The Cyber-security firm SentinelOne has released today a free decryptor app that can help victims of the ThiefQuest ransomware recover their locked files. The ThiefQuest ransomware — initially identified under the name of EvilQuest — targets only Mac users.
“The ThiefQuest malware, which was discovered last week, may not actually be ransomware according to new findings. The behaviors that have been documented thus far are still all accurate, but we no longer believe that the ransom is the actual goal of this malware.” Thomas Reed wrote on Malwarebytes blog.
The presence of keylogging and backdoor code, discovered by Patrick Wardle, is unusual in ransomware. Unheard of on the Mac, really, but then we haven’t seen much ransomware on this side of the street. This discovery indicated that there was something strange about this threat.
There are also several clues left right in the ransom note itself:
The first clue is that the price of decryption is $50 USD. That’s a strangely low price, and in USD rather than Bitcoin, and the victim would be expected to calculate the correct amount of Bitcoin at the exchange rate at that moment. This by itself, however, isn’t proof of anything.
There was another finding later noticed by Lawrence Abrams, of Bleeping Computer, who has more experience with ransomware in the Windows world than most of the Mac researchers who were investigating. There was no email address provided in the ransom note, so there’s no way to get in touch with the criminals behind the malware to get your decryption key—and no way for them to contact you either.
Further, when ransom notes obtained from different systems were compared, it was discovered that the Bitcoin address given is the same for everyone. This means that there would be no way for the criminals to verify who paid the ransom.
However, security researchers from SentinelOne announced that after analyzing the ransomware source code and the differences between encrypted files and their original versions, they were able to reverse engineer ThiefQuest’s encryption mechanism.
In a technical blog post published earlier today, researchers said that ThiefQuest uses a simple symmetric-key encryption system based on the RC2 algorithm and that the ransomware stores the encryption/decryption key inside each locked file.
The SentinelOne teams said it was able to create an application (known as a decryptor) that extracts this key and unlocks victims’ files. SentinelOne’s ThiefQuest decryptor is provided in a binary form for now but the company said it plans to open-source the code at a later date.
A decryptor for files that may have gotten encrypted is available on GitHub. It is a command-line tool, so if you’ve had files encrypted, you’ll need to run the decryptor from the Terminal.
Last month, the Cyber-criminals gang behind the Shade Ransomware (Troldesh) has released over 750,000 decryption keys, and apologized for the harm they caused their victims. The Shade Ransomware has been in operation since around 2014. Unlike other ransomware families that specifically avoid encrypting victims in Russia and other CIS countries, Shade targets people in Russia and Ukraine predominantly.
