American Security Council Foundation


Researchers Discover New macOS Ransomware Downloaded From Pirated Torrent Sites

Wednesday, July 15, 2020

Categories: ASCF News Emerging Threats Cyber Security


Computer security researchers have uncovered a ransomware strain that exclusively targets computers running the macOS operating system. Known as OSX.ThiefQuest, the new Mac ransomware variant differs from other ransomware threats in how it operates. Apart from encrypting files, the macOS ransomware installs a keylogger and a reverse shell on infected devices. ThiefQuest also steals cryptocurrency wallet-related user files from infected hosts. Researchers also found that the ransomware operators do not track payments and are unlikely to provide decryption keys even if victims pay the ransom.

Indicators of compromise of ThiefQuest macOS ransomware

Patrick Wardle, Principal Security Researcher at Jamf, said the ThiefQuest macOS ransomware maintains control over the infected host even after the ransom is paid. ThiefQuest operators continue to collect keystrokes and execute custom commands from their command-and-control server, which was located at andrewka6.pythonanywhere.com.

The ransomware disguises itself under various names such as “com.apple.questd” and “CrashReporter.” It also checks whether it is running on a virtual machine and whether any antivirus software is running on the system, in order to avoid detection.

Wardle said the macOS ransomware starts encrypting files as soon as it is executed. Once encryption completes, the ransomware displays a popup informing the user that their files have been encrypted. The message then directs the user to open a ransom note stored on the desktop.

ThiefQuest also modifies Google Chrome's update files so that the ransomware runs whenever those files are executed. However, Thomas Reed of Malwarebytes said that this behavior was still under investigation, because Google Chrome overwrites those files once it discovers that an external application has modified them.

The ransomware completes the process by installing a keylogger and a reverse shell to record the user's keystrokes and execute custom commands. The macOS ransomware also steals files belonging to cryptocurrency wallet applications.

The security experts believe the macOS ransomware was initially designed as spyware and that the encryption module was later added.
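As an added example (not from the article or the researchers it cites), the following Python helper scans constructed captures of `launchctl list`, `ps` and DNS log output for the indicators named above: the `com.apple.questd` launch item, a process posing as `CrashReporter` outside Apple's system directories, and traffic to `andrewka6.pythonanywhere.com`. The "outside /System/" rule for CrashReporter and the log formats are assumptions made for this example.

```python
"""Triage helper for the ThiefQuest indicators described in the article.
All sample data below is constructed for this example; log formats and the
path rule for CrashReporter are assumptions, not facts from the article."""
import re

C2_DOMAIN = "andrewka6.pythonanywhere.com"   # C2 host named in the article
SUSPECT_LABELS = {"com.apple.questd"}        # launch item name from the article
# Assumption: Apple's own crash-reporting binaries live under /System/, so a
# "CrashReporter" executable anywhere else is treated as the disguise.
APPLE_SYSTEM_PREFIX = "/System/"


def check_launch_items(lines):
    """lines: rows in 'launchctl list' style (PID, status, label). Return hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[2] in SUSPECT_LABELS:
            hits.append(("launch_item", parts[2]))
    return hits


def check_processes(lines):
    """lines: rows in 'ps -axo pid,comm' style (pid, executable path)."""
    hits = []
    for line in lines:
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if not m:
            continue                      # skip the header row
        path = m.group(2)
        name = path.rsplit("/", 1)[-1]
        if name == "CrashReporter" and not path.startswith(APPLE_SYSTEM_PREFIX):
            hits.append(("process", path))
    return hits


def check_dns(lines):
    """lines: DNS log entries; any lookup of the C2 host is a hit."""
    return [("dns", ln.strip()) for ln in lines if C2_DOMAIN in ln]


def triage(launch_lines, proc_lines, dns_lines):
    """Combine all checks; an empty list means no known indicator was seen."""
    return (check_launch_items(launch_lines) + check_processes(proc_lines)
            + check_dns(dns_lines))


# Constructed sample captures (one benign and one suspicious entry each).
SAMPLE_LAUNCH = ["PID\tStatus\tLabel", "-\t0\tcom.apple.questd", "412\t0\tcom.apple.Finder"]
SAMPLE_PROCS = ["  PID COMM", " 1041 /Users/alice/Library/CrashReporter",
                "  300 /System/Library/CoreServices/CrashReporter"]
SAMPLE_DNS = ["12:00:01 query A andrewka6.pythonanywhere.com", "12:00:02 query A apple.com"]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LAUNCH, SAMPLE_PROCS, SAMPLE_DNS):
        print(f"[{kind}] {detail}")
```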

Removing ThiefQuest ransomware infection

The researchers found that the ransomware operators had no contact information and no method of tracking payments, and so cannot know which user paid the ransom. Consequently, the researchers believe the ransom demand is a smokescreen to dupe desperate users into sending money with no hope of ever receiving decryption keys. The researchers advised affected users to consider their files lost and not to pay the ransom.

Together with Thomas Reed, director of Mac & Mobile at Malwarebytes, and Phil Stokes, macOS security researcher at SentinelOne, the researchers are working to create a decryptor that would spare Mac users from paying the ransom.

Wardle created a macOS ransomware protection tool named RansomWhere that can detect ThiefQuest ransomware. Malwarebytes for Mac can also protect Mac devices from this ransomware variant, according to Reed.

Because most people consider Macs to be immune to malware compared to Windows, Apple computers have become a lucrative target for cybercriminals who exploit macOS users' false sense of security. Consequently, there are many ransomware variants targeting macOS users, such as Gopher, Petya, KeRanger, Patcher, and Mabouia.

James McQuiggan, security awareness advocate at KnowBe4, commented that it was not surprising that threat actors were exclusively targeting Mac devices.

“It was only a matter of time before ransomware targeting Mac OS X became available in the wild, and it’s not a simple ransomware attack. Not only will the attack make your data unavailable, but it also contains other malware to steal credentials and other remote access functionality. For years, the Mac OS has provided a secure and private system for its end users. Cybercriminals are taking advantage of access to the system to enable the keyloggers to capture user credentials and passwords, which may not be evident via other attack methods.”

McQuiggan says the only guaranteed method of removing the ransomware is to wipe and reformat the infected devices. He says that recovering the files or paying the ransom could give users a false sense of relief, only for the infection to recur.

“Cyber criminals may leave additional files undetectable by anti-malware systems and could result in further unauthorized access or data theft.”

He advises individual computer users and organizations to keep updated on the latest malware and social engineering threats.

Mode of distribution of ThiefQuest

Dinesh Devadoss, a researcher at K7 Lab security, said the macOS ransomware had been in circulation since early June this year. Reed said ThiefQuest was spreading through pirated macOS software shared on various torrent sites and online forums. Apps used to spread the macOS ransomware include the DJ mixing software Mixed In Key, Ableton, and the Mac security tool Little Snitch. The researchers said that, apart from the listed apps, more trojanized apps existed in the wild. To avoid infection, users should avoid downloading pirated files and any files from suspicious sources and torrent websites.

Photo and Link: https://www.cpomagazine.com/cyber-security/researchers-discover-new-macos-ransomware-downloaded-from-pirated-torrent-sites/
