Security researchers are examining newly discovered Mac ransomware samples from the notorious LockBit gang, marking the first known example of a prominent ransomware group tinkering with macOS versions of its malware.
Ransomware is a ubiquitous threat, but attackers typically don’t bother creating versions of their malware to target Macs. That’s because Apple computers, while popular, are much less prevalent than those running Windows, Linux and other operating systems. Over the years, however, seemingly experimental Mac ransomware samples have surfaced a couple of times, creating the feeling that the risk could escalate at any time.
Detected by MalwareHunterTeam, the ransomware samples appear to have first appeared in the VirusTotal malware analysis repository in November and December 2022, but went unnoticed until yesterday. LockBit appears to have created both a version of the encryptor aimed at newer Macs running Apple processors and older Macs running on Apple’s PowerPC chips.
Researchers say LockBit Mac ransomware appears to be more of a first foray than anything fully functional out of the box. But the tweaks could indicate future plans, especially as more companies and institutions have been onboarding Macs, which could make it more attractive for ransomware attackers to invest time and resources so they can target Apple computers.
“It’s not surprising, but it’s concerning that a large and successful ransomware group has now set its sights on macOS,” says Patrick Wardle, longtime Mac security researcher and founder of the Objective-See Foundation. “It would be naive to assume that LockBit will not improve or repeat this ransomware, potentially creating a more effective and destructive version.”
Apple declined to comment on the findings.
LockBit is a Russia-based ransomware gang that emerged in late 2019. The group is best known for its high volume of attacks and for appearing well-organized, less flashy and more understated than some of its peers in the cybercrime landscape. But LockBit is not immune to arrogance and public aggression. In particular, it has drawn significant attention to itself in recent months for targeting the UK's Royal Mail and a Canadian children’s hospital.
For now, Wardle points out that LockBit’s macOS encryptors appear to be in a very early stage and still have fundamental development issues, like crashing on launch. And to create truly effective attack tools, LockBit will need to figure out how to bypass macOS protections, including sanity checks that Apple has added in recent years for running new software on Macs.
“In a sense, Apple is ahead of the threat, as recent versions of macOS ship with a myriad of built-in security mechanisms intended to directly thwart, or at least reduce the impact of ransomware attacks,” Wardle says. “However, well-funded ransomware groups will continue to develop their malicious creations.”
Developing Mac ransomware may not be the top priority on every attacker’s to-do list, but the field is changing. As law enforcement around the world pushes to counter attacks, and victims have more and more information and resources available to avoid paying, ransomware gangs are more and more desperate for new or refined strategies that help them get paid.
“The LockBit encryptor doesn’t seem particularly viable in its current form, but I’ll definitely be keeping an eye on it,” says Thomas Reed, director of Mac and mobile platforms at antivirus maker Malwarebytes. “Viability may improve in the future. Or maybe not, if your tests aren’t promising.”
Still, for ransomware actors looking to generate as much revenue as possible, Macs are a potentially attractive uncultivated field.