MacBook users warned against EvilQuest ransomware
The malware aims to encrypt macOS devices, which are typically less affected by ransomware


Security researchers have warned they’ve spotted a new ransomware variant that targets macOS devices in the wild.
According to Varonis’s February 2021 Malware Trends Report, EvilQuest, also known as ThiefQuest and Mac.Ransom.K, is ransomware that aims to encrypt macOS devices, which are typically less affected by this type of threat.
Ben Zion Lavi, a researcher at Varonis, said another unusual detail about EvilQuest that stands out compared to other ransomware variants is it uses symmetric encryption all the way, as opposed to using an asymmetric key in at least one stage of the encryption.
“This means that the key that was used to encrypt the file can be used to decrypt it, thus making the challenge of decrypting the files a lot easier,” Lavi said.
According to researchers, the ransomware includes data exfiltration functionality that uses three external Python scripts to send out HTTP post requests. It also includes additional functionality that many ransomware variants don’t normally have.
“For example, it looks for SSH keys that might allow the attacker to interactively logon into a victim’s device. It also looks for trusted certificates, which can allow the attacker to access sites without causing security warnings,” said Lavi.
Researchers also found evidence of key-logging functionality in parts of the code. These code segments call API functions aimed at finding low-level hardware events.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“We can find evidence that the ransomware is still being developed and is not yet in its final form. The decryption functionality, for example, is not completely implemented. Because the decryption routine is not called anywhere inside the code, victims will surely not be able to decrypt their files, even if they pay the ransom,” said Lavi.
Researchers also warned that an Iranian hacking group named “Foudre” had recently resurfaced. The group dates back to as early as 2007 and exfiltrated data from organizations and VIPs.
“The APT, which was mostly but not exclusively used against targets in Europe and North America, consists of several stages. The first stage includes the victim opening a crafted document that contains macro code, which self-extracts archives with “Foudre” components,” said Lavi.
Lavi added that the malware the hackers used leverages domain generating algorithms (DGA), a technique that generates and tries to communicate with many domain names, but only one of them is the real C2 server domain name. This allows the attacker to hide their identity and maintain the C2 server’s clean reputation longer.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
A threat to Google’s dominance? The AI browser wars have begun – here are the top contenders vying for the crown
News Perplexity has unveiled its Comet browser while OpenAI is reportedly planning to follow suit
-
Google Cloud Summit London 2025: Practical AI deployment
ITPro Podcast As startups take hold of technologies such as AI agents, where is the sector headed?
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector