This Mac ransomware is old but it could still cause you big problems

Ransomware is a major cybersecurity issue - and it doesn't matter which operating system you use.
Written by Danny Palmer, Senior Writer
Image: Getty/GaudiLab

Ransomware attacks aren't just a threat to Windows operating systems -- they're encrypting files on macOS devices and demanding ransom payments for a decryption tool, too. 

Cybersecurity researchers at Microsoft Security Threat Intelligence have detailed several ransomware campaigns targeting Apple-based computers and networks -- and the methods of attack are very familiar to those used by cyber criminals targeting Microsoft Windows and other operating systems. 

In many instances, the initial compromise occurs after the user is tricked into providing access to cyber criminals, such as by opening phishing emails or downloading and then running fake or trojanized applications that install ransomware. 

The ransomware can also arrive as a second-stage payload dropped by other malware that has been previously installed on the machine, either by the same cyber criminals or access brokers leasing out access to compromised systems, or uploaded as part of a software supply chain attack, where attackers have managed to compromise a software update. 

Also: Ransomware: Why it's still a big threat, and where the gangs are going next

While most ransomware campaigns target Windows systems, and are likely drawn in by the sheer number of organizations that base their infrastructure on Microsoft Windows, Macs aren't immune. Ransonmware on Macs isn't a new phenomenon. But researchers warn the evolution of the attacks on MacOS demonstrate how ransomware isn't just a threat to one particular operating system. 

"Ransomware continues to be one of the most prevalent and impactful threats affecting organizations, with attackers constantly evolving their techniques and expanding their tradecraft to cast a wider net of potential targets," Microsoft said in a blog post. 

"While these malware families are old, they exemplify the range of capabilities and malicious behaviour possible on the platform," they added. 

Like other forms of ransomware on other operating systems, ransomware targeting MacOS comes equipped with features designed to achieve persistence and avoid detection until it's too late.  

These features include delaying execution of the malware to avoid detection in the earliest stages of the attack, instructions to run each time the machine is started, and using legitimate features in MacOS to run commands and help spread the attack. 

But one particular form of Mac ransomware looks as if it has much more in mind than the sole focus on encrypting files and demanding an extortion payment -- analysis shows that it has much more powerful capabilities, too. 

The ransomware is known as EvilQuest, which first emerged in 2020 and is still targeting Mac systems today. 

According to Microsoft, newer versions of EvilQuest come with additional capabilities, including keylogging, which sends a record of what the infected victim types with their keyboard to attackers, something that can be exploited to secretly steal usernames and passwords. 

EvilQuest is also capable of disabling security software, a tactic used to reduce the chances of the ransomware being spotted before the final attack is triggered. 

Other forms of Mac ransomware detailed by Microsoft include KeRanger, FileCoder, and MacRansom -- and they all use techniques designed to make manual discovery by users or cybersecurity teams difficult.  

Microsoft says it has detailed extensive information on the Mac ransomware to aid defence against attacks. 

Also: Google warns: Android 'patch gap' is leaving these smartphones vulnerable to attack

"Ransomware continues to be one of the most significant threats affecting any platform. Our analysis of ransomware on Mac operating systems shows how its creators use various techniques to remain hidden from automated analysis systems or make manual inspection by analysts challenging," said the write-up. 

"Understanding ransomware routines and their effects on any device or platform is essential for individual users to take steps towards device and data protection."

Some of the advice over how to avoid falling victim to ransomware includes only installing applications from trusted sources, such as a software platform's official app store, and restricting access to privileged resources if users don't need them, as that approach will help prevent the spread of ransomware. 

It's also recommended that operating systems are kept up to date with the latest security patches to ensure they're protected against cyberattacks that exploit known vulnerabilities. 

And no matter which operating system is being used, organizations should help employees understand how to maintain good cybersecurity hygiene. 


Editorial standards