SentinelOne annonounces a decryptor to mitigate EvilQuest ransomware

SentinelOne has announced a new ransomware decryptor designed to roll back the ‘EvilQuest/ThiefQuest’ ransomware currently targeting macOS users. The decryptor, developed by SentinelOne’s research division SentinelLabs. In an effort to aid the macOS community and help ransomware victims reclaim files without making ransom payments, SentinelOne released the tool on GitHub. SentinelOne blocks EvilQuest ransomware at machine speed across each of its 4,000 customers.

“Cybercriminals are eager and adept at capitalizing on any opportunity to infect a user or organization with ransomware, regardless of the party’s operating system of choice,” said Migo Kedem, Senior Director, SentinelLabs. “The challenge for macOS users is that most security vendors neglect macOS, shipping subpar and ineffective products that cannot cope with today’s threat landscape. SentinelOne strategically invested in building the market’s leading macOS security solution, and we are happy to provide this tool for any macOS user to mitigate EvilQuest ransomware.”

The EvilQuest ransomware exhibits multiple behaviors including file encryption, data exfiltration, and keylogging. However, SentinelLabs research suggests that EvilQuest is not related to public key encryption and in fact often uses a table normally associated with block cipher RC2. Knowing this, the SentinelLabs team was able to break the EvilQuest encryption routine, unlocking files and disrupting the attack chain.