Analysis by Symantec has confirmed that the proof-of-concept (PoC) threat known as Mabouia works as described and could be used to create functional OS X crypto ransomware if it fell into the wrong hands.
Mabouia (detected by Symantec as OSX.Ransomcrypt) was developed by Brazilian cybersecurity researcher Rafael Salema Marques, who wrote the PoC malware to highlight the fact that Macs may not be immune to the threat of ransomware.
Marques shared a sample of the ransomware with Symantec and Apple. Symantec’s analysis has confirmed that the PoC is functional. Marques said he has no intention of publicly releasing the malware.
Mabouia follows the tried-and-tested model used by many ransomware variants: it encrypts files on the infected computer and sends the encryption key to a command-and-control (C&C) server. The malware then displays payment instructions on the infected computer, including a unique ID that the victim would need to quote in order to retrieve a decryption key. This key can potentially be sent to the victim upon payment of a ransom.
In the case of Mabouia, because it’s a proof of concept, it only encrypts files saved in a directory called “ransom”. Most Mac users will not have a directory with this name on their computer.
Norton Security, Symantec Endpoint Protection, and other Symantec security products detect this threat as OSX.Ransomcrypt.