Will macOS protect you from ransomware like ThiefQuest?

Just a week after security researchers discovered what the macOS ransomware ThiefQuest (alias EvilQuest) does, Apple pushed an update to XProtect which detects that malware, although you won’t find that documented by Apple. What’s unfortunate is that those who most need this additional protection are also those least likely to benefit from it. Let me explain.

Like much recent malware, ThiefQuest is being distributed with ‘warez’, pirated software products delivered by BitTorrent. So far, it doesn’t appear to have been provided by any secure servers, so is most unlikely to arrive in the next app update you might obtain using Safari. As a result, ThiefQuest and its host arrive without the benefit of a quarantine flag.

Until Catalina, previous versions of macOS have only subjected quarantined items to Gatekeeper checks, and then only the first time that their software is run from the Finder (or another mechanism which invokes LaunchServices). This is diagrammed below.


If you’ve just installed the updated XProtect data and then open a BitTorrent download using Mojave’s Finder, because the download’s quarantine flag isn’t normally set by BitTorrent clients, XProtect won’t be called to check that download, and ThiefQuest will be free to attack your Mac.

Catalina works quite differently. Although the quarantine flag still initiates full first run checks, including an XProtect scan, the latter still takes place whenever you launch an app or other software, including command tools. The macOS 10.15 security system will also check notarization on most software, and if that’s absent, will warn you and refuse to open it by simple double-clicking. This new process is shown in the diagram below.


In the case that your download contains the first distributed version of ThiefQuest, XProtect should detect the malware, warn you, and refuse to open the download and its components, even in the absence of a quarantine flag. Only in Catalina, though.

There’s one further catch too: as Patrick Wardle discovered, this latest update to XProtect only detects the first version of ThiefQuest. Since that emerged at the end of June, a second version has appeared, and according to Patrick this isn’t detected yet by XProtect’s updated signature data. Apple is expected to push a further patch to XProtect’s data in the near future, so that it can detect this new variant. Whether this will continue as a game of cat and mouse remains to be seen.

Unless ThiefQuest changes its delivery vector, best protection from it is not to download any torrent. If you really have to, then the only ‘safe’ way of doing so is to run your BitTorrent client within a macOS Virtual Machine, using software such as VMware or Parallels, and to ensure that anything you download remains within that VM, and has no access to your Mac beyond it.

Best protection against malware such as ThiefQuest is provided by macOS Catalina and, in the future, Big Sur. Their changed security behaviour ensures that all apps and command tools get an XProtect scan when they’re opened, and give that protection the best chance to detect any malware. Mojave and earlier now give developers of malicious software too much freedom to exploit their weaknesses, and take over your Mac. In the case of ransomware, the consequences could be devastating.

Although there are many valuable third-party security products which can detect and block malware such as ThiefQuest, their protection against ransomware may not be as effective as you assume. For example, a software firewall such as Little Snitch doesn’t normally stop malware from being installed on your Mac, neither will it necessarily prevent ransomware from encrypting critically important files. Keeping multiple backups, including at least one set which isn’t left connected to your Mac, also doesn’t prevent a ransomware attack, but it can make recovery a great deal easier.

Additional protection against ThiefQuest is available from Patrick Wardle’s BlockBlock and RansomWhere? and from better commercial anti-malware products, but they should be seen as enhancements of effective primary protection, not crutches which let you bypass safe practice. However, research into what ThiefQuest actually does is still in progress. Thomas Reed’s latest article on the subject is recommended reading.

Malware is designed to exploit human weaknesses and older, weaker security protection. Don’t let it exploit you.


Thank you to @danielwithmusic for pointing out that Transmission, the popular BitTorrent client, has added quarantine flags to files that it downloads since 2012. However, I believe that other clients still don’t do so. You might wish to check any you use, and ensure that you don’t remove them.