EvilQuest Ransomware Decryptor for Apple macOS: SentinelOne Delivers

SentinelOne, an endpoint security provider that works with MSPs and MSSPs, has released a ransomware decryptor for EvilQuest (also known as ThiefQuest) infections in macOS environments. The company says its platform also blocks EvilQuest attacks at machine speed across its 4,000 customers.

macOS users can use the decryptor to roll back their files after an EvilQuest attack, according to SentinelOne. That recovery path also removes the pressure to pay the EvilQuest ransom.

The SentinelOne EvilQuest decryptor is now available free of charge via GitHub.

What Is EvilQuest?

EvilQuest was discovered in June 2020 by security researchers at Malwarebytes Labs. Since that time, macOS researcher Patrick Wardle has released additional details about EvilQuest and discovered several variants of the ransomware.

EvilQuest combines file encryption with data exfiltration, keylogging and other capabilities once it is running on a macOS host, according to SentinelOne. Its encryption routine uses a lookup table normally associated with the RC2 block cipher to encrypt and lock macOS user data and files.

Wardle also noted that EvilQuest may have viral capabilities: it may attempt to infect existing executables in the macOS user's home folder.

How to Combat Ransomware Attacks

The SentinelOne decryptor enables macOS users to recover data and files that were encrypted and locked during an EvilQuest attack. In addition, macOS users can take various security measures to guard against EvilQuest and other ransomware attacks, such as:

  • Leverage anti-malware and antivirus software and update it regularly.
  • Use email content scanning and filters.
  • Educate employees about ransomware attacks.




1 Comment



    I'd like to test it, but I have a PC with Windows, and I have files encrypted and the encryption extension is .maas, and any software under Windows can decrypt my files, and obviously I don't want to pay the ransom.
