EvilQuest Mac Ransomware - How to remove

EvilQuest is Mac ransomware and spyware. It arrives inside trojanized app installers. Once running, EvilQuest tries to kill antivirus apps, looks for files to steal and uploads them, and finally encrypts files, which leaves them unreadable by the programs that created them. Because EvilQuest is still new, not everything is known about it yet and not all antivirus apps reliably detect it. Whether EvilQuest’s encryption can be reversed isn’t known yet.

In short about EvilQuest:

Classification: ransomware, spyware.

How EvilQuest gets installed: downloaded from unreliable websites, bundled with freeware installers, disguised as fake software updates.

How to recognize EvilQuest: some files are broken and can’t be opened anymore; a ransom note called “READ_ME_NOW.txt”; a pop-up message starting with “Your files are encrypted”.

Removing EvilQuest: use anti-malware apps like Combo Cleaner and others; restore your Mac from a backup; change passwords and protect your personal information.

How EvilQuest infects Macs

EvilQuest is a new piece of Mac ransomware and spyware. Yes, it’s possible: there are macOS trojans and adware, and now ransomware as well.

The researcher who discovered EvilQuest said it was disguised as a Google Software Update. EvilQuest is also installed by unofficial distributions of various legitimate apps: malicious actors bundle a real app with the malware and redistribute the package on torrent sites.

Because EvilQuest was new, few antivirus apps detected it at first. For example, when I started writing, no engine on VirusTotal detected the DMG file; in the following hours the number of detections kept rising. This is a real problem, and it shows how important it is to keep security software and its definitions up to date: with time, antivirus apps will detect EvilQuest as their vendors release updated signatures.

If EvilQuest is allowed to run, it searches the list of running processes for antivirus and other security apps and tries to quit them.

It also places files in /Library and ~/Library/LaunchAgents. The property list it drops in LaunchAgents is EvilQuest’s persistence mechanism: launchd reads it at every login and starts the malware again, so a reboot does not get rid of it. Check those folders for property lists you don’t recognize, especially ones that start a program from a hidden or unusual location.
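As an added example (not code from this article or from any EvilQuest analysis), here is a small Python script that checks the LaunchAgents and LaunchDaemons folders for suspicious launchd items. It parses each property list with the standard library’s plistlib and flags items that run a program from outside the usual system and vendor locations, keep it in a hidden directory, or use a com.apple.* label for a binary that isn’t under /System or /usr (Apple’s own launch items live there). The folder list, the trusted prefixes and the heuristics are my assumptions, and the sample folder the script builds for its demo run is constructed.

```python
"""Triage launchd persistence: added example, not code from the page.
EvilQuest drops a property list into LaunchAgents so launchd restarts it.
This script parses every .plist in the launchd folders with the standard
library's plistlib and flags items that run a program outside the usual
system/vendor paths, hide it in a dot-directory, or carry an Apple-looking
label for a non-Apple binary.  Folders, prefixes and heuristics are assumed."""
import os
import plistlib
import tempfile
from typing import Dict, List

LAUNCHD_DIRS = [os.path.expanduser("~/Library/LaunchAgents"),   # assumed locations
                "/Library/LaunchAgents", "/Library/LaunchDaemons"]
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/",     # assumed "expected"
                    "/Applications/", "/Library/Apple/")
APPLE_ONLY_PREFIXES = ("/System/", "/usr/")   # Apple's own launch items live here


def program_of(plist: dict) -> str:
    """Executable the item runs: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def assess(plist: dict) -> List[str]:
    """Reasons (possibly none) a launchd item deserves a second look."""
    reasons: List[str] = []
    label = str(plist.get("Label", ""))
    program = program_of(plist)
    if not program:
        return ["no Program or ProgramArguments"]
    if not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted paths: {program}")
    if label.startswith("com.apple.") and not program.startswith(APPLE_ONLY_PREFIXES):
        reasons.append(f"Apple-style label {label!r} for a non-Apple program")
    if any(part.startswith(".") for part in program.split("/") if part):
        reasons.append("program stored in a hidden (dot) directory")
    if reasons:  # auto-start flags only matter once something else looks off
        if plist.get("RunAtLoad"):
            reasons.append("RunAtLoad: started again at every login/boot")
        if plist.get("KeepAlive"):
            reasons.append("KeepAlive: launchd restarts it if it is killed")
    return reasons


def scan_launch_items(dirs: List[str] = LAUNCHD_DIRS) -> List[Dict[str, object]]:
    """Parse every .plist under dirs and return the suspicious ones."""
    findings: List[Dict[str, object]] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fh:
                    plist = plistlib.load(fh)
            except Exception as exc:  # unreadable/malformed plists deserve a look too
                findings.append({"path": path, "label": "", "program": "",
                                 "reasons": [f"unparseable plist: {exc}"]})
                continue
            reasons = assess(plist)
            if reasons:
                findings.append({"path": path, "label": str(plist.get("Label", "")),
                                 "program": program_of(plist), "reasons": reasons})
    return findings


def make_sample_dir() -> str:
    """Constructed sample folder: one benign vendor item, one Apple-impersonating item."""
    d = tempfile.mkdtemp(prefix="launchd-sample-")
    with open(os.path.join(d, "com.vendor.helper.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.vendor.helper",
                       "Program": "/Applications/Vendor.app/Contents/MacOS/helper"}, fh)
    with open(os.path.join(d, "com.apple.fake.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.apple.fake", "RunAtLoad": True, "KeepAlive": True,
                       "ProgramArguments": ["/Users/alice/Library/.cache/fake", "-d"]}, fh)
    return d


if __name__ == "__main__":
    # On a real Mac call scan_launch_items() with no arguments; the demo uses
    # the constructed sample folder so it runs anywhere.
    for item in scan_launch_items([make_sample_dir()]):
        print(item["path"], "->", item["program"])
        for reason in item["reasons"]:
            print("   ", reason)
```

On a real Mac, call scan_launch_items() with no arguments to check the live folders. For an item it reports, unload it with launchctl unload followed by the path of the plist, delete the plist, and then delete the program it points at; booting into safe mode stops the item from starting but leaves the plist in place until you remove it.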

If you suspect serious malware on your Mac, shut it down and don’t turn it on again until a professional has looked at the drive. Using another computer, you can make a backup of the drive and the files on it, including the encrypted ones. Starting the Mac in safe mode prevents login items from opening automatically, which limits the malware’s interference, but it does not remove anything: the malicious launch agent stays on disk until you delete it.

EvilQuest's ransom note READ_ME_NOW.txt

File encryption, ransom, and spyware

EvilQuest encrypts user files. Encryption transforms data into something that looks like random noise, and without the key the original content can’t be recovered. To your programs, encrypted files look corrupted and won’t open: an encrypted text file is full of random symbols, and an encrypted photograph shows up as broken (wrong colors, random lines, noise) or doesn’t display at all.

Then EvilQuest displays a pop-up, and also plays it as audio, announcing that the files on the system have been encrypted:

Your files are encrypted

Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted.

Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees.

Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop.

As the ransom note says, many different file types are at risk. EvilQuest doesn’t limit itself to user-created files: any file it can write to may be encrypted, and that is a problem in its own right. Most ransomware sticks to documents and media and leaves system files alone so that the machine keeps running; EvilQuest also hits settings files, which leaves parts of the system broken.

Before the encryption, though, EvilQuest steals files. It collects small (under 800 KB) documents, images, text files, cryptocurrency wallets, web pages, archives and other files and sends them to the criminals. It may also install a keylogger to record what you type.
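Two things from the paragraphs above can be checked with a script: which files now look encrypted, and which files fit the profile of what EvilQuest uploads (under 800 KB, of the kinds listed) and should therefore be treated as stolen. The Python below is an added example, not the article’s or the malware’s code. It reports a file as likely encrypted when its bytes are near-random (Shannon entropy close to 8 bits per byte), it isn’t valid UTF-8 text, and it has no intact format header: a JPEG or ZIP is also high-entropy but keeps its signature bytes, whereas encryption scrambles them. The extension list, the magic-byte table and the 7.5-bit threshold are my assumptions, and the sample folder the script builds is constructed.

```python
"""Triage files for EvilQuest-style damage and exposure.
Added example, not code from the page.  Two checks drawn from the text:
(1) near-random bytes with no valid text and no surviving format header
    => likely encrypted;
(2) under 800 KB and of a kind the page says EvilQuest uploads
    => assume it was stolen.
Extension list, magic-byte table and entropy threshold are assumptions."""
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List

EXFIL_MAX_BYTES = 800 * 1024     # page: only files under 800 KB are taken
EXFIL_EXTENSIONS = {             # assumed extensions for the page's categories
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf",
    ".jpg", ".jpeg", ".png", ".gif", ".wallet", ".dat", ".html", ".htm",
    ".zip", ".tar", ".gz", ".7z",
}
MAGIC = {                        # assumed signatures; intact => header survived
    b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office", b"\x1f\x8b": "gzip",
}
ENTROPY_THRESHOLD = 7.5          # bits/byte; assumed cut-off for "looks like ciphertext"
SAMPLE_BYTES = 256 * 1024        # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniform random bytes, roughly 4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """'empty', 'known-format:<name>', 'text', 'binary' or 'likely-encrypted'."""
    if not data:
        return "empty"
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return f"known-format:{name}"
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        pass
    return "likely-encrypted" if shannon_entropy(data) >= ENTROPY_THRESHOLD else "binary"


def matches_exfil_profile(path: str, size: int) -> bool:
    """Small file of a type the page says EvilQuest uploads before encrypting."""
    ext = os.path.splitext(path)[1].lower()
    return size < EXFIL_MAX_BYTES and ext in EXFIL_EXTENSIONS


def triage(root: str) -> Dict[str, List[str]]:
    """Walk root; return likely-encrypted files and files to assume were stolen."""
    result: Dict[str, List[str]] = {"likely_encrypted": [], "exfil_candidates": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if classify(head) == "likely-encrypted":
                result["likely_encrypted"].append(path)
            if matches_exfil_profile(path, size):
                result["exfil_candidates"].append(path)
    return result


def make_sample_dir() -> str:
    """Constructed samples: plain text, an intact JPEG header, a 'ciphertext' file
    whose PDF header is gone, and a text file too large for the exfil profile."""
    d = tempfile.mkdtemp(prefix="triage-sample-")
    with open(os.path.join(d, "notes.txt"), "w") as fh:
        fh.write("meeting notes: the quick brown fox jumps over the lazy dog\n" * 200)
    with open(os.path.join(d, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + os.urandom(20000))
    with open(os.path.join(d, "report.pdf"), "wb") as fh:
        fh.write(os.urandom(65536))  # stands in for an encrypted document
    with open(os.path.join(d, "big.txt"), "w") as fh:
        fh.write("x" * (900 * 1024))
    return d


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    for key, paths in triage(root).items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Point it at a folder (for example your Documents folder) to get both lists. Files that are random by nature, such as key material or archives you encrypted yourself, will show up as likely encrypted, so treat the first list as a starting point for inspection; treat the second list as “assume the attackers have a copy” and change any credentials or secrets those files contain.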

Not only does EvilQuest steal files, it also tries to extort money. The ransom note it creates, “READ_ME_NOW.txt”, contains a Bitcoin address to send the ransom to. In theory EvilQuest’s encryption should be reversible: you would need the matching decryption tool and the unique decryption key, and the person behind EvilQuest offers decryption for $50 in Bitcoin. Whether paying actually restores the files is unknown, but the answer is likely “no”. The note gives victims no obvious way to contact the attackers, so how would the criminals even know which victim has paid? Also, EvilQuest is still new, so it probably has bugs that could damage files in ways the intended decryption can’t repair.

Also, if EvilQuest’s victims log in to their bank accounts or crypto wallets on the infected computer, for example to pay the ransom, the malicious actors can watch them do it and rob them. If you suspect a keylogger, disconnect the Mac from the internet and don’t type any passwords on it.

How to remove EvilQuest

If EvilQuest infected your computer, the safest option is to turn it off and have a professional look at it.

To remove the malware yourself, you can also use an anti-malware app like Combo Cleaner, Malwarebytes or another reputable application. You may need to reboot your Mac in safe mode first to stop EvilQuest from running and interfering with its own removal. To boot an Intel Mac in safe mode, hold the Shift key from the moment you start it until the login screen appears; the words “Safe Boot” should appear on the screen.

To undo some of the harm EvilQuest has done, restore your Mac from a backup taken before the infection.

Scan your Mac again to be sure that all the malware is gone.

If you kept important information in files on your Mac, assume EvilQuest may have stolen them. Also change the passwords for your online accounts in case EvilQuest logged them.

If you want to, keep the files EvilQuest encrypted: put them on a backup drive or upload them to the cloud. EvilQuest is new and still being analyzed (Objective-See), and analysts may yet find a way to decrypt the files. Free ransomware decryption is rare and shouldn’t be expected, but when it does happen, it tends to happen with new ransomware like EvilQuest, whose encryption may still contain mistakes.
