s avoidable. Piracy is a common vector for deploying malware of all varieties, as pirated programs and media often come in altered formats or unorthodox files that make it easy for unsuspecting users to overlook the rather glaring signs that they’ve downloaded something bogus.
That’s why it’s safest to just avoid piracy altogether. You’ll avoid malware infections and won’t be breaking the law. Plus, by actually buying apps and media, you’re supporting the creators so they can continue working.
However, that’s not to say that malware can’t lurk in normal apps you download from the web. Make sure you stay up on comment sections or forum threads for new apps you hear about—or even run a cursory Twitter search before you install something you stumbled across online—to ensure that nobody is reporting any issues.
Skip anything you can’t get a clear answer on, and thoroughly examine the ones you do download. The easiest solution is to use solid anti-malware and antivirus apps to catch malicious files before you download or install them. When it comes to EvilQuest, Malwarebytes says it will identify and remove the ransomware before it can infect your Mac, and it’s free to run basic scans with the Malwarebytes app.
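One way to examine a downloaded installer package yourself is to check for the missing code signature described above before opening it. This is an added example, not code from Malwarebytes or the original article; the function names are hypothetical, the sample outputs are constructed, and the "Status:" strings are assumed to match what macOS's `pkgutil --check-signature` typically prints.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the "Status:" strings are
# assumed to match what pkgutil typically prints and may vary by macOS version.

# Constructed sample outputs (not captured from the real EvilQuest installer).
SAMPLE_SIGNED='Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution'
SAMPLE_UNSIGNED='Package "Example.pkg":
   Status: no signature'

# Classify the text printed by `pkgutil --check-signature`.
# Prints a verdict; returns 0 only for a status on the allow-list below.
classify_pkg_status() {
    status_line=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1)
    case "$status_line" in
        "signed by a developer certificate issued by Apple"*|"signed Apple Software"*)
            echo "signed"; return 0 ;;
        "no signature"*)
            echo "unsigned"; return 1 ;;
        "")
            echo "unknown"; return 2 ;;   # no Status line: treat as a failure
        *)
            echo "untrusted"; return 1 ;; # expired, untrusted or invalid
    esac
}

# Check a real .pkg on macOS before opening it.
check_installer() {
    command -v pkgutil >/dev/null 2>&1 || { echo "pkgutil not found" >&2; return 2; }
    out=$(pkgutil --check-signature "$1" 2>&1) || true   # non-zero when unsigned
    rc=0
    verdict=$(classify_pkg_status "$out") || rc=$?
    echo "$1: $verdict"
    [ "$rc" -eq 0 ] || echo "Do not install: signature check failed." >&2
    return "$rc"
}

# Usage: sh check_pkg.sh /path/to/Installer.pkg
if [ "$#" -gt 0 ]; then check_installer "$1"; fi
```

A passing result only tells you who signed the package, so it complements a malware scan rather than replacing one.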
You should also have a few system backups just in case something goes wrong and you need to perform a clean install and restore your old files—whether due to malware or other issues like bugs, hardware failures or lost/stolen devices. It’s a wise move to have multiple backups saved in separate locations, including cloud drives, on-device storage and on an external storage device. Just make sure to keep external drives disconnected when not performing backups to prevent them from also being encrypted by ransomware.
What to do if you’re infected
Preventative measures should be enough to keep your computer safe, but if you find yourself infected with the EvilQuest ransomware, don’t panic: As long as you have your files safely backed up, you can (probably) recover without paying. Try removing the ransomware using Malwarebytes or other anti-malware software. If your device is already locked down and your anti-malware apps don’t work, try performing a factory reset and then restoring your old files using a clean backup.