At the end of June 2020, information security specialists discovered the new ThiefQuest ransomware aimed at macOS devices. SentinelOne engineers have now created a free file decryptor for files affected by ThiefQuest.
ThiefQuest is more than just an encryptor: the malware also installs a keylogger and a reverse shell on infected machines for complete control over compromised hosts.
Initially, the threat got the name EvilQuest, but later the malware was renamed into ThiefQuest. This decision was made to avoid possible confusion, since after the publication of the reports it became clear that there was a series of games called EvilQuest.
The ransomware is distributed with pirated software, for example, ThiefQuest was found in the Google Software Update, the pirated version of the popular DJ software Mixed In Key and the macOS Little Snitch security tool”, – wrote IS experts.
At the same time, it was noted that the malware uses the same static bitcoin address for all victims, and the ransom note does not contain an email address or other contacts for communication.
In fact, the attackers cannot somehow identify the victims who paid the ransom, and the victims cannot contact the malware operators to decrypt the data. Because of this, Lawrence Abrams, founder of Bleeping Computer, suggested that ThiefQuest is not an ordinary ransomware, but a wiper, a destructive malware that simply destroys files. Abrams is convinced that the ransomware is just a cover for the true purposes of criminals, namely the search and theft of files of certain types.
Another theory says that while the malware is at an early stage of development, and not all of its functions are working properly so far.
Reference:
ThiefQuest is just the third known ransomware known to security experts for macOS. Before him, in 2016-2017, experts found only two threats of this kind – KeRanger and Patcher.
Due to the features of ThiefQuest, the victims lose access to their data permanently, and information security experts were actively working on hacking the malware, promising to try to create a free file decryption tool.
This week, SentinelOne experts said that analyzing the source of the ransomware, as well as examining the differences between the encrypted files and their original versions, helped to understand the ThiefQuest encryption mechanism.
ThiefQuest uses a simple encryption system with a symmetric key based on the RC2 algorithm and stores the encryption/decryption key inside each locked file,” – said the researchers.
As a result, SentinelOne engineers were able to create a free decryptor that extracts the aforementioned key and unlocks victims’ files. Currently, the decoder is presented in the form of a binary, but the company said it plans to open its code in the future.
Download the free decryptor for ThiefQuest here. A video tutorial on how to use the tool is available here.
It is worth noting that a new Malwarebytes report, also published this week, states that in addition to encrypting files, ThiefQuest infects local files and exhibits virus-like behavior. Therefore, in addition to decrypting files, additional cleaning of the system may be required to prevent re-infection.
