How to uninstall EvilQuest ransomware from a computer?

Also Known As: EvilQuest virus
Type: Mac Virus
Distribution: Low
Damage level: Severe

How to remove EvilQuest from Mac?

What is EvilQuest ransomware?

EvilQuest (also known as ThiefQuest) was discovered by Dinesh_Devadoss. Like many other malicious programs of this type, EvilQuest encrypts victims' files and creates a ransom note. Most ransomware renames encrypted files by appending a particular extension; EvilQuest leaves file names unchanged. It drops a "READ_ME_NOW.txt" file in every folder that contains encrypted data and displays a second ransom note in a pop-up window. Additionally, the malware can detect whether certain files are present on the computer, operate as a keylogger, and receive commands from a Command & Control (C2) server.

EvilQuest ransom note (pop-up window)

As explained in EvilQuest's ransom notes, the ransomware prevents victims from accessing documents, photos, videos, images and other files by encrypting them with the AES-256 algorithm. To regain access, victims are supposed to use a decryption service that costs $50, payable by transferring the equivalent amount of Bitcoin to the provided BTC wallet address. The notes state that victims have 72 hours to pay, after which decryption will no longer be possible, and that files will be decrypted within 2 hours of payment. In short, victims are told that it is impossible to decrypt their files without paying the ransom. Unfortunately, this is true: most ransomware-type programs encrypt files with strong encryption algorithms, and the cyber criminals behind them are the only ones who hold the tools that can decrypt the victims' files. Even so, it is strongly recommended not to trust these or any other cyber criminals behind a ransomware attack; in most cases victims who pay the ransom receive nothing in return. In other words, they get scammed. In such cases the only free way to recover files is to restore them from a backup. Uninstalling the ransomware prevents it from encrypting further (not yet encrypted) files, but files that are already encrypted remain inaccessible after its removal.

As mentioned in the introduction, EvilQuest can detect certain files, such as .wallet.pdf, wallet.png, *.p12 and key.png. It can also receive commands from the Command & Control server and execute them, log keystrokes, and execute modules directly from memory. The keylogging feature lets cyber criminals record pressed keys, which means EvilQuest may be used to steal typed sensitive information such as credit card details, usernames and passwords. Such information may be misused to steal identities and accounts, make fraudulent transactions and purchases, and for other malicious purposes. The malware is also capable of checking whether it is running in a virtual machine and whether any security tools (e.g., Kaspersky, Norton, Avast, DrWeb, McAfee, Bitdefender, Bullguard) are installed on the operating system.

Threat Summary:
Name: EvilQuest virus
Threat Type: Ransomware, Crypto Virus, Files locker
Ransom Demanding Message: READ_ME_NOW.txt, pop-up window
Ransom Amount: $50 in Bitcoins
BTC Wallet Address: 13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7
Detection Names: Ad-Aware (Trojan.GenericKD.34092962), BitDefender (Trojan.GenericKD.34092962), ESET-NOD32 (OSX/Filecoder.I), Microsoft (Ransom:MacOS/Filecoder.YA!MTB), Full List Of Detections (VirusTotal)
Symptoms: Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files.
Additional Information: There is no way to contact the cyber criminals behind this ransomware.
Distribution methods: Infected email attachments (macros), torrent websites, malicious ads.
Damage: All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.

It is worth mentioning that ransomware most often targets Windows operating systems; some examples of other malware of this type are Lxhlp, Zida and .HOW. Ransomware typically encrypts files and displays and/or creates a ransom note; the main differences between variants are the price of decryption (the size of the ransom) and the encryption algorithm (symmetric or asymmetric) used to make files inaccessible. Victims can restore files for free, without contacting and paying cyber criminals, only when the ransomware has vulnerabilities (bugs or flaws). Unfortunately, this does not happen often, and the only way to recover files after a ransomware attack is to restore them from a backup. Therefore, it is recommended to always keep a data backup stored on a remote server (such as the cloud) or on an unplugged storage device.

How did ransomware install on my computer?

Research shows that this particular ransomware is distributed through pirated versions of popular macOS software; one example is a pirated version of the Mixed In Key software. EvilQuest is also distributed through a malicious, unofficial Little Snitch installer. Pirated software is typically available for download on torrent websites and other unreliable download pages. Other common ways that cyber criminals proliferate ransomware (and other malware) are spam campaigns, Trojans, fake software updaters, other questionable download sources/channels, and software 'cracking' tools. In the first case, they send emails containing malicious attachments or web links designed to download malicious files; the goal is to deceive recipients into opening a malicious attachment/file that installs malware. Examples of files that cyber criminals attach to such emails are malicious Microsoft Office and PDF documents, archive files (such as RAR and ZIP), executable files (such as .exe) and JavaScript files. Trojans are malicious programs that cause damage simply by installing other malware; after installation they cause chain infections. Fake (unofficial) software updaters do harm by installing malicious programs instead of the promised updates or fixes, or by exploiting bugs and flaws in outdated software installed on the user's computer. Examples of unreliable file and software download channels are Peer-to-Peer networks (such as eMule), free file hosting websites, freeware download pages, third-party downloaders and other sources of this type. As a rule, malicious files are disguised as regular, harmless ones; when users download and execute them, they infect their computers with malware. Software 'cracking' tools are programs that supposedly help users bypass the activation of licensed software (activate it for free). However, more often than not such tools do not activate any software. Instead, they simply install malicious software, e.g., ransomware.

How to avoid installation of malware?

It is strongly recommended not to trust irrelevant emails received from unknown or suspicious addresses; attachments (or web links) in such emails should not be opened. Note that emails sent by cyber criminals are often disguised as important, official and legitimate. Furthermore, installed software should be updated and/or activated only with the built-in functions or tools provided by the official software developers. Users who rely on unofficial activators or updaters very often infect their computers with malware. Another problem with unofficial activators ('cracking' tools) is that it is not legal to use them to activate licensed software. Another way to avoid installing malicious software is to download files and programs only from official websites; third-party downloaders (and installers), unofficial pages and Peer-to-Peer networks should not be trusted. Finally, any computer should be regularly scanned with a reputable, up-to-date anti-spyware or antivirus suite. If your computer is already infected with PUAs, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.

Text in a pop-up window:

Your files are encrypted

Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted.

Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees.

Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop

Screenshot of "READ_ME_NOW.txt" ransom note:

Text in this note:

YOUR IMPORTANT FILES ARE ENCRYPTED

Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service.

We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don't believe this statement).
Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there's a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included.
In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever.
Payment has to be deposited in Bitcoin based on Bitcoin/USD exchange rate at the moment of payment. The address you have to make payment is:

13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7

Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored.

THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE

Screenshot of files encrypted by EvilQuest:

Malicious installer designed to install EvilQuest:

List of files related to this installer:

  • ~/Library/mixednkey/toolroomd
  • ~/Library/AppQuest/com.apple.questd
  • ~/Library/LaunchAgents/com.apple.questd.plist
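The three paths above are the quickest way to confirm an infection on a given Mac. The following script is an added example, not part of the original guide or of any vendor tool: it checks a home directory for exactly those artifacts, counts the READ_ME_NOW.txt notes (the article says one is dropped in every folder holding encrypted data), and moves any artifacts found into a quarantine folder rather than deleting them, so they can still be handed to an analyst. Only the paths and the note name come from the article; the function names, the quarantine layout and the use of launchctl unload to stop the agent before moving its plist are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original guide): detect, measure and quarantine
# the EvilQuest/ThiefQuest artifacts listed in the article. The three relative
# paths and the ransom note name are from the article; everything else is ours.

# Artifact paths relative to the victim's home directory, as listed in the guide.
EVILQUEST_ARTIFACTS="Library/mixednkey/toolroomd Library/AppQuest/com.apple.questd Library/LaunchAgents/com.apple.questd.plist"
RANSOM_NOTE_NAME="READ_ME_NOW.txt"

# check_evilquest_artifacts [HOME_DIR]
# Prints "FOUND: <path>" for each artifact present under HOME_DIR ($HOME by
# default). Returns 0 when nothing is found and 1 when at least one artifact
# exists, so it can be used directly in an if-statement.
check_evilquest_artifacts() {
    base="${1:-$HOME}"
    found=0
    for rel in $EVILQUEST_ARTIFACTS; do
        if [ -e "$base/$rel" ]; then
            printf 'FOUND: %s\n' "$base/$rel"
            found=1
        fi
    done
    return "$found"
}

# count_ransom_notes DIR
# Number of READ_ME_NOW.txt copies under DIR: a rough measure of how many
# folders hold encrypted data, useful when scoping the damage before restoring.
count_ransom_notes() {
    find "$1" -type f -name "$RANSOM_NOTE_NAME" 2>/dev/null | wc -l | tr -d ' '
}

# quarantine_evilquest_artifacts HOME_DIR QUARANTINE_DIR
# Unloads the LaunchAgent first when launchctl is available (macOS only; on other
# systems only the move happens), then moves each artifact into QUARANTINE_DIR
# instead of deleting it. Encrypted user files are never touched.
quarantine_evilquest_artifacts() {
    base="$1"
    qdir="$2"
    mkdir -p "$qdir"
    plist="$base/Library/LaunchAgents/com.apple.questd.plist"
    if [ -e "$plist" ] && command -v launchctl >/dev/null 2>&1; then
        launchctl unload "$plist" 2>/dev/null || true
    fi
    for rel in $EVILQUEST_ARTIFACTS; do
        if [ -e "$base/$rel" ]; then
            mv "$base/$rel" "$qdir/"
            printf 'QUARANTINED: %s\n' "$rel"
        fi
    done
}

# Stand-alone use: report on the current user's home directory.
if check_evilquest_artifacts "$HOME"; then
    echo "No EvilQuest artifacts found under $HOME"
else
    echo "Ransom notes under $HOME: $(count_ransom_notes "$HOME")"
fi
```

Run the check first; only if it reports artifacts, call quarantine_evilquest_artifacts "$HOME" ~/evilquest-quarantine, then proceed with the manual steps below. The quarantine folder can be deleted once the samples are no longer needed.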

Bear in mind that downloading software from questionable Torrent sites (such as ThePirateBay) is very likely to lead to various system infections:

EvilQuest ransomware distributed via Torrent sites

Update July 8, 2020 - Cybersecurity company SentinelOne has released a decryption tool that restores data encrypted by EvilQuest (ThiefQuest) ransomware, which means victims can restore their data without paying. The tool and its manual can be found on SentinelOne's GitHub page.

Potentially unwanted applications removal:

Remove potentially unwanted applications from your "Applications" folder:

Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Remove EvilQuest virus-related files and folders:

Click the Finder icon. From the menu bar, choose Go and click Go to Folder...

Step 1: Check for adware-generated files in the /Library/LaunchAgents folder:

In the Go to Folder... bar, type: /Library/LaunchAgents

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware: "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the same string.

Step 2: Check for adware-generated files in the /Library/Application Support folder:

In the Go to Folder... bar, type: /Library/Application Support

In the "Application Support" folder, look for any recently-added suspicious folders, for example "MplayerX" or "NicePlayer", and move these folders to the Trash.

Step 3: Check for adware-generated files in the ~/Library/LaunchAgents folder:

In the Go to Folder... bar, type: ~/Library/LaunchAgents

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware: "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the same string.

Step 4: Check for adware-generated files in the /Library/LaunchDaemons folder:

In the Go to Folder... bar, type: /Library/LaunchDaemons

In the "LaunchDaemons" folder, look for recently-added suspicious files, for example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
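Steps 1 to 4 all come down to the same question: which launchd jobs appeared recently in the three persistence folders, and what do they actually run? The script below is an added example, not part of the original guide: it lists every .plist in those folders modified within the last N days (7 by default) and prints each job's Label and program path, so "suspicious" can be judged from what the job launches rather than from its file name alone. The folder list comes from the guide; the function names, the 7-day default and the plutil-based reading of the plist (with a plain grep fallback for XML plists on systems without plutil) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): enumerate recently added or
# changed launchd jobs in the folders the guide inspects by hand (Steps 1-4)
# and show what each one launches.

# list_recent_plists DAYS DIR...
# Prints every *.plist directly inside the given directories whose modification
# time is within the last DAYS days. Missing directories are skipped silently.
list_recent_plists() {
    days="$1"; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -name '*.plist' -mtime "-$days" 2>/dev/null
    done
}

# describe_plist FILE
# Prints the Label and the program a launchd job runs. On macOS, plutil -p reads
# both binary and XML plists and we keep the Label/Program/ProgramArguments
# lines plus array entries. Elsewhere a plain-text fallback extracts the
# <string> following each Label or Program key from an XML plist (ProgramArguments
# arrays are only shown via plutil).
describe_plist() {
    f="$1"
    if command -v plutil >/dev/null 2>&1; then
        plutil -p "$f" 2>/dev/null \
            | grep -E '"(Label|Program|ProgramArguments)"|^ +[0-9]+ => '
    else
        grep -A1 -E '<key>(Label|Program)</key>' "$f" \
            | grep -o '<string>[^<]*</string>' \
            | sed 's/<[^>]*>//g'
    fi
}

# audit_launch_items [DAYS]
# Runs both helpers over the three folders from the guide (user LaunchAgents
# expanded to the current user's home) and prints one block per recent job.
audit_launch_items() {
    days="${1:-7}"
    list_recent_plists "$days" \
        /Library/LaunchAgents "$HOME/Library/LaunchAgents" /Library/LaunchDaemons \
    | while IFS= read -r f; do
        printf '== %s\n' "$f"
        describe_plist "$f"
    done
}

# Stand-alone use: audit_launch_items, optionally with a day count argument.
audit_launch_items "${1:-7}"
```

A job whose Label imitates an Apple name but whose program lives under ~/Library (the pattern of com.apple.questd in the file list above) is exactly what this output makes visible at a glance.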

Step 5: Scan your Mac with Combo Cleaner:

If you have followed all the steps in the correct order, your Mac should be clean of infections. To be sure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double-click the combocleaner.dmg installer and, in the opened window, drag and drop the Combo Cleaner icon onto the Applications icon. Now open your Launchpad and click the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.

Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found", you can continue with the removal guide; otherwise, it is recommended to remove any found infections before continuing.

After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

EvilQuest virus removal from Internet browsers:

Remove malicious extensions from Safari:

Remove EvilQuest virus-related Safari extensions:

Open the Safari browser; from the menu bar, select "Safari" and click "Preferences...".

In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.

Remove malicious plug-ins from Mozilla Firefox:

Remove EvilQuest virus-related Mozilla Firefox add-ons:

Open your Mozilla Firefox browser. In the top right corner of the screen, click the "Open Menu" (three horizontal lines) button. From the opened menu, choose "Add-ons".

Choose the "Extensions" tab and look for any recently-installed suspicious add-ons. When located, click the "Remove" button next to it/them. Note that you can safely uninstall all extensions from your Mozilla Firefox browser - none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.

Remove malicious extensions from Google Chrome:

Remove EvilQuest virus-related Google Chrome add-ons:

Open Google Chrome and click the "Chrome menu" (three horizontal lines) button located in the top-right corner of the browser window. From the drop-down menu, choose "More Tools" and select "Extensions".

In the "Extensions" window, look for any recently-installed suspicious add-ons. When located, click the "Trash" button next to it/them. Note that you can safely uninstall all extensions from your Google Chrome browser - none are crucial for normal browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have over 10 years of experience working in various companies related to solving computer technical issues and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

The PCrisk security portal is brought to you by the company RCS LT. The joined forces of its security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.
