This story is over 5 years old.

We Now Have Proof that Macs Can Get Ransomware

A security researcher has developed the first proof-of-concept of Mac OS X ransomware.
November 10, 2015, 1:50pm
Image: Shutterstock

Ransomware, the devilish family of malware that locks down a victim's files until he or she coughs up a hefty bounty, may soon be coming to Mac.

Last week, a Brazilian security researcher produced a proof-of-concept for what appears to be the first ransomware to target Mac operating systems (Mac OS X). On Monday, cybersecurity company Symantec verified the researcher's findings.

"Mabouia is the first case of file-based crypto ransomware for OS X, albeit a proof-of-concept," Symantec wrote in a blog post.


"It's simple code, I did it in two days," Rafael Salema Marques, the creator of the malware dubbed "Mabouia," told Motherboard in a phone interview.

It's important to note that Mabouia is not actually affecting machines. Instead, Marques wrote the code and made a demonstration video to raise awareness of the looming threat of Mac ransomware.

"The point was to warn people. Mac malware is a reality," he said. Indeed, the oft-repeated phrase "Macs don't get viruses!", a commonly held belief because the systems aren't vulnerable to the myriad of Windows-focused malware, has over the years become the butt of some computing jokes.

In reality, 2015 has seen the most Mac-focused malware yet of any year, according to a report from security companies Bit9 and Carbon Black, although many of those seemed to be fairly benign. Researchers at MalwareBytes did discover a piece of malware that targeted users of Mac OS X's Safari web browser, but it didn't actually encrypt files stored on the system: instead, it created annoying pop-ups, demanding a user pay to have them removed.

These developments, and the creation of Marques' ransomware, should shatter the image that Macs are immune to malware.

Mabouia works like most other ransomware. Once a victim's computer is infected, their files are cryptographically sealed, and the victim is given a unique identification code. Files are decrypted by logging onto the hacker's website, entering the code, and then sending the hacker a fee. In the case of Mabouia, the deadline for payment is set at 72 hours; if a victim doesn't pay before then, the encryption key for the files is destroyed, meaning they are likely lost forever.


A website for Mabouia warns that, "Even if you remove the malware from your MAC, your files will remain encrypted… So think again before doing silly actions."

Marques has also laid out several different payment tiers that a real cybercriminal might ask for to unlock files sealed by the ransomware: $50 allows a victim to recover 20 files, $70 turns that up to 100 files, and finally the "VIP Plan" decrypts all of the affected files for $100.

"They have money, because [Mac] is an expensive thing," Marques said, referring to Mac users.

Marques told Motherboard he contacted Apple about his malware, but did not receive a response. Apple did not immediately respond to Motherboard's request for comment.

It's clear that a gap in the market for Mac OS X ransomware exists for cybercriminals to fill. Who will be the first to seize that opportunity to target the estimated 60 million OS X users remains to be seen.

UPDATE, 11/10/2015, 10:21 AM ET: It turns out this might not actually be the first example of Mac OS X ransomware. After the publication of this piece, researchers pointed Motherboard to a proof-of-concept developed by Pedro Vilaça, a researcher who specializes in reverse engineering OS X malware. Two months ago, Vilaça published a proof of concept code for a Mac OS X ransomware that lacked a graphic user interface. Vilaça published it on his GitHub page with the goal of proving that it was possible to develop ransomware for OS X, but he didn't want to make a fully functional version to avoid others abusing it, he told Motherboard.