LockBit macOS ransomware strain discovered, sparks concerns over shifting tactics
Researchers noted that while this disclosure should be a cause for concern, the program is currently very buggy
The first recorded instance of LockBit targeting Mac users has been revealed in what appears to be a shifting approach by the infamous ransomware gang.
Researchers at MalwareHunterTeam uncovered a ZIP archive on VirusTotal that was found to contain encryptors for devices running macOS.
MalwareHunterTeam revealed the discovery in a series of tweets at the weekend, highlighting encryptors named ‘locker_Apple_M1_64’ alongside lockers for Linux and ARM.
This particular encryptor was found to target new versions of Mac devices currently running Apple Silicon.
The VirusTotal archive examined by researchers was also found to contain encryptors for CPUs used on older Mac devices.
In a blog post dissecting the discovery, security researcher Patrick Wardle said that the novel malware marks the first instance of a ransomware group developing a payload for Apple products.
Following a period of initial scrutiny and skepticism, vx-underground, which compiles malware source code and samples, tweeted that the LockBit macOS ransomware “is real” and that the gang had confirmed development of the strain.
The discovery highlights a potential shift in approach by LockBit, which has typically targeted Windows and Linux-based devices.
LockBit has been among the most prolific ransomware gangs to ever exist, and was most recently responsible for the attack on Royal Mail which caused significant service disruption.
It has also been the most prolific group in terms of the number of successful attacks for years, but was overtaken in March by Cl0p following the GoAnywhere MFT breaches.
Although researchers highlighted that the disclosure of this macOS encryptor should be a cause for concern, at present there is little to no risk of users being compromised.
“While yes it can indeed run on Apple Silicon, that is basically the extent of its impact,” Wardle wrote in his blog post. “Thus macOS users have nothing to worry about…for now.”
Wardle suggested that the strain is “far from ready for prime time”, noting that the strain is “rather buggy” and contains notable flaws that will cause it to prematurely exit when run on macOS.
“From its lack of a valid code-signing signature to its ignorance of TCC and other macOS file-system protections, as it stands it poses no threat to macOS users,” he wrote.
The macOS variant of LockBit’s ransomware payload was also dated 17 November 2022, meaning the sample went unnoticed for some months before it was unearthed.
LockBit confirmed to BleepingComputer that the strain is under active development.
Because many organisations equip their workforce with Windows-based computers rather than Macs or Linux machines, ransomware groups have usually developed payloads that reach the widest possible pool of targets.
LockBit’s is not the first ransomware program to be written for macOS, but such strains are certainly less common than those that target Windows.
Regardless, Apple has been “fairly proactive” when it comes to securing its computers against ransomware, Wardle said.
Measures such as System Integrity Protection (SIP) and read-only system volumes mean that even if a Mac were infected with a ransomware payload, it would be difficult for the malware to affect OS-level files.
Apple has also introduced Transparency, Consent, and Control (TCC) protections, which means files in protected locations can only be affected with the user’s manual approval or through exploitation of a vulnerability, Wardle said.
The development of LockBit’s macOS ransomware strain may still be in its infancy and riddled with bugs, but the industry will be alarmed by the discovery given the group’s standing in the cyber criminal space, perhaps indicating a new trend in ransomware.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.