ThiefQuest, also known as EvilQuest, recently made the news following its discovery. The ransomware specifically targets Mac devices. Thankfully, following continued analysis by the cybersecurity community, a decryptor for ThiefQuest ransomware is now publicly available.
Decryptor For ThiefQuest Ransomware
Researchers from SentinelLabs have recently shared their analysis of the EvilQuest Mac ransomware.
Specifically, their report describes how they found weaknesses in the malware. They noticed that the ransomware used the RC2 algorithm to encrypt data, while placing the key material needed for both encryption and decryption inside every locked file.
Reverse engineering the file encryption therefore allowed them to develop a decryptor for the ransomware as well.
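To illustrate why shipping the key inside every locked file defeats the encryption regardless of how strong the cipher is, here is an added example. It is not ThiefQuest's real file format and not the SentinelLabs decryptor. The file layout (magic marker, key, nonce, ciphertext) is an assumption made for illustration, and an HMAC-SHA256 counter-mode keystream stands in for RC2, which the Python standard library does not provide; the weakness demonstrated does not depend on the cipher.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed marker for the toy locked-file layout (not ThiefQuest's real format).
MAGIC = b"TOYLOCK1"
KEY_LEN = 16
NONCE_LEN = 8


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode.

    Stands in for RC2 purely so the example runs on the standard library.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def lock_file(plaintext: bytes, key: Optional[bytes] = None, nonce: Optional[bytes] = None) -> bytes:
    """Model of the flawed encryption: a fresh per-file key is generated,
    but the key and nonce are then written into the locked file's header."""
    key = key if key is not None else os.urandom(KEY_LEN)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))
    # The flaw: everything needed to decrypt travels with the ciphertext.
    return MAGIC + key + nonce + ciphertext


def unlock_file(blob: bytes) -> bytes:
    """Decryptor: needs no external secret, only the locked file itself."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a locked file in the toy layout")
    offset = len(MAGIC)
    key = blob[offset:offset + KEY_LEN]
    nonce = blob[offset + KEY_LEN:offset + KEY_LEN + NONCE_LEN]
    ciphertext = blob[offset + KEY_LEN + NONCE_LEN:]
    if len(key) != KEY_LEN or len(nonce) != NONCE_LEN:
        raise ValueError("truncated header")
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


if __name__ == "__main__":
    # Constructed sample input.
    sample = b"Constructed sample document: quarterly report draft\n"
    locked = lock_file(sample)
    print("recovered:", unlock_file(locked).decode())
```

The decryptor is nothing more than a parser for the attacker's own file layout: once the key offset is known, every file can be recovered offline, which is exactly why a public tool could be released without any key from the attackers.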
Fortunately, they have published this decryptor for ThiefQuest ransomware under the MIT software license for the public.
Users can download the decryptor from this link when needed.
ThiefQuest Updates – More Findings
As the cybersecurity community continues analyzing the malware, more information about it has become available.
Recently, researchers from Malwarebytes Labs shared another report on ThiefQuest. In it, they explain why they believe ThiefQuest may not really be ransomware at all.
Earlier, Patrick Wardle explained that he found the malware to contain keylogger and backdoor code. Such capabilities are unusual for ransomware.
Moreover, analysis of the ransom note by Lawrence Abrams of Bleeping Computer revealed further peculiarities.
First, the ransomware demanded a very low ransom of just $50. Second, it gave no email address for victims to contact the attackers. Third, the attackers used the same bitcoin address in every ransom note, making it impossible to tell which victims had paid.
On top of all that, as Wardle observed, the decryption function in the ransomware code appears to be redundant and unused. Nor does the malware encrypt files efficiently.
These findings suggest that the malware is primarily a data stealer, and that the ransom note it drops after infection is an attempt to distract the victim.
So, besides running the decryptor, ThiefQuest victims should take stock of whatever sensitive data was stored on the affected Mac and treat it as compromised. For instance, if the affected data includes any passwords, change them; if it includes credit card details, cancel the cards.
Finally, clean up the device and deploy security controls to remove the malware and prevent reinfection.