Mabouia: The first ransomware in the world targeting MAC OS X

Pierluigi Paganini November 05, 2015

Rafael Salema Marques, a Brazilian researcher, published a PoC about the existence of Mabouia ransomware, the first ransomware that targets MAC OS X.

Imagine this scenario: You received a ransom warning on your computer stating that all your personal files had been locked. In order to unlock the files, you  would have to pay $500.

This is the “modus operandi” imposed usually used by ransomware (ransom +software).

Ransomware encrypts files that are virtually impossible to decrypt with the computing means available to ordinary users. The only way to decrypt the files is paying to the malware creator to retrieve the password that unlocks the files… Which is exactly what you would do if I had not held up important files.

The definition of ransomware according to Wikipedia is as follows: “type of malware that restricts access to a computer system that it infects in some ways, and demands that the user pay a ransom to the operators of the malware to remove the restriction.” There are several actives ransomware in the world today, but no one had ever been designed to target Mac OS X until yesterday.

Mabouia ransomware

Rafael Salema Marques (@pegabizu), a Brazilian Cybersecurity Researcher, published yesterday a proof of concept about the existence of Mabouia ransomware, the first ransomware that targets MAC OS X.

The researcher’s goal is to alert the 66 million users of Mac OS X about the myth that there is no malware aimed at Apple’s personal computers.

The creator of the malicious code also mentions that Mac users are a good target for ransomware, because generally have a higher purchasing power and use the computer in a superficial way, usually by editing images and texts.

The malware name Mabouia refers to a kind of endemic lizard found on the island of Fernando de Noronha – Brazil. Is coded in C++ and uses the cryptographic algorithm XTEA with 32 rounds to encrypt the user files. Furthermore, it does not need superuser privileges for the execution of malicious code, considering that the ransomware will only modify the user’s personal files. Thus infection occurs with just one click.

In the link below you can see Mabouia ransomware in action:


About the Author Rafael Salema Marques (@pegabizu)

Rafael Salema Marques is a Brazilian Cybersecurity Researcher. He is a developer who is always seeking knowledge related to programming and Cybersecurity.

Edited by Pierluigi Paganini

(Security Affairs – Mabouia ransomware, malware)

you might also like

leave a comment