How Can Ransomware Steal Data from Mac Storage Drive?

Macs are relatively well protected against viruses and malware thanks to macOS security features such as Gatekeeper and File Quarantine, which help keep such threats off your system. Still, it is wise to take preemptive measures so that your Mac does not get infected in the first place.

In July 2020, a new ransomware strain named ThiefQuest was found embedded in Little Snitch and other Mac software distributed on the Russian torrent forum Runtracker. It could steal specific file types from an infected Mac before encrypting the data on the drive. The malware displays a message demanding a ransom of $50 in bitcoin, to be paid within 72 hours (3 days) to decrypt the encrypted files; otherwise, according to the note, the files will be wiped.


As a Mac user, you will want to know more about such data-stealing ransomware and the measures you can take to avert, or recover from, a ransomware infection. Here, you'll find those questions answered.

What Is Ransomware?

Ransomware is malicious software that blocks access to the infected Mac or encrypts the files present on the Mac storage drive. To unlock the Mac or decrypt the encrypted files, the affected user is pressured into paying a ransom to the operator of the malware.

How Does ThiefQuest Ransomware Work?

When you run pirated software into which the ThiefQuest payload has been bundled alongside the legitimate application, your Mac is infected immediately. The malware downloads a text file (http://andrewka6.pythonanywhere[.]com/ret.txt) to learn the control server address and the command it should use to transfer data. It then encrypts the files on your Mac storage drive and displays the ransom note.
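Because the article names the staging host the malware contacts, a defender's first check is whether any machine on the network has resolved or fetched it. The following is an added example (not code from the article or from any vendor tool) that scans DNS and proxy log lines for that indicator; the log format and the log lines themselves are constructed for illustration, and the indicator is the one quoted above.

```python
"""Scan DNS/proxy log lines for the ThiefQuest staging host named in the article.

Added example, not from the article or any vendor product. The indicator comes from the
article; the log format and the sample log lines are constructed for this demonstration.
"""
import re

# Indicator exactly as written (defanged) in the article. The full hostname is matched:
# pythonanywhere.com is a shared hosting platform, so matching the parent domain alone
# would flag legitimate traffic.
DEFANGED_IOCS = ["andrewka6.pythonanywhere[.]com"]

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    "2020-07-01T10:00:01Z dns client=10.0.0.12 query=time.apple.com type=A",
    "2020-07-01T10:00:02Z proxy client=10.0.0.12 GET http://andrewka6.pythonanywhere.com/ret.txt 200",
    "2020-07-01T10:00:03Z dns client=10.0.0.12 query=ANDREWKA6.pythonanywhere.com type=A",
    "2020-07-01T10:00:04Z dns client=10.0.0.13 query=www.pythonanywhere.com type=A",
    "2020-07-01T10:00:05Z dns client=10.0.0.14 query=notandrewka6.pythonanywhere.com type=A",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its matchable form."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def find_ioc_hits(log_lines, defanged_iocs=DEFANGED_IOCS):
    """Return (line_number, hostname) for every log line that references an indicator host.

    Hostnames are extracted as whole tokens (from a URL or a bare host field) and compared
    case-insensitively, so 'notandrewka6.pythonanywhere.com' is not a false match.
    """
    iocs = {refang(i).lower() for i in defanged_iocs}
    host_re = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?=[/:\s]|$)", re.IGNORECASE)
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for match in host_re.finditer(line):
            host = match.group(1).lower()
            if host in iocs:
                hits.append((lineno, host))
                break   # one hit per line is enough
    return hits


if __name__ == "__main__":
    for lineno, host in find_ioc_hits(LOG_LINES):
        print(f"line {lineno}: contact with {host}")
```

A hit on the staging host tells you which client to isolate and image; it does not by itself prove the encryption stage ran, so follow it with a check of that machine's files.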

How to Avoid Ransomware Infection on Mac?

Do the following to reduce the risk of a ransomware infection on your Mac:

  • Don’t open email attachments from unknown or untrusted senders.
  • Don’t click any suspicious link in an email or pop-up window.
  • Don’t download and install pirated software on your Mac.
  • Don’t use cracks or patching tools to run unlicensed software.
  • Always download software from the official or a trusted website.
  • Follow the 3-2-1 rule: keep 3 copies of your files, store 2 on distinct media types, and keep 1 copy offsite.
  • Use drive cloning software to clone your Mac hard drive.
  • Disconnect the attached or networked backup drive once the backup is finished.
  • Use antivirus software for Mac to scan your Mac drive regularly.
  • Install a ransomware monitoring app to halt any encryption process.
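Ransomware monitoring tools rely on the fact that encrypted output is statistically indistinguishable from random bytes, so its entropy approaches 8 bits per byte, whereas documents, source code and configuration files sit far lower. The block below is an added example (not the article's or any product's code) of that check: it computes byte entropy and walks a directory tree to flag files that look encrypted, skipping formats that are legitimately high-entropy because they are compressed. The sample files it creates in a temporary directory are constructed for the demonstration.

```python
"""Flag files whose contents look encrypted, as a minimal ransomware-activity check.

Added example, not from the article or any vendor product. The threshold, the suffix
list and the sample files below are assumptions chosen for the demonstration.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Compressed formats are legitimately high-entropy; skip them to limit false positives.
COMPRESSED_SUFFIXES = {".zip", ".gz", ".jpg", ".jpeg", ".png", ".mp4", ".pdf", ".dmg"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random or encrypted data scores roughly 7.9 and above
MIN_SIZE = 256            # very small samples give noisy entropy estimates, so they are not judged


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the sample is large enough to judge and its entropy is at or above the threshold."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= threshold


def scan_tree(root: str, sample_bytes: int = 65536):
    """Return paths (relative to root, sorted) of regular files whose first sample_bytes look encrypted."""
    suspicious = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() in COMPRESSED_SUFFIXES:
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        if looks_encrypted(head):
            suspicious.append(str(path.relative_to(root)))
    return suspicious


def build_demo_tree() -> str:
    """Create a temporary directory of constructed sample files and return its path."""
    root = tempfile.mkdtemp(prefix="ransom-demo-")
    (Path(root) / "notes.txt").write_bytes(b"Quarterly report draft, revision 3.\n" * 40)
    (Path(root) / "notes.txt.enc").write_bytes(os.urandom(4096))   # stands in for an encrypted file
    (Path(root) / "photo.jpg").write_bytes(os.urandom(4096))       # compressed format, skipped
    (Path(root) / "tiny.bin").write_bytes(os.urandom(64))          # below MIN_SIZE, not judged
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for hit in scan_tree(demo):
        print("possibly encrypted:", hit)
```

Run on its own the script reports only `notes.txt.enc`. A real monitor would combine this with a rate check (many files crossing the threshold within seconds) before suspending the responsible process, since a single high-entropy file is not evidence of anything by itself.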

If your Mac is infected with ThiefQuest ransomware, don't panic and don't pay the ransom: there is no way to contact the developer to obtain a decryptor and the decryption key, so paying will not restore normal access to your Mac and its files. Instead, try the following methods to recover your data from the ransomware-infected Mac.

Remove Ransomware from Your Mac by Using Antivirus Software

If the ThiefQuest ransomware has encrypted your files, scan the Mac hard drive with antivirus software to find and delete the ransomware. You can install the antivirus software directly on the infected Mac if it is still accessible. Otherwise, use Target Disk Mode to access the infected Mac's hard drive from another Mac. Alternatively, if your Mac is out of warranty, you can remove the internal storage device, connect it as an external drive to a working Mac, and scan the drive for malware from there.

Recover Data Lost due to Ransomware by Using Time Machine

If you backed up your Mac before the ransomware affected the system and disconnected the backup medium afterwards, you can restore your files and folders from the Time Machine backup drive to your Mac storage drive. The steps are as follows:

  • Connect your Time Machine backup drive to your Mac.
  • Power on your Mac, then press and hold the Command + R keys. Release them when the Apple logo appears. Your Mac will now boot into macOS Recovery mode.
  • From the 'macOS Utilities' window, select Restore From Time Machine Backup. Click Continue.

    Figure: macOS Utilities window showing Restore From Time Machine Backup

  • Follow the on-screen instructions to restore your data to your Mac from the Time Machine backup drive.

This method is helpful if you do have a Time Machine backup. In the absence of backup, try the next data recovery technique.

Recover Ransomware Deleted Data by Using Data Recovery Software

The ransomware may write an encrypted copy of each file stored on your Mac and then delete the original, rather than overwriting the existing file in place. In that case the deleted, unencrypted originals may still be retrievable from the infected Mac. The steps are as follows:

  • Download and install Stellar Data Recovery Professional for Mac on your MacBook, iMac, or Mac mini.
  • Select the type of data that you lost from your Mac, then click Next. Select the storage drive, toggle on Deep Scan, and then click Scan.
  • Wait until the scan is over. Click the Deleted List tab. Preview the deleted files and select all those that you need to recover then click Recover.
  • Click Browse to specify a distinct save destination, preferably an external storage drive, then click Save. Wait until the save completes.
  • Go to the save location to verify the recovered data.

Conclusion

macOS has robust security features to protect your Mac from virus and malware attacks. Even so, you should take preemptive measures to prevent a ransomware infection. If your Mac files are encrypted by ransomware, immediately scan your Mac drive with antivirus software to remove the malware.

To get back files lost to encryption, use your Time Machine backup drive. If you don't have a Time Machine backup, you may try Mac data recovery software to recover the lost data from the virus-affected Mac storage drive. If antivirus software cannot remove the infection from your Mac, format the Mac, reinstall macOS, and restore your recovered data to it.



About the Author

Santosh Kumar Gupta

Data recovery expert on Mac & Windows platforms, with 10 years of experience in writing
