Researchers at security giant Symantec have released details on what they say is confirmation that the proof-of-concept (PoC) threat known as Mabouia could be used to create functional OS X crypto ransomware.
Detected by Symantec as OSX.Ransomcrypt, Mabouia was developed by Brazilian cybersecurity researcher Rafael Salema Marques, who wrote the PoC malware to highlight the fact that Macs may not be immune to the threat of ransomware. It works by encrypting files on the infected computer and sending the encryption key to a command-and-control (C&C) server. The malware displays payment instructions on the infected computer, including a unique ID the victim would need to use to retrieve a decryption key. This key can potentially be sent to the victim upon payment of a ransom.
Because it’s a proof of concept, Mabouia only encrypts files saved in a directory called “ransom”. Most Mac users will not have a directory with this name on their computer. Marques went on to share a sample of the ransomware with Apple and Symantec with the latter’s analysis confirming that the PoC is functional. Marques said he has no intention of publicly releasing the malware.
Symantec believes that Mabouia is the first case of file-based crypto ransomware for OS X, albeit a proof-of-concept, even though Macs have nevertheless already been targeted by ransomware in the form of browser-based threats.