Security researchers have warned they’ve spotted a new ransomware variant that targets macOS devices in the wild.
According to Varonis’s February 2021 Malware Trends Report, EvilQuest, also known as ThiefQuest and Mac.Ransom.K, is ransomware that aims to encrypt macOS devices, which are typically less affected by this type of threat.
Ben Zion Lavi, a researcher at Varonis, said another unusual detail about EvilQuest that stands out compared to other ransomware variants is it uses symmetric encryption all the way, as opposed to using an asymmetric key in at least one stage of the encryption.
“This means that the key that was used to encrypt the file can be used to decrypt it, thus making the challenge of decrypting the files a lot easier,” Lavi said.
According to researchers, the ransomware includes data exfiltration functionality that uses three external Python scripts to send out HTTP post requests. It also includes additional functionality that many ransomware variants don’t normally have.
“For example, it looks for SSH keys that might allow the attacker to interactively logon into a victim’s device. It also looks for trusted certificates, which can allow the attacker to access sites without causing security warnings,” said Lavi.
Researchers also found evidence of key-logging functionality in parts of the code. These code segments call API functions aimed at finding low-level hardware events.
“We can find evidence that the ransomware is still being developed and is not yet in its final form. The decryption functionality, for example, is not completely implemented. Because the decryption routine is not called anywhere inside the code, victims will surely not be able to decrypt their files, even if they pay the ransom,” said Lavi.
Researchers also warned that an Iranian hacking group named “Foudre” had recently resurfaced. The group dates back to as early as 2007 and exfiltrated data from organizations and VIPs.
“The APT, which was mostly but not exclusively used against targets in Europe and North America, consists of several stages. The first stage includes the victim opening a crafted document that contains macro code, which self-extracts archives with “Foudre” components,” said Lavi.
Lavi added that the malware the hackers used leverages domain generating algorithms (DGA), a technique that generates and tries to communicate with many domain names, but only one of them is the real C2 server domain name. This allows the attacker to hide their identity and maintain the C2 server’s clean reputation longer.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million rewardNews The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attackNews The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalitiesNews The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacksNews The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b modelNews Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarterNews Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new groupNews The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos
