FacebookTwitterLinkedIn

How to uninstall EvilQuest ransomware from your computer

Also Known As: EvilQuest virus
Type: Mac Virus
Damage level: Severe

What is EvilQuest ransomware?

Discovered by Dinesh_Devadoss, EvilQuest (also known as ThiefQuest) is like many other malicious programs of this type - it encrypts files and creates a ransom message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions, however, this ransomware leaves them unchanged.

It drops the "READ_ME_NOW.txt" in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting if certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.

EvilQuest ransom note (pop-up window)

The EvilQuest ransom messages state that this ransomware ensures that victims are unable to access their documents, photos, videos, images and other files by encrypting them with the AES-256 algorithm. To regain access to their files, victims must supposedly use a decryption service at a cost equivalent to $50.

The payment must be made by transferring the equivalent amount of Bitcoins to the provided BTC wallet address. It is stated that victims have 72 hours to make the payment, after which it will no longer be possible to recover encrypted files. Files should be decrypted within two hours of payment.

In summary, victims are informed that it is impossible to decrypt files without paying a ransom. Most ransomware-type programs encrypt files with strong encryption algorithms, and only the cyber criminals behind them have valid tools that can decrypt files.

Despite this, you are strongly advised not to trust any cyber criminals behind ransomware attacks - victims who pay the ransoms do not receive anything in return and are scammed. In such cases, the only and free way to recover files is to restore them from a backup.

It is possible to prevent installed ransomware from causing further file encryption by removing it, however, already affected files remain inaccessible even after uninstallation. As mentioned, EvilQuest can detect some files, such as .wallet.pdf, wallet.png, *.p12 and key.png.

It is can also receive commands from a Command & Control server and execute them, log keystrokes and execute modules directly from memory. The keylogging feature allows cyber criminals to record pressed keys, and thus EvilQuest can be used to steal typed sensitive information such as credit card details, usernames, passwords and so on.

These information can be misused to steal identities and accounts, make fraudulent transactions and purchases, and for other malicious purposes. This malware is also capable of checking if it is running in a 'virtual machine' and checking if there are any security tools (e.g., Kaspersky, Norton, Avast, DrWeb, Mcaffee, Bitdefender, Bullguard) installed on the operating system.

Threat Summary:
Name EvilQuest virus
Threat Type Ransomware, Crypto Virus, Files locker.
Ransom Demand Message READ_ME_NOW.txt, pop-up window.
Ransom Amount $50 in Bitcoins
BTC Wallet Address 13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7
Detection Names Ad-Aware (Trojan.GenericKD.34092962), BitDefender (Trojan.GenericKD.34092962), ESET-NOD32 (OSX/Filecoder.I), Microsoft (Ransom:MacOS/Filecoder.YA!MTB), Full List Of Detections (VirusTotal)
Symptoms Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files.
Additional Information There is no way to contact cyber criminals behind this ransomware.
Distribution methods Infected email attachments (macros), torrent websites, malicious ads.
Damage All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing Trojans and malware infections can be installed together with a ransomware infection.
Malware Removal (Mac)

To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.
▼ Download Combo Cleaner for Mac
To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Note that, in most cases, ransomware targets Windows Operating Systems. Some examples of other malware of this type include Lxhlp, Zida and .HOW. Typically, it encrypts files and displays and/or creates a ransom message. Main differences are cost of decryption (size of ransom) and encryption algorithm (symmetric or asymmetric) that ransomware uses to render files inaccessible.

Victims can restore files free of charge/without having to contact or pay cyber criminals only when ransomware contains vulnerabilities (bugs, flaws). Unfortunately, this is rare, and the only other way to recover files after a ransomware attack is to restore them from a backup.

Therefore, you are advised to maintain backups on remote servers (such as Cloud) or unplugged storage devices.

How did ransomware install on my computer?

Research shows that this particular ransomware is distributed through pirated versions of popular macOS software. An example is the pirated version of Mix In Key software. EvilQuest is also distributed through a malicious, unofficial Little Snitch installer. Typically, pirated software is available for download on torrent websites and other dubious download pages.

Other popular ways that cyber criminals use to proliferate ransomware (and other malware) are via spam campaigns, Trojans, fake software updaters, and other rogue software download sources/channels or 'cracking' tools. Using spam campaigns, they send emails that contain malicious attachments or web links designed to download malicious files.

Their main goal is to deceive recipients into opening the attachment/file, which then causes installation of malicious software. Some examples of files that cyber criminals attach to their emails are malicious Microsoft Office, PDF documents, archive files (RAR, ZIP), executable files (.exe), and JavaScript files. Trojans are malicious programs that can cause damage simply by installing other malware - after installation they cause chain infections.

Fake (unofficial) software updaters install malicious programs rather than the updates fixes, or by exploiting bugs/flaws of outdated software that is installed on the computer. Examples of dubious file/software download channels are Peer-to-Peer networks (eMule) free file hosting websites, freeware download pages, third party downloaders, and other sources of this type.

Generally, malicious files are disguised as regular and harmless. When users download and execute them, they infect their computers with malware. Software 'cracking' tools supposedly help users to bypass activation of licensed software (activate it free of charge), however, they simply install malicious software (such as ransomware) instead.

How to avoid installation of malware

You are strongly advised not to trust irrelevant emails that are received from unknown, suspicious addresses. If they contain attachments (or web links), they should never be opened. Note that emails sent by cyber criminals are often disguised as important, official, and legitimate.

Update and activate installed software only with implemented functions or tools from official software developers. Unofficial activators and updaters infect computers with malware. Furthermore, the use of 'cracking' tools is illegal when activating any licensed software.

Download files and programs only from official websites. Third party downloaders (and installers), unofficial pages, and Peer-to-Peer networks should not be trusted. Regularly scan the computer with a reputable anti-spyware or antivirus suite, and keep this software up to date.

If your computer is already infected with PUAs, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.

Text in a pop-up window:

Your files are encrypted

 

Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted.

 

Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees.

 

Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file:  READ_ME_NOW.txt  located on your Desktop

Screenshot of "READ_ME_NOW.txt" ransom message:

EvilQuest ransom note (READ_ME_NOW.txt)

Text in this message:

YOUR IMPORTANT FILES ARE ENCRYPTED

 

Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service.

 

We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don't believe this statement).
Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there's a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included.
In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever.
Payment has to be deposited in Bitcoin based on Bitcoin/USD exchange rate at the moment of payment. The address you have to make payment is:

                    13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7

 

Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored.

 

THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE

Screenshot of files encrypted by EvilQuest:

Files encrypted by EvilQuest ransomware

Malicious installer designed to install EvilQuest:

evilquest ransomware installer

List of files related to this installer:

  • ~/Library/mixednkey/toolroomd
  • ~/Library/AppQuest/com.apple.questd
  • ~/Library/LaunchAgents/com.apple.questd.plist

Bear in mind that downloading software from dubious Torrent sites (such as ThePirateBay) is likely to lead to system infections:

EvilQuest ransomware distributed via Torrent sites

Update 8 July 2020 - Cybersecurity company SentinelOne has recently released a decryption tool designed to restore data encrypted by EvilQuest (ThiefQuest) ransomware and, therefore, victims can easily restore their data without paying. You can download the tool and find its manual on SentinelOne's GitHub web page.

Instant automatic Mac malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.

Quick menu:

Video showing how to remove adware and browser hijackers from a Mac computer:

Potentially unwanted applications removal:

Remove potentially unwanted applications from your "Applications" folder:

mac browser hijacker removal from applications folder

Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.

Remove adware-related files and folders

Mac Go To Folder step

Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...

Mac removing related files and folders - step 1Check for adware generated files in the /Library/LaunchAgents/ folder:

Mac go to /Library/LaunchAgents - step 1

In the Go to Folder... bar, type: /Library/LaunchAgents/

Mac go to /Library/LaunchAgents - step 2

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Mac removing related files and folders - step 2Check for adware generated files in the ~/Library/Application Support/ folder:

Mac go to /Library/Application Support - step 1

In the Go to Folder... bar, type: ~/Library/Application Support/

Mac go to /Library/Application Support - step 2

In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.

Mac removing related files and folders - step 3Check for adware generated files in the ~/Library/LaunchAgents/ folder:

Mac go to ~/Library/LaunchAgents - step 1

In the Go to Folder... bar, type: ~/Library/LaunchAgents/

Mac go to ~/Library/LaunchAgents - step 2

In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.

Mac removing related files and folders - step 4Check for adware generated files in the /Library/LaunchDaemons/ folder:

Mac go to /Library/LaunchDaemons - step 1

In the "Go to Folder..." bar, type: /Library/LaunchDaemons/

Mac go to /Library/LaunchDaemons - step 2

In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.

Mac removing malware related files and folders - step 5Scan your Mac with Combo Cleaner:

If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.

Mac remove malware with Combo Cleaner - step 1

Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.

Mac remove malware with Combo Cleaner - step 2

After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.

Remove malicious extensions from Internet browsers

Safari iconRemove malicious Safari extensions:

Removal of malicious extensions in Safari - step 1

Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".

Removal of malicious extensions in Safari - step 2

In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.

Google Chrome logoRemove malicious extensions from Google Chrome:

Removal of malicious extensions in Google Chrome - step 1

Click the Chrome menu icon Google Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".

Removal of malicious extensions in Google Chrome - step 2

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.

Mozilla Firefox logoRemove malicious extensions from Mozilla Firefox:

Removal of malicious extensions in Mozilla Firefox - step 1

Click the Firefox menu firefox menu icon (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".

Removal of malicious extensions in Mozilla Firefox - step 2

  • If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.

▼ Show Discussion

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Removal Instructions in other languages
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
EvilQuest virus QR code
Scan this QR code to have an easy access removal guide of EvilQuest virus on your mobile device.
We Recommend:

Get rid of Mac malware infections today:

▼ REMOVE IT NOW
Download Combo Cleaner for Mac

Platform: macOS

Editors' Rating for Combo Cleaner:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.