Fraud Management & Cybercrime , Ransomware

Ransomware Targets Mac Users

Malwarebytes Says Malware Hidden in Fake Installer for 'Little Snitch' App
Ransomware Targets Mac Users
Ransomware targeting Mac users is being distributed through a fake installer for Little Snitch - logo shown above. (Illustration: Little Snitch)

A ransomware strain targeting Mac users is spreading via a fake installer for Little Snitch – a host-based application firewall for macOS - according to the security firm Malwarebytes.

See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack

While it can be destructive, this “EvilQuest” ransomware is poorly designed, says Thomas Reed, a director at Malwarebytes. For example, the malware sometimes faces issues with installation, and it cannot always generate a ransom note, he says.

Malwarebytes has not yet determined how many victims have been hit with EvilQuest, Reed says.


The malware is being distributed through a fraudulent installer for Little Snitch that was found on a Russian forum dedicated to sharing Torrent links, says Reed, who received a tip on the malware from Twitter user @beatsballert and then tested the fake installer

"A [forum] post offered a torrent download for Little Snitch, and was followed by a number of comments that the download included malware. In fact, we discovered that not only was it malware, but a new Mac ransomware variant spreading via piracy," Reed says.

So far, only those who download Mac apps via Torrent are at risk, Reed says, but he suspects there are other points of distribution.

The legitimate Little Snitch app, created by Objective Development, alerts a user whenever an app attempts to connect to a server on the internet, allowing the user to decide whether to allow or deny the connection.

Poorly Designed Installer

Reed notes it's easy to spot the fake installer because it lacks the professional appearance found on Objective Development's site.

In addition to installing Little Snitch, the fake installer also installs an executable named "patch." A postinstall shell script is downloaded and executes after installation is complete. Having such a postinstall script is normal for this type of app, but in this case it is used to load the malware, according to the report.

Reed discovered a second installer inside Little Snitch for the DJ software Mixed In Key 8 that also drops the ransomware.

If the installation process goes as planned, the malware is activated and proceeds to encrypt files on the hard drive, Reed says. But in testing the fake installer, Reed discovered a number of malfunctions.

"I left it running on a real machine for some time with no results, then started playing with the system clock. After setting it ahead three days, disconnecting from the network, and restarting the computer a couple times, it finally began encrypting files," Reed notes.

Since the ransomware was just detected, further analysis is needed to answer some basic questions, such as what encryption it uses and whether the key can be easily found in the code, Reed adds.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.