Mabouia Ransomware POC for OS X
Mabouia Ransomware POC for OS X

The rising cybersecurity threat to Mac users has taken another turn as Symantec published details of a ransomware proof-of-concept (POC) attack on OS X.

Rafael Salema Marques
Rafael Salema Marques

The Mabouia ransomware has been developed by Brazilian cybersecurity researcher Rafael Salema Marques. The goal was to show that Mac users are not immune to the threat of ransomware attacks. The code has been shared with both Symantec and Apple although the release does not say when. However, as this was a POC attack, it is likely that this happened a while back and Apple has now released a patch. We did ask Apple for a comment but have had no response so far.

Mabouia not doing anything different

The surprise with Mabouia is that is it not doing anything different to any other ransomware attack. It simply encrypts the files on the computer and sends the key to a Command and Control (C&C) server. The user gets payment instructions on the screen along with a unique ID that will help get the decryption key. Once the victim pays they get access to their files.

This is not the first attempt to use ransomware against OS X. In 2013, Malwarebytes researchers disclosed details of an browser-based attack. Users visiting an infected website were served up JavaScript that told the users their browser had been locked by the FBI. What is different here is that Mabouia is a file-based attack and therefore far more dangerous.

A YouTube video showing the attack can be found online which also points the user to a site for Rafael. Unfortunately there is no more technical details about how to detect Mabouia on his site which is disappointing.

Apple doing a good job of protecting users

Apple has worked harder than any other vendor to make it difficult for malware writers to attack its devices. Recently Apple users have seen a significant increase in the number of attacks on their devices. It must be kept in mind however, that a significant increase that is coming from a very small number of existing proven attacks still leaves Apple users far better off than Windows, Linux and Android users.

Recently Next-Generation Antivirus Technology (NGAV) Cylance talked about the challenges involved in writing security software for Apple devices. They already cover OS X but when Nick Warner, VP of Global Sales, Cylance was asked about protecting iOS he said: “We have no immediate plans for iOS. This is driven by the architecture of iOS itself. It is not possible to have a meaningful product that can sit at the level required to do prevention and detection.”

Despite this, there are vendors claiming to have Anti-Virus products for iOS, including Symantec, although Warner believes that they are nowhere near as effective as vendors would like users to believe.

Cyber-attackers always follow the money

Another reason for the limited attacks on Apple has been the lack of basic malware kits on the dark web. The vast majority of attacks are not carefully crafted by highly skilled attackers they are assembled by people with limited coding skills who buy malware kits. With Windows and Android seen as easy targets and with a lot of tools available, cyber-attackers have concentrated on where it requires the least effort to make money.

Mabouia shows that this could change. It would be interesting to know how much effort it would require for an attacker to replicate Marques’ code. There is no doubt that any kit built off of that would have a high sale price and a high take up. Apple users are seen as being more affluent as has been seen by online sales sites who have admitted to charging Apple users more for product than Windows users.

Following this logic, the unlock code would inevitably be a higher price than that for Windows. Should a kit become available then there would be a substantial increase in the number of attacks Apple users would begin to experience.


This is a welcome wake-up call for many. Most Apple users have little to no security protection on their devices, relying instead on Apple’s coding quality to protect them. In a world where cyber-attackers are always looking for the weak link, it won’t be long before the increase in attacks against Apple devices begins to represent a realistic threat for many users.

While some will feel that Marques going public on his work is unreasonable, he has at least done so ethically. He could have chosen to sell it on and make a considerable amount of money. While Apple has chosen not to respond to our requests as to the likelihood of seeing an attack like this in the wild, Symantec has.

Their Symantec Security Response team sent us the following comment:

“Macs have so far remained out of harm’s way when it comes to file-encrypting ransomware but it’s likely that will change. We know that cybercriminals are nothing if not resourceful, so it will only be a matter of time before we see someone looking to take advantage of this type of vulnerability. The easy money to be made through ransomware will motivate many. Windows users have traditionally been key targets due to the sheer volume of devices in the market, but as the number of Macs continues to grow, no doubt ransomware authors will begin to take notice.”


Please enter your comment!
Please enter your name here