Quick Q&A with the Author of Mabouia, First Mac OS X Ransomware

Share this…

Rafael Salema Marques is a Brazilian cyber-security researcher and, above all, a devoted Mac user. Today, Mr. Marques published a LinkedIn blog post and proof-of-concept video on YouTube, detailing a fully functional Mac OS X ransomware piece that works just like its more dangerous Windows counterparts.

But don’t panic, Mr. Marques did not release his ransomware out on the Internet, nor does he plan to. For now, it’s safely stored on his computer, and the only proof it exists is a YouTube video embedded at the end of this article.

When we saw his video, we contacted Mr. Marques and asked him to answer some of our and yours most pressing questions.

Why did you develop it?

RSM: I’m a cyber-security researcher and Mac user. I did it to alert the 66 million users of Mac OS X about the myth that there is no malware aimed at Apple’s personal computers.

Most security researchers who do this kind of “research malware” usually open-source their work. Why didn’t you?

RSM: It’s a simple code, nothing special at all… Furthermore, ransomware malicious code is simple in its essence. Lists files, encrypts them, and at the end sends a key to the C&C server. Simple as that.

I did not release the code because it can be used to create production ransomware by skiddies, and this wasn’t the purpose of the code.

Does Mabouia have any weak points? If it ever infected your computer, are you scared of not being able to recover your own data?

RSM: I developed it in a secure environment, so if all goes wrong, no problem at all. I used an XTEA algorithm with 32 rounds to encrypt the files. I believe that an ordinary user would have a hard time breaking this encryption today. If I accidentally run the malware and lost the key, probably, I will not rescue my files.

Has an Apple representative contacted you and asked for more details on your work?

RSM: They’ve contacted me informally on Twitter. Anyway, I sent the sample to Apple’s Mac Threat Research Team.

Any advice for regular users regarding ransomware?

RSM: The best way to prevent ransomware IMHO is to make regular backups.

While browser-based ransomware has hit Apple users in the past, as Kaspersky andMalwarebytes have previously reported, Mr. Marques’ Mabouia (tropical house gecko) is the first-ever ransomware strain targeting Mac users alone.

There’s also this fake Web page, where Mabouia’s fictitious users can go and pay the ransom.