Remove EvilQuest Mac Ransomware And Recover Encrypted Files

Tips To Delete EvilQuest Mac Ransomware From PC

EvilQuest Mac Ransomware is a highly dangerous file-encrypting malware that is targeting Mac computers in the wild. Con artists developed this threat with the sole motive of encrypting users’ crucial files and data and extorting a huge amount of illicit revenue from them. Like other crypto-viruses, it first enters the targeted device by stealth and then makes critical changes in registry settings so that it is activated automatically every time the machine is started. Besides locking users’ essential files, it conducts many other malicious activities on the affected PCs, which we discuss later in this article.

In-Depth Analysis of EvilQuest Mac Ransomware:

EvilQuest Mac Ransomware was first spotted by security expert Dinesh_Devadoss and mainly targets Mac users. It uses very strong cryptography to lock the targeted data and make it completely inaccessible. Unlike other ransomware programs, which rename compromised files after encrypting them by appending a specific extension, this particular virus leaves the file names unchanged. It is capable of infecting files of various types, including images, videos, audio, documents, PDFs and spreadsheets, and making them totally useless. Moreover, this malware is able to detect whether certain files are kept on a system. It also acts as a keylogger and receives commands from a Command & Control server.

Following successful encryption, EvilQuest Mac Ransomware leaves a ransom note named “READ_ME_NOW.txt” in each folder that contains the infected data and also displays a pop-up window. These notes inform the affected people about the attack and also offer the file-recovery application. Victims are asked to buy the decryption tool from the attackers, which costs $50. The payment has to be made in Bitcoin and transferred to the crooks’ BTC wallet address. The payment has to be made within 72 hours; after that, the note claims, decryption will be impossible. Victims are promised that once the transfer is done, the encrypted data will be unlocked within 2 hours.

Text Presented In The Pop-up Window:

Your files are encrypted

Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted.

Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees.

Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file:  READ_ME_NOW.txt  located on your Desktop

Text Presented in “READ_ME_NOW.txt” File:

YOUR IMPORTANT FILES ARE ENCRYPTED

Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service.

We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don’t believe this statement).

Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there’s a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included.

In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever.

Payment has to be deposited in Bitcoin based on Bitcoin/USD exchange rate at the moment of payment. The address you have to make payment is:

                    13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7

Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored.

THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE

Should You Pay The Ransom?

EvilQuest Mac Ransomware leaves you no option other than dealing with the criminals, but we still strongly advise against doing so. Keep in mind that the only purpose of such hackers is to extort illicit revenue from their victims; you have absolutely no guarantee that they will deliver the required tool even after taking the ransom. According to reports, such criminals generally ignore the victims once the transaction is done, causing them to lose both their files and their money. Additionally, even if they deliver a tool that works, the malware will remain on the PC and can strike again. Hence, never make any sort of payment to the hackers under any circumstances, and remove EvilQuest Mac Ransomware from the computer as soon as possible.

How To Recover The Infected Data?

This ransomware has been observed to delete the shadow volume copies (temporary backups made by the OS itself) of the compromised files, which makes the data recovery process even more complex. To recover, you can use a backup made on an external drive or, in its absence, try a strong file-recovery application that you can download via the link provided under this article. Moreover, experts strongly recommend making regular backups, with which you can easily recover the compromised data if such a situation ever occurs.

Ways To Spread EvilQuest Mac Ransomware:

There are various deceptive tactics through which such ransomware programs sneak into targeted PCs, but the most common one is a spam email campaign. You often receive emails from unknown senders that are presented as ‘important’ or ‘vital’ but include malevolent attachments or website links that are designed to download harmful files. Such attachments are generally MS Office documents, archive files like ZIP and RAR, executable files like .exe, JavaScript files and so on. Once you click on the mail and open those attachments, it leads to the malware intrusion. Therefore, it is necessary to ignore suspicious mails coming from unknown sources, as you never know what they contain.

Quick Glance

Name: EvilQuest Mac Ransomware

Type: Mac virus, Ransomware, Crypto-virus

Description: Dangerous malware which encrypts users’ crucial files and then asks them to pay the criminals a ransom to get the decryption key/tool.

Ransom demanding message: “READ_ME_NOW.txt”, pop-up window

Bitcoin Wallet Address: 13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7

Symptoms: Users cannot open files available on their desktop, previously functional files now have different extensions, and a ransom-demanding message is displayed on the desktop screen. Users are asked to pay a ransom to unlock their encoded data and files.

Distribution methods: Spam emails, Torrent websites, peer to peer network sharing, unofficial activation and updating tools.

Damage: All files are encrypted and cannot be accessed without paying the ransom. Additional password-stealing Trojans and other malware infections can be installed along with the ransomware.

Removal: To remove this virus from the system, we advise you to use a reliable anti-malware tool. Once malware gets removed, you can recover your files by using existing backup or data-recovery software.

Other Common Symptoms of EvilQuest Mac Ransomware:

EvilQuest Mac Ransomware can also be responsible for the penetration of many other hazardous threats, such as adware, rootkits, Trojans, worms and spyware, since it has the ability to disable running security tools and open backdoors for them. Apart from locking your essential data, it also creates tons of junk files on the hard drive of your system, which consume an enormous amount of memory resources and severely drag down overall PC performance. This malware damages important system files that are necessary for smooth computer functioning and prevents many installed apps as well as drivers from working properly. Therefore, to prevent all these hazards, you are strongly recommended to remove EvilQuest Mac Ransomware from the device without wasting any time.

Special Offer (For Macintosh)

EvilQuest Mac Ransomware can be a creepy computer infection that may regain its presence again and again, as it keeps its files hidden on computers. To accomplish a hassle-free removal of this malware, we suggest you try a powerful anti-malware scanner to help you get rid of this virus.

The free “Combo Cleaner” scanner only scans for and detects threats present on the computer. If you intend to remove detected threats instantly, you will have to buy its licensed version.

Remove Files and Folders Related to EvilQuest Mac Ransomware

Open the “Menu” bar and click the “Finder” icon. Select “Go” and click on “Go to Folder…”

Step 1: Search for suspicious malware-generated files in the /Library/LaunchAgents folder

Type /Library/LaunchAgents in the “Go to Folder” option

In the “LaunchAgents” folder, search for all the files that you have recently downloaded and move them to “Trash”. A few examples of files created by browser hijackers or adware are “myppes.download.plist”, “mykotlerino.Itvbit.plist”, “installmac.AppRemoval.plist”, “kuklorest.update.plist” and so on.

Step 2: Detect and remove the files generated by the adware in the “/Library/Application Support” folder

In the “Go to Folder…” bar, type “/Library/Application Support”

Search for any suspicious newly added folders in “Application Support” folder. If you detect any one of these like “NicePlayer” or “MPlayerX” then send them to “Trash” folder.

Step 3: Look for the files generated by malware in the /Library/LaunchAgents folder:

Go to Folder bar and type /Library/LaunchAgents

You are in the “LaunchAgents” folder. Here, you have to search for all the newly added files and move them to “Trash” if you find them suspicious. Some of the examples of suspicious files generated by malware are “myppes.download.plist”, “installmac.AppRemoved.plist”, “kuklorest.update.plist”, “mykotlerino.ltvbit.plist” and so on.

Step 4: Go to the /Library/LaunchDaemons folder and search for the files created by malware

Type /Library/LaunchDaemons in the “Go To Folder” option

In the newly opened “LaunchDaemons” folder, search for any recently added suspicious files and move them to “Trash”. Examples of some of the suspicious files are “com.kuklorest.net-preferences.plist”, “com.avickUpd.plist”, “com.myppes.net-preference.plist”, “com.aoudad.net-preferences.plist” and so on.
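
The checks in Steps 1 to 4 can also be run from Terminal. The script below is an added example, not part of the original guide: it only lists items and deletes nothing. The function names, the `ROOT` test prefix and the 7-day window are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: read-only triage for the folders named in Steps 1 to 4.
# Nothing is deleted; review the output before moving anything to Trash.

# List launch plists and Application Support folders changed in the last DAYS days.
# ROOT is a hypothetical prefix for checking a copy of the disk (default: live system).
recent_persistence_items() {
    days=$1
    root=${2:-}
    for dir in "$root/Library/LaunchAgents" "$root/Library/LaunchDaemons"; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -type f -name '*.plist' -mtime "-$days" -print
    done
    support="$root/Library/Application Support"
    if [ -d "$support" ]; then
        find "$support" -mindepth 1 -maxdepth 1 -type d -mtime "-$days" -print
    fi
}

# List the folders that contain the ransom note named on this page.
folders_with_ransom_note() {
    find "$1" -type f -name 'READ_ME_NOW.txt' -print 2>/dev/null |
        while IFS= read -r note; do dirname "$note"; done | sort -u
}

# Show what a launch plist actually runs (macOS only; plutil ships with the OS).
show_plist() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -p "$1"
    else
        echo "plutil not available; inspect $1 manually" >&2
    fi
}

# Example run: items changed in the last 7 days, then affected folders under $HOME.
if [ "${1:-}" = "--run" ]; then
    recent_persistence_items 7 | while IFS= read -r item; do
        echo "REVIEW: $item"
        case $item in *.plist) show_plist "$item" ;; esac
    done
    folders_with_ransom_note "$HOME"
fi
```

Judging a plist by the program it launches, as `show_plist` prints, is more reliable than matching the example file names above, since those names vary between infections.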

Step 5: Use Combo Cleaner Anti-Malware and Scan your Mac PC

The malware infections could be removed from the Mac PC if you execute all the steps mentioned above in the correct way. However, it is always advised to be sure that your PC is not infected. It is suggested to scan the work-station with “Combo Cleaner Anti-virus”.

Once the file is downloaded, double-click the combocleaner.dmg installer in the newly opened window. Next, open the “Launchpad” and click the “Combo Cleaner” icon. It is advised to wait until “Combo Cleaner” updates to the latest definitions for malware detection. Then click the “Start Combo Scan” button.

An in-depth scan of your Mac PC will be executed in order to detect malware. If the anti-virus scan report says “no threat found”, you can continue with the guide. Otherwise, it is recommended to delete the detected malware infection before continuing.

Now that the files and folders created by the adware are removed, you have to remove the rogue extensions from the browsers.

Remove EvilQuest Mac Ransomware from Internet Browsers

Delete Doubtful and Malicious Extension from Safari

Go to “Menu Bar” and open “Safari” browser. Select “Safari” and then “Preferences”

In the opened “Preferences” window, select “Extensions” and look for extensions that you have recently installed. Click the “Uninstall” button next to each such extension. If you are doubtful, you can remove all the extensions from the “Safari” browser, as none of them is important for the smooth functioning of the browser.

If you continue to face unwanted webpage redirections or aggressive advertisements, you can reset the “Safari” browser.

“Reset Safari”

Open the Safari menu and choose “preferences…” from the drop-down menu.

Go to the “Extension” tab and set the extension slider to “Off” position. This disables all the installed extensions in the Safari browser

Next step is to check the homepage. Go to “Preferences…” option and choose “General” tab. Change the homepage to your preferred URL.

Also check the default search-engine provider settings. Go to “Preferences…” window and select the “Search” tab and select the search-engine provider that you want such as “Google”.

Next, clear the Safari browser cache: go to the “Preferences…” window, select the “Advanced” tab and click on “Show Develop menu in the menu bar”.

Go to “Develop” menu and select “Empty Caches”.

Remove website data and browsing history. Go to “Safari” menu and select “Clear History and Website Data”. Choose “all history” and then click on “Clear History”.

Remove Unwanted and Malicious Plug-ins from Mozilla Firefox

Delete EvilQuest Mac Ransomware add-ons from Mozilla Firefox

Open the Mozilla Firefox browser. Click on the “Open Menu” button in the top right corner of the screen. From the newly opened menu, choose “Add-ons”.

Go to the “Extensions” option and identify all the recently installed add-ons. Select each of the suspicious add-ons and click on the “Remove” button next to it.

If you want to “reset” the Mozilla Firefox browser, follow the steps mentioned below.

Reset Mozilla Firefox Settings

Open the Mozilla Firefox browser and click on the “Firefox” button situated at the top left corner of the screen.

In the new menu, go to “Help” sub-menu and choose “Troubleshooting Information”

In the “Troubleshooting Information” page, click on “Reset Firefox” button.

Confirm that you want to reset the Mozilla Firefox settings to default by pressing on “Reset Firefox” option

The browser will restart and the settings will change to the factory defaults

Delete Unwanted and Malicious Extensions from Google Chrome

Open the Chrome browser and click on the “Chrome menu”. From the drop-down options, choose “More Tools” and then “Extensions”.

In the “Extensions” option, search for all the recently installed add-ons and extensions. Select them and choose “Trash” button. Any third-party extension is not important for the smooth functionality of the browser.

Reset Google Chrome Settings

Open the browser and click on the three-line bar at the top right corner of the window.

Go to the bottom of the newly opened window and select “Show advanced settings”.

In the newly opened window, scroll down to the bottom and choose “Reset browser settings”

Click on the “Reset” button on the opened “Reset browser settings” window

Restart the browser and the changes will be applied

The manual process described above should be executed exactly as written. It is a cumbersome process and requires a lot of technical expertise, and hence it is advised for technical experts only. To be sure that your PC is free from malware, it is better to scan the workstation with a powerful anti-malware tool. The automatic malware removal application is preferred because it doesn’t require any additional technical skills or expertise.

Download the application and run it on the PC to begin the in-depth scan. Once the scan is complete, it shows the list of all the files related to EvilQuest Mac Ransomware. You can select such harmful files and folders and remove them immediately.