LockBit ransomware may target Mac devices

The LockBit ransomware gang is targeting Mac devices with its malware. The group has an infamous track record for attacking Windows, Linux, and virtual host machines such as VMware ESXi.

LockBit ransomware for Mac payload spotted by experts

The Mac version of LockBit was spotted by the folks at MalwareHunterTeam. The archive that they analyzed contained a file that was called Locker_Apple_M1_64, which suggests that the ransomware is targeting Apple Silicon M1 systems.

The security experts investigated a sample of the malware's archive, which was uploaded to VirusTotal on March 20th of this year. The findings also revealed that a LockBit ransomware for PowerPC Macs exists. Security researcher, Florian Roth, spotted an earlier report of the malware from December 2022. Vx-underground, which hosts malware source code and samples, also confirmed that the first payload of LockBit ransomware for Mac has surfaced online. The analysts also pointed out that the Mac ransomware has actually existed for about 6 months, since November 2022.

Security researchers say that the ransomware is not ready for deployment

Numerous reports from other security researchers claim that the LockBit ransomware for Macs is likely a test version. Azim Khodjibaev of Cisco Talos stated that their research suggests that the ransomware is not ready for deployment.

Patrick Wardle, another macOS security expert, echoed the sentiment, saying that the encryptor is not in a completed form. He mentioned that the Mac malware is a basic version based on the Linux build, and doesn't run easily on macOS. In case you didn't know, ransomware tools encrypts the data on impacted computers. LockBit's current Mac version is also not capable of bypassing TCC (Transparency, Consent, and Control) in macOS. The researcher also explained in a blog post that the malware crashes due to a bug in its code. A snippet of the ransomware contained strings related to Windows artifacts, which shows that the code was originally written for Windows. Some of these strings were shared among other versions that targeted other platforms, meaning that the malware has a shared codebase. Wardle says that in its current form, the malware cannot infect macOS, and that users do not need to be worried about the safety of their Macs.

Brett Callow, a threat analyst at Emisoft, also chimed in, saying that there is no evidence to indicate that LockBit's macOS variant has been used in a cyberattack. But he acknowledged the fact that the hackers compiling a macOS version does show their intention of targeting Macs.

This was later confirmed by LockBitSupp, a representative of the ransomware gang, who told BleepingComputer that the group is indeed working on a version for Mac. So, while that may sound, there is no reason to panic right now, as the malware isn't ready yet. LockBit has offered its services to other attackers via its ransomware-as-a-service (RaaS) model, so it is possible that some cybercriminals could use it to target Mac users.

A few months ago, the LockBit ransomware gang released a free decryptor for a children’s hospital in Canada, after a "rogue member" attacked the healthcare organization. While we are talking about security stuff, a recent report by Citizen Lab and Microsoft revealed details about how a Pegasus-like spyware called Reign was used for targeted attacks on iPhones.

Advertisement