Security researchers are examining newly discovered Mac ransomware samples from the notorious gang LockBit, marking the first known example of a prominent ransomware group toying with macOS versions of its malware.
Ransomware is a pervasive threat, but attackers typically don’t bother creating versions of their malware to target Macs. That’s because Apple’s computers, while popular, are much less prevalent than those running Windows, Linux, and other operating systems. Over the years, though, samples of seemingly experimental Mac ransomware have cropped up a couple of times, creating a sense that the risk could escalate at any moment.
Spotted by MalwareHunterTeam, the samples of ransomware encryptors seem to have first cropped up in the malware analysis repository VirusTotal in November and December 2022, but went unnoticed until yesterday. LockBit seems to have created both a version of the encryptor targeting newer Macs running Apple processors and older Macs that ran on Apple’s PowerPC chips.
Researchers say the LockBit Mac ransomware appears to be more of a first foray than anything that’s fully functional and ready to be used. But the tinkering could indicate future plans, especially given that more businesses and institutions have been incorporating Macs, which could make it more appealing for ransomware attackers to invest time and resources so they can target Apple computers.
“It’s unsurprising but concerning that a large and successful ransomware group has now set their sights on macOS,” says longtime Mac security researcher and Objective-See Foundation founder Patrick Wardle. “It would be naive to assume that LockBit won’t improve and iterate on this ransomware, potentially creating a more effective and destructive version.”
Apple declined to comment on the findings.
LockBit is a Russia-based ransomware gang that emerged at the end of 2019. The group is most known for its sheer volume of attacks, and for appearing well-organized and being less ostentatious and sophomoric than some of its peers in the cybercriminal landscape. But LockBit isn’t immune from arrogance and public aggression. Notably, it called significant attention to itself in recent months by targeting the United Kingdom’s Royal Mail and a Canadian children’s hospital.
For now, Wardle notes that LockBit’s macOS encryptors seem to be in a very early phase and still have fundamental development issues like crashing on launch. And to create truly effective attack tools, LockBit will need to figure out how to circumvent macOS protections, including validity checks that Apple has added in recent years for running new software on Macs.
“In some sense, Apple is ahead of the threat, as recent versions of macOS ship with a myriad of built-in security mechanisms aimed to directly thwart, or at least reduce the impact of, ransomware attacks,” Wardle says. “However, well-funded ransomware groups will continue to evolve their malicious creations.”
Developing Mac ransomware may not be the highest priority on every attacker’s to-do list, but the field is shifting. As law enforcement worldwide pushes to counter attacks, and victims increasingly have input and resources available to avoid paying, ransomware gangs are getting more desperate for new or refined strategies that will help them get paid.
“The LockBit encryptor doesn’t look particularly viable in its current form, but I’m definitely going to be keeping an eye on it,” says Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes. “The viability may improve in the future. Or it may not, if their tests aren’t promising.”
Still, for ransomware actors looking to generate as much revenue as possible, Macs are a potentially appealing untilled field.