New "EvilQuest" ransomware circulates in pirated macOS apps

We have all been tempted at some point to install a pirated copy of software to avoid paying for it. But it is worth thinking twice and resisting the temptation, for two reasons. The first is a matter of conscience: behind every application there are hundreds or thousands of hours of development and programming, and it is very unfair not to pay for that work, whether directly or through advertising inserted in the app.

The second is security. Bundling malware with pirated software is the simplest and oldest method of disguising and spreading it. The malware is embedded in the application's installer without your knowledge, you grant all the necessary permissions because you assume the software you are installing is asking for them, and from there the damage is done. A new ransomware is now spreading through the installers of pirated software, so stay alert.

Mac users are now exposed to a new ransomware called "EvilQuest", which encrypts some user files and causes multiple problems for the operating system. Malwarebytes found this ransomware, which is distributed via pirated apps for macOS.

The malicious code was first found in a pirated copy of the Little Snitch app available on a Russian forum with torrent links. The downloaded application comes with a PKG installation file, unlike its original version.

When examining this PKG file, Malwarebytes discovered that the application comes with a "postinstall script", which is normally used to clean up the installation after the process is complete. In this case, however, the script installs the malware on macOS.

The script file is copied to a folder related to the Little Snitch application under the name CrashReporter, so the user is unlikely to notice it running in Activity Monitor, because macOS has an internal app with a similar name. The install location is /Library/LittleSnitchd/CrashReporter.

Malwarebytes notes that the ransomware waits some time after it is installed before it starts acting, so the user will not associate it with the most recently installed application. Once the malicious code is activated, it modifies system and user files with unknown encryption.
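One way to review a package's install scripts before running it, as an added example that is not from the original article or from Malwarebytes. It assumes the PKG has already been unpacked with `pkgutil --expand`; the flagging heuristics, function names and sample script are constructed for illustration.

```python
import os
import re
import tempfile

# Scripts that macOS Installer runs from a package, with the installer's privileges.
INSTALL_SCRIPTS = {"preinstall", "postinstall"}
# Assumption: review heuristics chosen for this example, not Malwarebytes' logic.
ACTION_RE = re.compile(r"^\s*(?:sudo\s+)?(cp|mv|ditto|chmod|open|launchctl)\b")
SYSTEM_PATH_RE = re.compile(r"/(?:Library|usr/local|private)/[^\s\"';]+")
# Location reported in the article for the dropped file.
REPORTED_PATH = "/Library/LittleSnitchd/CrashReporter"


def find_install_scripts(expanded_dir):
    """Return every preinstall/postinstall script under an expanded package."""
    hits = []
    for root, _dirs, files in os.walk(expanded_dir):
        hits += [os.path.join(root, f) for f in files if f in INSTALL_SCRIPTS]
    return sorted(hits)


def review_script(path):
    """List (line number, command, system paths) for lines touching system locations."""
    findings = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            action = ACTION_RE.match(line)
            targets = SYSTEM_PATH_RE.findall(line)
            if action and targets:
                findings.append((lineno, action.group(1), targets))
    return findings


def review_package(expanded_dir):
    """Map each install script to its findings; an empty list means nothing flagged."""
    return {p: review_script(p) for p in find_install_scripts(expanded_dir)}


def build_constructed_sample(base):
    """Write a constructed postinstall (not the real EvilQuest script) for the demo."""
    scripts = os.path.join(base, "Sample.pkg", "Scripts")
    os.makedirs(scripts)
    with open(os.path.join(scripts, "postinstall"), "w") as fh:
        fh.write("#!/bin/sh\n# constructed sample\n"
                 "cp ./placeholder_binary " + REPORTED_PATH + "\nexit 0\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for script, findings in review_package(build_constructed_sample(tmp)).items():
            print(script, findings)
    print("reported path present on this host:", os.path.exists(REPORTED_PATH))
```

A flagged line is a prompt to read the script by hand, not proof of malice; legitimate installers also write under /Library.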

Ransomware asks you for $50 to unlock your Mac

"EvilQuest" asks you for $50 to decrypt your files.

Part of the encryption causes the Finder to malfunction and the system to hang constantly. Even the system keychain gets corrupted, making it impossible to access the passwords and certificates saved on the Mac. A message on the screen says that the user must pay 50 dollars to get their files back, otherwise everything will be deleted after three days. It is genuinely frightening.

There is still no way to get rid of the malware after it has encrypted files without formatting the entire disk, so users should keep an up-to-date backup of everything.

The best way to avoid the consequences of ransomware is to keep a good set of backups. Keep at least two backups of all important data, and at least one should not be kept connected to your Mac at all times. (Ransomware may try to encrypt or corrupt backups on connected drives.)

Although the ransomware is only bundled with hacked apps for now, Apple needs to fix this security breach as soon as possible, as this malicious code could be included in more "legal" applications distributed outside of the App Store.
