Security researchers are currently scrutinizing recently uncovered samples of Mac ransomware associated with the notorious LockBit gang. This marks the first instance of a prominent ransomware group exploring the creation of malware for macOS.
Ransomware poses a widespread threat, but historically, attackers have not invested effort in developing malware for Macs. This is mainly due to the lower prevalence of Apple computers compared to Windows, Linux, and other operating systems. However, sporadic instances of experimental Mac ransomware have emerged over the years, hinting at the possibility of an escalating risk.
The ransomware encryptor samples were surfaced by MalwareHunterTeam; they had been uploaded to the malware analysis repository VirusTotal in November and December 2022 but went unnoticed until recently. LockBit appears to have built versions of the encryptor both for newer Macs with Apple processors and for older Macs with Apple’s PowerPC chips.
Researchers emphasize that the LockBit Mac ransomware seems to be more of an initial exploration rather than a fully functional threat. Nevertheless, this tinkering may indicate future intentions, particularly given the increasing use of Macs in businesses and institutions, making them attractive targets for ransomware attackers.
Patrick Wardle, a seasoned Mac security researcher and founder of the Objective-See Foundation, commented, “It’s unsurprising but concerning that a large and successful ransomware group has now set their sights on macOS. It would be naive to assume that LockBit won’t improve and iterate on this ransomware, potentially creating a more effective and destructive version.”
Apple has chosen not to comment on these findings.
LockBit is a ransomware gang based in Russia that emerged in late 2019. The group is notorious for its high number of attacks and its relatively organized and less flamboyant approach compared to some of its cybercriminal peers. However, LockBit is not immune to public attention and aggression. Recently, it garnered significant attention by targeting the United Kingdom’s Royal Mail and a Canadian children’s hospital.
For now, Wardle notes, LockBit’s macOS encryptors are at a very early stage and have fundamental development problems, such as crashing on launch. To build effective attack tools, LockBit would need to find ways around macOS protections, including the validity checks that Apple has added in recent years for new software running on Macs.
Wardle explains, “In some sense, Apple is ahead of the threat, as recent versions of macOS include built-in security mechanisms designed to directly thwart or at least reduce the impact of ransomware attacks. However, well-funded ransomware groups will continue to evolve their malicious creations.”
While developing Mac ransomware may not be the top priority for every attacker, the landscape is evolving. With law enforcement worldwide intensifying efforts to combat ransomware and victims gaining access to resources to avoid paying ransoms, ransomware groups are becoming more desperate to develop new and refined strategies to secure payments.
Thomas Reed, the director of Mac and mobile platforms at antivirus maker Malwarebytes, remarks, “The LockBit encryptor doesn’t appear particularly viable in its current form, but I’ll definitely keep an eye on it. Its viability may improve in the future, or it may not, depending on the success of their tests.”
Nonetheless, for ransomware actors seeking maximum revenue, Macs present an enticing, untapped opportunity.