How to uninstall EvilQuest ransomware from your computer
Written by Tomas Meskauskas on (updated)
What is EvilQuest ransomware?
Discovered by Dinesh_Devadoss, EvilQuest (also known as ThiefQuest) is like many other malicious programs of this type - it encrypts files and creates a ransom message. In most cases, this type of malware modifies the names of encrypted files by appending certain extensions, however, this ransomware leaves them unchanged.
It drops the "READ_ME_NOW.txt" in each folder that contains encrypted data and displays another ransom message in a pop-up window. Additionally, this malware is capable of detecting if certain files are stored on the computer, operates as a keylogger, and receives commands from a Command & Control server.
The EvilQuest ransom messages state that this ransomware ensures that victims are unable to access their documents, photos, videos, images and other files by encrypting them with the AES-256 algorithm. To regain access to their files, victims must supposedly use a decryption service at a cost equivalent to $50.
The payment must be made by transferring the equivalent amount of Bitcoins to the provided BTC wallet address. It is stated that victims have 72 hours to make the payment, after which it will no longer be possible to recover encrypted files. Files should be decrypted within two hours of payment.
In summary, victims are informed that it is impossible to decrypt files without paying a ransom. Most ransomware-type programs encrypt files with strong encryption algorithms, and only the cyber criminals behind them have valid tools that can decrypt files.
Despite this, you are strongly advised not to trust any cyber criminals behind ransomware attacks - victims who pay the ransoms do not receive anything in return and are scammed. In such cases, the only and free way to recover files is to restore them from a backup.
It is possible to prevent installed ransomware from causing further file encryption by removing it, however, already affected files remain inaccessible even after uninstallation. As mentioned, EvilQuest can detect some files, such as .wallet.pdf, wallet.png, *.p12 and key.png.
It is can also receive commands from a Command & Control server and execute them, log keystrokes and execute modules directly from memory. The keylogging feature allows cyber criminals to record pressed keys, and thus EvilQuest can be used to steal typed sensitive information such as credit card details, usernames, passwords and so on.
These information can be misused to steal identities and accounts, make fraudulent transactions and purchases, and for other malicious purposes. This malware is also capable of checking if it is running in a 'virtual machine' and checking if there are any security tools (e.g., Kaspersky, Norton, Avast, DrWeb, Mcaffee, Bitdefender, Bullguard) installed on the operating system.
| Name | EvilQuest virus |
| Threat Type | Ransomware, Crypto Virus, Files locker. |
| Ransom Demand Message | READ_ME_NOW.txt, pop-up window. |
| Ransom Amount | $50 in Bitcoins |
| BTC Wallet Address | 13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7 |
| Detection Names | Ad-Aware (Trojan.GenericKD.34092962), BitDefender (Trojan.GenericKD.34092962), ESET-NOD32 (OSX/Filecoder.I), Microsoft (Ransom:MacOS/Filecoder.YA!MTB), Full List Of Detections (VirusTotal) |
| Symptoms | Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files. |
| Additional Information | There is no way to contact cyber criminals behind this ransomware. |
| Distribution methods | Infected email attachments (macros), torrent websites, malicious ads. |
| Damage | All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing Trojans and malware infections can be installed together with a ransomware infection. |
| Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Note that, in most cases, ransomware targets Windows Operating Systems. Some examples of other malware of this type include Lxhlp, Zida and .HOW. Typically, it encrypts files and displays and/or creates a ransom message. Main differences are cost of decryption (size of ransom) and encryption algorithm (symmetric or asymmetric) that ransomware uses to render files inaccessible.
Victims can restore files free of charge/without having to contact or pay cyber criminals only when ransomware contains vulnerabilities (bugs, flaws). Unfortunately, this is rare, and the only other way to recover files after a ransomware attack is to restore them from a backup.
Therefore, you are advised to maintain backups on remote servers (such as Cloud) or unplugged storage devices.
How did ransomware install on my computer?
Research shows that this particular ransomware is distributed through pirated versions of popular macOS software. An example is the pirated version of Mix In Key software. EvilQuest is also distributed through a malicious, unofficial Little Snitch installer. Typically, pirated software is available for download on torrent websites and other dubious download pages.
Other popular ways that cyber criminals use to proliferate ransomware (and other malware) are via spam campaigns, Trojans, fake software updaters, and other rogue software download sources/channels or 'cracking' tools. Using spam campaigns, they send emails that contain malicious attachments or web links designed to download malicious files.
Their main goal is to deceive recipients into opening the attachment/file, which then causes installation of malicious software. Some examples of files that cyber criminals attach to their emails are malicious Microsoft Office, PDF documents, archive files (RAR, ZIP), executable files (.exe), and JavaScript files. Trojans are malicious programs that can cause damage simply by installing other malware - after installation they cause chain infections.
Fake (unofficial) software updaters install malicious programs rather than the updates fixes, or by exploiting bugs/flaws of outdated software that is installed on the computer. Examples of dubious file/software download channels are Peer-to-Peer networks (eMule) free file hosting websites, freeware download pages, third party downloaders, and other sources of this type.
Generally, malicious files are disguised as regular and harmless. When users download and execute them, they infect their computers with malware. Software 'cracking' tools supposedly help users to bypass activation of licensed software (activate it free of charge), however, they simply install malicious software (such as ransomware) instead.
How to avoid installation of malware
You are strongly advised not to trust irrelevant emails that are received from unknown, suspicious addresses. If they contain attachments (or web links), they should never be opened. Note that emails sent by cyber criminals are often disguised as important, official, and legitimate.
Update and activate installed software only with implemented functions or tools from official software developers. Unofficial activators and updaters infect computers with malware. Furthermore, the use of 'cracking' tools is illegal when activating any licensed software.
Download files and programs only from official websites. Third party downloaders (and installers), unofficial pages, and Peer-to-Peer networks should not be trusted. Regularly scan the computer with a reputable anti-spyware or antivirus suite, and keep this software up to date.
If your computer is already infected with PUAs, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate them.
Text in a pop-up window:
Your files are encrypted
Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted.
Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.
We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees.
Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop
Screenshot of "READ_ME_NOW.txt" ransom message:
Text in this message:
YOUR IMPORTANT FILES ARE ENCRYPTED
Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service.
We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don't believe this statement).
Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there's a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included.
In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever.
Payment has to be deposited in Bitcoin based on Bitcoin/USD exchange rate at the moment of payment. The address you have to make payment is:13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7
Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored.
THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE
Screenshot of files encrypted by EvilQuest:
Malicious installer designed to install EvilQuest:
List of files related to this installer:
- ~/Library/mixednkey/toolroomd
- ~/Library/AppQuest/com.apple.questd
- ~/Library/LaunchAgents/com.apple.questd.plist
Bear in mind that downloading software from dubious Torrent sites (such as ThePirateBay) is likely to lead to system infections:
Update 8 July 2020 - Cybersecurity company SentinelOne has recently released a decryption tool designed to restore data encrypted by EvilQuest (ThiefQuest) ransomware and, therefore, victims can easily restore their data without paying. You can download the tool and find its manual on SentinelOne's GitHub web page.
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner for Mac
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Combo Cleaner. Limited seven days free trial available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com read more.
Quick menu:
- What is "EvilQuest"?
- STEP 1. Remove PUA related files and folders from OSX.
- STEP 2. Remove rogue extensions from Safari.
- STEP 3. Remove rogue add-ons from Google Chrome.
- STEP 4. Remove potentially unwanted plug-ins from Mozilla Firefox.
Video showing how to remove adware and browser hijackers from a Mac computer:
Potentially unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX","NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Remove adware-related files and folders
Click the Finder icon, from the menu bar. Choose Go, and click Go to Folder...
Check for adware generated files in the /Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: /Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the ~/Library/Application Support/ folder:
In the Go to Folder... bar, type: ~/Library/Application Support/
In the "Application Support" folder, look for any recently-added suspicious folders. For example, "MplayerX" or "NicePlayer", and move these folders to the Trash.
Check for adware generated files in the ~/Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: ~/Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the /Library/LaunchDaemons/ folder:
In the "Go to Folder..." bar, type: /Library/LaunchDaemons/
In the "LaunchDaemons" folder, look for recently-added suspicious files. For example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
Scan your Mac with Combo Cleaner:
If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it HERE. After downloading the file, double click combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Remove malicious extensions from Internet browsers
Remove malicious Safari extensions:
Open the Safari browser, from the menu bar, select "Safari" and click "Preferences...".
In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious extensions from Google Chrome:
Click the Chrome menu icon 
(at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Remove malicious extensions from Mozilla Firefox:
Click the Firefox menu 
(at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
Outstanding!
▼ Show Discussion