
Govt Warns Apple Laptop Users In India About ‘ThiefQuest’; Know The Details

New Delhi: The Indian Computer Emergency Response Team (CERT-In) has issued an advisory alerting Apple MacBook, iMac and other macOS users about a new ransomware called ThiefQuest, which has been spreading since last month.

This new ransomware, also called EvilQuest, locks files on macOS and spies on infected systems. CERT-In has also listed steps for users to protect themselves.

Here are the details about the new macOS ransomware and how you can stay safe:

a) The ThiefQuest ransomware not only encrypts the files on the system but also installs a keylogger and a remote shell, and steals cryptocurrency wallet-related files from infected hosts, according to a Gadgetsnow report.

b) This ransomware continues to track victims even after they have paid the ransom to unlock their system, as the attacker retains access to the computer and can exfiltrate files and keystrokes. It is distributed via copies of legitimate applications, such as Little Snitch, Ableton and Mixed in Key, shared on torrent websites.

c) ThiefQuest downloads Python scripts disguised as GIF files and runs them. If a file matches its search criteria, it base64-encodes the file contents and sends them to the C&C server. Targeted files include text files, images, Word documents, SSL certificates, code-signing certificates, source code, projects, backups, spreadsheets, presentations, databases, and cryptocurrency wallets.

d) The attackers do not provide any email address for victims to contact them for decryption after the ransom has been paid. “This makes it impossible for attackers to identify victims who have paid the ransom. This leads to the suspicion that the ransomware may be used for spying and other malicious activity,” CERT-In was quoted as saying.

e) Ransomware generally targets common file types. Regular backups of all critical information should be kept on a separate device, and backups should be stored offline. Remote access, when not in use, must be disabled.

f) Execution of PowerShell/WSCRIPT in an enterprise environment should be restricted, and a Sender Policy Framework (SPF) record for your domain should be established. Block binaries running from %APPDATA% and %TEMP% paths by whitelisting applications or strictly implementing Software Restriction Policies (SRP).

g) Segmenting the network and segregating it into security zones will help protect sensitive information and critical services. Ad blockers should be installed.

OB Bureau
