Security experts are examining newly discovered ransomware samples targeting Macs that were created by the notorious LockBit gang, marking the first known example of a prominent ransomware group experimenting with macOS versions of its malware. While ransomware is a common threat, attackers typically do not create versions of their malware to target Macs, which are much less prevalent than computers running Windows, Linux, and other operating systems. However, the emergence of experimental Mac ransomware samples over the years has created a sense that the risk could escalate at any moment.
The LockBit Mac ransomware samples were first spotted by MalwareHunterTeam in November and December 2022 in the malware analysis repository VirusTotal, but they went unnoticed until recently. Researchers say that LockBit’s Mac ransomware appears to be more of a first attempt than a fully functional and ready-to-use version, but it could indicate future plans, especially given that more businesses and institutions are incorporating Macs. It is concerning that a large and successful ransomware group like LockBit has set its sights on macOS, as they may improve and iterate on this ransomware to create a more effective and destructive version.
LockBit operations traditionally employ encryptors created for targeting:
- Windows
- Linux
- VMware ESXi servers
Apart from this, a specific encryptor called ‘locker_Apple_M1_64’ is aimed at encrypting newer macOS with Apple Silicon.
During the analysis of the LockBit encryptor for Apple M1 by the researchers at Objective-See, experts discovered misplaced strings that suggest it was hastily assembled as a test and not intended for macOS encryption.
Multiple references to VMware ESXi were found in the Apple M1 encryptor, which is odd given that VMware had previously stated it would not support that CPU architecture.
Using the codesign utility, it was determined that the encryptor was signed in an “ad-hoc” manner instead of an Apple Developer ID.
As a result, macOS would prevent it from running if downloaded onto a system by attackers, which was confirmed by the “invalid signature” message shown by the spctl utility.
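The two checks described above (an ad-hoc signature reported by codesign and a refusal from spctl) are the first thing a defender runs on a suspicious Mac binary. The following is an added triage helper, not code from the original article or from any of the researchers cited: it parses the text those two tools emit and classifies the sample, using constructed sample output modelled on the M1 encryptor; the exact wording of real codesign and spctl output varies by macOS version and is assumed here.

```python
"""Classify a macOS binary's signing status from codesign/spctl output."""
import re
import subprocess


def classify_codesign(output: str) -> dict:
    """Summarise a `codesign -dv --verbose=4` dump (it is written to stderr)."""
    info = {"signed": True, "adhoc": False, "developer_id": False,
            "team_id": None, "arch": None}
    if "not signed at all" in output:          # completely unsigned binary
        info["signed"] = False
        return info
    for line in output.splitlines():
        if line.startswith("Signature=adhoc") or "flags=0x2(adhoc)" in line:
            info["adhoc"] = True                 # no certificate chain at all
        elif line.startswith("Authority=Developer ID Application"):
            info["developer_id"] = True          # Apple-issued Developer ID leaf
        elif line.startswith("TeamIdentifier="):
            team = line.split("=", 1)[1].strip()
            info["team_id"] = None if team == "not set" else team
        elif line.startswith("Format="):         # e.g. "Mach-O thin (arm64)"
            m = re.search(r"\((\w+)\)", line)
            info["arch"] = m.group(1) if m else None
    return info


def gatekeeper_verdict(output: str) -> str:
    """Reduce `spctl --assess --type execute -v` output to one word."""
    text = output.lower()
    if "invalid signature" in text:
        return "invalid"
    return "accepted" if ": accepted" in text else "rejected"


def triage(codesign_out: str, spctl_out: str) -> str:
    """One-line verdict combining both tools, as an analyst would read them."""
    cs, gk = classify_codesign(codesign_out), gatekeeper_verdict(spctl_out)
    if not cs["signed"]:
        return "unsigned; Gatekeeper blocks it when downloaded"
    if cs["adhoc"] or not cs["developer_id"]:
        return f"ad-hoc/non-Developer-ID signature ({cs['arch']}); Gatekeeper: {gk}"
    return f"Developer ID {cs['team_id']} ({cs['arch']}); Gatekeeper: {gk}"


def run_tools(path: str) -> str:
    """Live variant for a real Mac: needs the codesign and spctl utilities."""
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", path],
                        capture_output=True, text=True).stderr
    gk = subprocess.run(["spctl", "--assess", "--type", "execute", "-v", path],
                        capture_output=True, text=True)
    return triage(cs, gk.stdout + gk.stderr)


# Constructed sample output (assumed format) modelled on the ad-hoc-signed M1 sample.
SAMPLE_CODESIGN = """Executable=/tmp/locker_Apple_M1_64
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+2 location=embedded
Signature=adhoc
TeamIdentifier=not set
"""
SAMPLE_SPCTL = "/tmp/locker_Apple_M1_64: invalid signature\n"
```

On a real Mac, `run_tools("/path/to/sample")` performs the same triage against the live tools; an ad-hoc signature with no TeamIdentifier is exactly the profile that Gatekeeper refuses on a quarantined download.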
The locker_Apple_M1_64 encryptor is an arm64 binary whose symbols were left unstripped, a detail that simplifies analysis.
The encryptor carries a list of 65 Windows file extensions and folder names that it excludes from encryption.
“The macOS encryptor is a compiled version of the Linux-based encryptor with basic configuration settings. However, upon launching, it crashes due to a buffer overflow bug in the code.”
Before it can function as an encryptor, the LockBit developer needs to bypass TCC and obtain notarization.
However, LockBitSupp, the public face of LockBit, stated that the Mac encryptor is currently under active development.
Although it is unclear how useful the macOS encryptor would be in enterprise environments, LockBit affiliates targeting small businesses and consumers may find it more useful.
Apple declined to comment on the findings. LockBit is a Russia-based ransomware gang known for its sheer volume of attacks and its well-organized and less ostentatious approach compared to some of its peers in the cybercriminal landscape, although it has recently targeted high-profile organizations like the United Kingdom’s Royal Mail and a Canadian children’s hospital.
Wardle, of Objective-See, has observed that LockBit’s macOS encryptors are in an early phase and still have fundamental development issues such as crashing on launch. To create effective attack tools, LockBit needs to find ways to circumvent macOS protections, including the validity checks that Apple has added in recent years for running new software on Macs. Although recent versions of macOS ship with numerous built-in security mechanisms aimed at thwarting, or at least reducing the impact of, ransomware attacks, well-funded ransomware groups will continue to evolve their malicious creations.
While developing Mac ransomware may not be the highest priority on every attacker’s to-do list, the field is shifting as law enforcement worldwide pushes to counter attacks, and victims increasingly have guidance and resources available to avoid paying. As a result, ransomware gangs are becoming more desperate for new or refined strategies that will help them get paid. The current form of the LockBit encryptor does not appear particularly viable, but experts like Thomas Reed, director of Mac and mobile platforms at antivirus maker Malwarebytes, are keeping an eye on it. For ransomware actors looking to generate as much revenue as possible, Macs are a potentially appealing untilled field.
Author: Lily Hay Newman
Author: prakash