A free decryptor for victims of the ThiefQuest ransomware


Cybersecurity firm SentinelOne today released a free decryption tool that can help victims of the ThiefQuest ransomware recover their locked files. ThiefQuest – originally named EvilQuest – targets Mac users only.

Classifying ThiefQuest simply as a ransomware strain is not obvious. It is really a bundle of malicious code whose modules record keystrokes, install a reverse shell that gives backdoor access to infected hosts, steal financial data and, finally, encrypt files (the “ransomware” part proper).

Security researchers have been seeing this malware in the wild for more than a month. It is usually hidden inside pirated software shared through torrents or on online forums.

ThiefQuest has a faulty ransomware component

Based on the previous analyses [1, 2, 3], the malware is still at an early stage of development, and some of its components do not appear to work properly. Unfortunately for victims, the ransomware component is one of them: a number of its features are unfinished.

Researchers say that although ThiefQuest encrypts files as soon as it infects a macOS system, the malware has no mechanism to track which users have paid the ransom, nor any way for victims to contact the cybercriminals to find out how to pay and then unlock their files. This “detail” is obvious from reading its ransom note below:

[Image: the ThiefQuest ransom note. Credit: Patrick Wardle]

Since early June, users infected with ThiefQuest have had their files permanently locked, with no way to recover them – even if they paid the ransom.

SentinelOne publishes a free decryptor

However, SentinelOne security researchers announced that, after analyzing the ransomware’s code and comparing encrypted files with their original versions, they were able to reverse-engineer ThiefQuest’s encryption mechanism.

In a technical post published yesterday, the researchers explain that ThiefQuest uses a simple symmetric-key encryption scheme based on the RC2 algorithm, and that the ransomware stores the encryption/decryption key inside each locked file. The SentinelOne team says it was able to build an application (a decryptor) that extracts this key and unlocks the victims’ files.

SentinelOne’s ThiefQuest decryptor is currently available only in binary form, but the company plans to release the source code at a later date. It can be downloaded directly from this link or via the download link at the bottom of SentinelOne’s technical report. A video demonstrating how to use the decryptor is available here.

However, a new Malwarebytes report released today says that, in addition to encrypting files, ThiefQuest also infects other local files, behaving much like a virus. Additional cleanup may therefore be needed to avoid being reinfected or infecting other Macs.

Source: ZDNet.com

Source: www.zdnet.fr
