First-Ever Ransomware Found to be Attacking macOS

LockBit ransomware gang targets Macs with its newly-developed encryptors for the first time, making them potentially the first significant ransomware group to aim at macOS.

Ransomware attacks are widespread. However, creating malware versions for targeting Macs by attackers is uncommon.

Apple computers, although widely used, have a lower presence compared to other platforms like:-

• Windows
• Linux

MalwareHunterTeam first detected samples of ransomware encryptors in VirusTotal’s malware analysis repository between November and December 2022.

In a recent tweet, MalwareHunterTeam discussed a new LockBit ransomware variant targeting macOS.

LockBit developed an encryptor version for newer Apple processor-based and older Macs that used Apple’s PowerPC chips. 

Technical Analysis

MalwareHunterTeam discovered a ZIP archive on VirusTotal that seemingly includes the majority of available LockBit encryptors.

LockBit operations traditionally employ encryptors created for targeting:-

Apart from this, a specific encryptor called ‘locker_Apple_M1_64’ is aimed at encrypting newer macOS with Apple Silicon.

During the analysis of the LockBit encryptor by the researchers at Objective See for Apple M1, experts discovered misplaced strings that suggest it was rashly assembled as a test and not intended for macOS encryption.

Multiple references to VMware ESXi were found in the Apple M1 encryptor, which is odd since VMware had previously declared that it would not be backing the CPU architecture.

Using the codesign utility, it was determined that the encryptor was signed in an “ad-hoc” manner instead of an Apple Developer ID. 

As a result, macOS would prevent it from running if downloaded onto a system by attackers, which was confirmed by the “invalid signature” message shown by the spctl utility.

The locker_Apple_M1_64 is an arm64 binary that benefits from having its symbols left unstripped, making it more streamlined.

The encryptor excludes 65 Windows file extensions and folders from encryption, specified by their filenames.

Here’s what Patrick Wardle of Objective See stated:-

“The macOS encryptor is a compiled version of the Linux-based encryptor with basic configuration settings. However, upon launching, it crashes due to a buffer overflow bug in the code.”

Although macOS is now on their radar, the encryptor is not yet ready for deployment as it only has basic configuration flags added during compilation for macOS.

Before it can function as an encryptor, the LockBit developer needs to bypass TCC and obtain notarization.

However, LockBitSupp, the public face of LockBit, stated that the Mac encryptor is currently under active development.

Although it is unclear how useful the macOS encryptor would be in enterprise environments, LockBit affiliates targeting small businesses and consumers may find it more useful.

Building Your Malware Defense Strategy – Download Free E-Book