Thiefquest Mac Ransomware And Decryption

Thiefquest is the name of a strain of ransomware that made the rounds back in 2020. The malware was initially thought to be ransomware, as it would display a warning message and drop a ransom note. However, closer analysis revealed that the malware is not exactly a ransomware but rather a wiper.

Thiefquest displays a warning message on both Windows and Mac systems and drops a ransom note called READ_ME_NOW.txt on the desktop, and that note contains a bitcoin wallet string. Even so, security researchers found that any money sent there was more like a donation to the bad actors operating the malware.

Analysis showed that Thiefquest had no proper infrastructure and no solid victim identifiers, so its operators had no way of telling which victim had made a payment.

Researchers believe that the ransom note acts more like a smokescreen to mask the real purpose of the malware: data exfiltration and theft.

On MacOS systems, Thiefquest is distributed in fake, malware-laden app installers that pretend to be popular apps such as Ableton Live and Mixed In Key; curiously, both are applications geared towards people working in music production.

Once deployed on the victim's computer, Thiefquest starts encrypting files and finally displays a pop-up window with its message, the name of its ransom note, and a demand for a payment of $50.

In the current malware landscape, where threat actors target multi-million-dollar corporations and entities, a ransom demand of $50 seems laughable, but ransomware such as Thiefquest is not a targeted attack tool. While most modern ransomware operators carefully research their targets and execute precision attacks, ransomware such as Thiefquest is distributed through malicious spam campaigns or malicious downloads hosted online.

Additional research showed that Thiefquest's code contains no calls to its decryption routine, so there is virtually no way to restore encrypted files by sending money to the ransomware operators.

A curious feature of Thiefquest is that it actively seeks out executable files and appends malicious code to them, giving it virus-like behavior and making it one of the very few virus-like malware strains that affect MacOS systems.
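Because the strain described above modifies legitimate executables by appending code to them, one thing a defender can check for is Mach-O files whose on-disk size exceeds the region described by their own load commands. The script below is an added example written for this page, not code from the original article or from SentinelOne: it parses the load commands of a thin 64-bit Mach-O, computes the highest file offset any LC_SEGMENT_64 covers, and reports any bytes after that point. The assumption that appended code shows up as trailing data past the last segment is a generic heuristic, not a description of Thiefquest's actual infection format; universal (fat) binaries and 32-bit images are reported as unparsed rather than scanned, and the sample blobs in `build_sample` are constructed for the demo.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # thin 64-bit Mach-O, little-endian on disk
LC_SEGMENT_64 = 0x19
MACHO64_HEADER_LEN = 32           # mach_header_64 is eight 32-bit fields
SEGMENT64_CMD_LEN = 72            # fixed part of segment_command_64


def segments_file_extent(data: bytes) -> int:
    """Highest file offset covered by the header, load commands or any
    LC_SEGMENT_64. Raises ValueError for anything that is not a thin
    little-endian 64-bit Mach-O (fat binaries, 32-bit images, plain files)."""
    if len(data) < MACHO64_HEADER_LEN:
        raise ValueError("too short for a Mach-O header")
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = \
        struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    off = MACHO64_HEADER_LEN
    cmds_end = off + sizeofcmds
    if cmds_end > len(data):
        raise ValueError("load commands run past end of file")
    extent = cmds_end                       # header + commands always count
    for _ in range(ncmds):
        if off + 8 > cmds_end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > cmds_end:
            raise ValueError("malformed load command size")
        if cmd == LC_SEGMENT_64 and cmdsize >= SEGMENT64_CMD_LEN:
            # layout: cmd(4) cmdsize(4) segname(16) vmaddr(8) vmsize(8)
            #         fileoff(8) filesize(8) ...  -> fileoff starts at +40
            fileoff, filesize = struct.unpack_from("<2Q", data, off + 40)
            extent = max(extent, fileoff + filesize)
        off += cmdsize
    return extent


def trailing_bytes(data: bytes) -> int:
    """Number of bytes past the last segment-described region; 0 for a
    binary whose segments (normally ending with __LINKEDIT) reach EOF."""
    return max(0, len(data) - segments_file_extent(data))


def scan_file(path: str):
    """Return the trailing-byte count for a file, or None if it is not a
    thin 64-bit Mach-O this parser understands."""
    with open(path, "rb") as fh:
        data = fh.read()
    try:
        return trailing_bytes(data)
    except ValueError:
        return None


def build_sample(payload_len: int, overlay: bytes = b"") -> bytes:
    """Constructed, minimal Mach-O-shaped blob for the demo (hypothetical,
    not a real binary): one __TEXT segment covering the whole legitimate
    file, optionally followed by appended bytes standing in for an overlay."""
    sizeofcmds = SEGMENT64_CMD_LEN
    total = MACHO64_HEADER_LEN + sizeofcmds + payload_len
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, sizeofcmds, 0, 0)
    segment = struct.pack("<2I16s4Q2I2I",
                          LC_SEGMENT_64, SEGMENT64_CMD_LEN, b"__TEXT",
                          0x100000000, total, 0, total, 7, 5, 0, 0)
    return header + segment + b"\x90" * payload_len + overlay


if __name__ == "__main__":
    clean = build_sample(64)
    tampered = build_sample(64, b"\xcc" * 300)
    print("clean sample trailing bytes:   ", trailing_bytes(clean))      # 0
    print("tampered sample trailing bytes:", trailing_bytes(tampered))   # 300
```

In practice the function would be run over the executables inside application bundles and compared against a known-good baseline, since the load-command extent is a heuristic: it flags appended data, but a modifier that also rewrites the segment table would not be caught this way, so pairing it with hash-based integrity checks is the sensible defensive posture.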

For Mac users, there is a free decryption tool for Thiefquest published online. The tool was developed by the cybersecurity company SentinelOne and is based on a decryption function found inside the malware's code. You can download the tool for free online and then use it to decrypt a system that has been affected by the Thiefquest malware.

May 24, 2021
