
Poor coding in ThiefQuest, malware disguised as ransomware that targets macOS users, allows the recovery of encrypted files that would otherwise be lost without a backup.

While the malware (initially named EvilQuest) deploys the encryption routine immediately after infecting a system, paying a ransom is not an option because the ransom note offers no way to contact the attackers.

The ransom note informs victims that they have 72 hours to pay $50 if they want to unlock the encrypted files and provides a static Bitcoin wallet address to transfer the funds. However, there is no email address to contact the attacker for instructions about decryption.

ThiefQuest encryption message
ThiefQuest ransom note

After analyzing how ThiefQuest works, BleepingComputer believes that its true purpose is to search for and steal files from infected systems. Below is the data exfiltration script:

The malware looks in the /Users folder to steal files with the following extensions:

.pdf, .doc, .jpg, .txt, .pages, .pem, .cer, .crt, .php, .py, .h, .m, .hpp, .cpp, 
.cs, .pl, .p, .p3, .html, .webarchive, .zip, .xsl, .xslx, .docx, .ppt, .pptx, 
.keynote, .js, .sqlite3, .wallet, .dat
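For incident scoping, the extension list above can be turned into an exposure inventory of a user directory. This is an added example, not code from BleepingComputer or SentinelOne; the `ROTATE` set, the case-insensitive match and the sample tree are assumptions made for illustration.

```python
import os
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article lists as exfiltration targets (copied as published).
TARGETED = set("""
.pdf .doc .jpg .txt .pages .pem .cer .crt .php .py .h .m .hpp .cpp
.cs .pl .p .p3 .html .webarchive .zip .xsl .xslx .docx .ppt .pptx
.keynote .js .sqlite3 .wallet .dat
""".split())

# Assumption (not from the article): types that usually hold key material
# and therefore warrant rotation once exposure is suspected.
ROTATE = {".pem", ".wallet"}


def exposure_inventory(root):
    """Return (Counter of targeted extensions, sorted paths needing rotation)."""
    counts, rotate = Counter(), []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            # Lower-casing is a conservative assumption; the article does not
            # say whether the malware matches case-sensitively.
            ext = Path(name).suffix.lower()
            if ext in TARGETED:
                counts[ext] += 1
                if ext in ROTATE:
                    rotate.append(os.path.join(dirpath, name))
    return counts, sorted(rotate)


def demo():
    """Inventory a constructed sample tree (not real victim data)."""
    sample = ["alice/Documents/report.PDF", "alice/.ssh/deploy.pem",
              "alice/Music/song.mp3", "bob/coins.wallet", "bob/src/main.cpp"]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in sample:
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed")
        counts, rotate = exposure_inventory(tmp)
        return dict(counts), [os.path.relpath(p, tmp) for p in rotate]


if __name__ == "__main__":
    counts, rotate = exposure_inventory(sys.argv[1] if len(sys.argv) > 1 else "/Users")
    for ext, n in counts.most_common():
        print(f"{n:8d}  {ext}")
    print("Rotate or revoke:", *rotate, sep="\n  ")
```

Run it with a directory argument to inventory a restored backup or a mounted disk image instead of the live `/Users` folder.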

Unlocking the files

Malware analysts at cybersecurity company SentinelOne noticed that ThiefQuest uses a custom symmetric encryption routine based on the RC2 algorithm.

Looking deeper inside the code, the researchers found the function in charge of the encryption and learned that the 128-byte symmetric key is encoded in a simple way.

Comparing an encrypted file to its original, the researchers discovered that the former comes with an extra data block, which contains the encryption/decryption key and the key that encodes it.

“This means that the clear text key used for encoding the file encryption key ends up being appended to the encoded file encryption key. Taking a look at a completely encrypted file shows that a block of data has been appended to it” – Jason Reaves, SentinelOne

Reversing the encryption process did not require much effort, since the attacker failed to remove the function responsible for decryption. As a result, calling this function unlocks the data.

These findings allowed SentinelOne to develop a decryption tool for files locked by ThiefQuest “ransomware.” The company is offering the decryptor for free, under the GNU GPL v2 free software license.

Once ThiefQuest begins its routine, there is no way to ensure the privacy of the data on the computer, but at least affected users can decrypt their files.

Source: Bleeping Computer
