ThiefQuest info-stealing Mac Wiper Gets Its Decryptor

The ThiefQuest info-stealing Mac wiper, initially known as EvilQuest Ransomware that spreads via pirated apps, now gets the decryptor.

According to the security experts, the ThiefQuest is not a successful attempt of the hackers, reason being its poor coding. However, its behaviors were like of a ransomware threat, that once deployed on the system, runs an encryption algorithm to encrypt files on the Mac system.

However, experts suggest that paying the ransom is not an option to recover the encrypted files, as the ransom note does not have any contact details of the authors.

In such a case, victims may lose their data forever, if they don’t have any other backups.

The ThiefQuest (EvilQuest) Ransomware Note:

According to the EvilQuest ransom note named READ_ME_NOW.txt, the victims need to pay $50 within 72 hours of timeline, if they wish to recover their encrypted files.

Additionally, they provide a static Bitcoin wallet address to pay the ransom. However, other than that, there is no other information about what the victims should do after paying the ransom. Even there is no contact details of the extortionist to inform about the payment being done and henceforth get the decryption key.

The ThiefQuest Behaviour

Recently, the BleepingComputer said in his blogpost that, after analyzing its behavior, the ThiefQuest acts more like an info-stealer. Rather than a ransomware that encrypted files to demand ransom fees from victims. So, its main purpose is to scan the system for important files and steal the data.

To steal the files, the malware searches “ /Users folder” for files of various extensions:

.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, 
.cpp, .cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx,
 .keynote, .js, .sqlite3, .wallet, .dat

These extension contains the files like text, images, Word documents, SSL certificates, code-signing certificates, source code, projects, backups, spreadsheets, presentations, databases, and cryptocurrency wallets.

The malware uses a data exfiltration script to steal the files and send to the remote URL using Command & Control server.

The ThiefQuest Decryptor

Malware researchers of SentinelOne, a cybersecurity firm, analyzed its code in which they found a custom symmetric encryption routine that was based on the RC2 algorithm.

On further analysis, they found about the function that triggers the encryption. And found out that the symmetric (128-byte) key is actually encoded in a much simpler way.

On comparing the files encrypted by the ThiefQuest to its original version, they found that the encrypted file has an extra data block. The block contains the key that encodes the file.

“This means that the clear text key used for encoding the file encryption key ends up being appended to the encoded file encryption key. Taking a look at a completely encrypted file shows that a block of data has been appended to it” – Jason Reaves, SentinelOne

After reversing the encryption process, it calls the decryption function that results in unlocking. files. This happens as the creator of the malware did not remove the decryption function from the code.

From the above findings and analysis, the SentinelOne created a decryption tool for ThiefQuest ransomware.

The decryptor is free to download which comes under the free software license of GNU GPL v2.


However, the security experts have out the ThiefQuest Ransomware decryptor. But still there lies a major privacy concern, as it is an info-stealer.

So, if one system gets the malware, then in any way the data is not safe. The attackers can use the data for illegal purposes and even sell it to the dark web platforms.

Thus, Mac users should ensure the protection of their system and data.

What to do to stay safe:

  • First of all, users should create regular backups of their important data;
  • Do not download torrents, pirated software, and apps from unknown sources;
  • Keep the system password-protected and ensure strong passwords that may not contain any personal details. So, Better to use a password manager tool;
  • Do update the OS, apps and browsers regularly to patch the vulnerabilities;
  • Install a reputable anti-virus program like MalwareBytes, Intego VirusBarrier and ComboCleaner so on.

More From Unboxhow