Part of the encryption causes the Finder not to work properly and the system crashes constantly. Once the malicious code is activated, it modifies the system and user files with unknown encryption. Malwarebytes notes that it takes some time before the ransomware starts working after it’s installed, so the user won’t associate it with the latest app installed. The set location is: /Library/LittleSnitchd/CrashReporter.
The script file is copied to a folder related to the Little Snitch app under the name CrashReporter, so the user won’t notice it running in the Activity Monitor since macOS has an internal app with a similar name. In this case, however, the script installs malware on macOS. The downloaded app comes with a PKG installer file, unlike its original version. By examining this PKG file, Malwarebytes discovered that the app comes with a “postinstall script,” which is typically used to clean up the installation after the process is completed. The malicious code was first found in a pirate copy of the Little Snitch app available on a Russian forum with torrent links.
Malwarebytes has analyzed the ransomware today, which is being distributed through macOS pirate apps. Mac users are now exposed to a new “ThiefQuest” ransomware that encrypts files and causes multiple issues with the operating system.
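The postinstall script and drop location described above suggest two defensive checks, sketched here as an added example that is not code from Malwarebytes or from the article: auditing an unpacked installer's scripts before running it, and looking for the reported path on disk. It assumes the package has already been unpacked so its Scripts directory is readable (for example with `pkgutil --expand`); the copy-command heuristic, the function names and the sample script are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

IOC_PATH = "/Library/LittleSnitchd/CrashReporter"   # location quoted in the article
SCRIPT_NAMES = {"preinstall", "postinstall"}        # scripts an installer package runs
# Heuristic (assumption of this example): commands that place a file at a destination.
COPY_CMD = re.compile(r"^\s*(?:sudo\s+)?(?:cp|mv|ditto|install)\s+(.+)$")

# Constructed sample, NOT the real script from the pirated installer.
SAMPLE_POSTINSTALL = """#!/bin/sh
mkdir -p /Library/LittleSnitchd
cp ./payload /Library/LittleSnitchd/CrashReporter
cp ./README.txt /Applications/Example.app/README.txt
cp ./helper /Library/ExampleVendor/helper
"""

def audit_expanded_pkg(root):
    """Return (severity, script, line number, line) for suspicious copies."""
    findings = []
    for script in sorted(Path(root).rglob("*")):
        if not script.is_file() or script.name not in SCRIPT_NAMES:
            continue
        lines = script.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            match = COPY_CMD.match(line)
            if not match:
                continue
            # Last argument of the copy command is treated as the destination.
            dest = match.group(1).split()[-1].strip("\"'")
            if dest == IOC_PATH:
                findings.append(("ioc", script.name, lineno, line.strip()))
            elif dest.startswith("/Library/"):
                findings.append(("review", script.name, lineno, line.strip()))
    return findings

def ioc_present(fs_root="/"):
    """True if the article's drop location exists under fs_root."""
    return (Path(fs_root) / IOC_PATH.lstrip("/")).exists()

def demo():
    """Write the constructed sample into a temp 'expanded package' and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = Path(tmp) / "Sample.pkg" / "Scripts"
        scripts.mkdir(parents=True)
        (scripts / "postinstall").write_text(SAMPLE_POSTINSTALL)
        return audit_expanded_pkg(tmp)
```

A "review" finding only means an install script writes under /Library and deserves a manual read; an "ioc" finding matches the exact location the article reports.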