Security researchers find LockBit ransomware can target macOS devices


MalwareHunterTeam, a cybersecurity researcher, discovered a ransomware encryptor targeting macOS devices created by the LockBit gang. The notorious gang has a history of using encryptors designed for attacks on Windows, Linux and VMware ESXi servers. This is the first time they have created an encryptor specifically targeted at macOS, and MalwareHunterTeam found it in a ZIP archive on VirusTotal.

The archive contained previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs. One encryptor, named ‘locker_Apple_M1_64’, targets the newer Macs running on Apple Silicon. Lockers for PowerPC CPUs, which older Macs use, were also found in the archive. Florian Roth, a cybersecurity researcher, found an Apple M1 encryptor uploaded to VirusTotal in December 2022, indicating that these samples have been floating around for some time.

Further research and analysis by BleepingComputer and Cisco Talos confirm that most of the strings in the LockBit encryptor for Apple M1 are out of place in a macOS encryptor, suggesting that the build could be meant as a test and was never intended for deployment in live cyberattacks. They agreed that almost all of the ESXi and Windows strings are also present in the MIPS and FreeBSD encryptors, indicating that they use a shared codebase.

Patrick Wardle, a macOS cybersecurity expert, stated that the encryptor is far from complete, as it is missing the required functionality to encrypt Macs properly. He believed that the macOS encryptor is based on the Linux version and compiled for macOS with some basic configuration settings.

The good news is that these encryptors are likely not ready for deployment in an actual attack against macOS devices. The bad news is that, while Windows has been the most targeted operating system in ransomware attacks, nothing prevents developers from creating ransomware that targets Macs. The LockBit gang's operation is notably one of the sophisticated ransomware operations.

A recent update by the public-facing representative of LockBit, known as LockBitSupp, reveals that the Mac encryptor is actively being developed. While it's not clear how far the development has progressed, security experts advised computer users, including Mac owners, to practise good online safety habits, including keeping the operating system updated, avoiding opening unknown attachments, generating offline backups, and using strong and unique passwords at every site they visit.