Mac ransomware found hiding in pirated Mac apps

A new ‘EvilQuest’ Mac ransomware variant is spreading through pirated Mac apps, according to a new report from Malwarebytes Labs. The new ransomware was hiding inside pirated downloads of the “Little Snitch” app found on a Russian forum.

Malicious Little Snitch installer

Juli Clover for MacRumors:

Right from the point of download, it was clear that something was wrong with the illicit version of Little Snitch, as it had a generic installer package. It installed the actual version of Little Snitch, but it also installed an executable file named “Patch” into the /Users/Shared directory and a post-install script for infecting a machine.

The installation script moves the Patch file into a new location and renames it CrashReporter, a legitimate macOS process, keeping it hidden in Activity Monitor. From there, the Patch file installs itself in several spots on the Mac.

The ransomware encrypts settings and data files on the Mac, like Keychain files, resulting in an error when attempting to access the iCloud Keychain. The Finder also malfunctioned after installation, and there were problems with the dock and other apps.

Thomas Reed for Malwarebytes Labs:

In practice, this didn’t work very well. The malware got installed, but the attempt to run the Little Snitch installer got hung up indefinitely, until I eventually forced it to quit. Further, the malware didn’t actually start encrypting anything, despite the fact that I let it run for a while with some decoy documents in position as willing victims.

There were other very obvious indications of error, such as the Dock resetting to its default appearance.

The Finder also began showing signs of trouble, with spinning beachballs frequently appearing when selecting an encrypted file. Other apps would also freeze periodically, but the Finder freezes could only be managed by force quitting the Finder.

Although others have reported that a file is created with instructions on paying the ransom, as well as an alert shown, and even text-to-speech used to inform the user they have been infected with ransomware, I was unable to duplicate any of these, despite waiting quite a while for the ransomware to finish.

MacDailyNews Take: In the case of software, it’s not better to be a pirate. Join the Navy. Don’t steal software – or stolen software might start trying to steal from you.

Remember: Backup, backup, backup! As long as you have good backups, ransomware is no threat.


  1. “Remember: Backup, backup, backup! As long as you have good backups, ransomware is no threat.”

    …except if ransomware has a delayed activation such that it gets saved into your backups or in some cases ransomware has been designed to directly affect or infect backups (not sure if there are any examples for the Mac but that is one known strategy in the wild). So backing up is not complete protection and therefore not foolproof.

    And for those scenarios, I am not sure what is.

  2. Why would you load a pirated version of a firewall? You’re just asking for trouble. Another stupid act is to do the same with an operating system. That’s just plain dumb as well.
