The threat actors behind the LockBit ransomware operation have developed a new artifact that can encrypt files on devices running Apple’s macOS operating system.
The development, reported by MalwareHunterTeam over the weekend, appears to be the first time a big-game ransomware crew has built a macOS-based payload.
Additional samples identified by vx-underground indicate that the macOS variant has been available since November 11, 2022, and has managed to evade detection by anti-malware engines until recently.
LockBit is a prolific cybercrime crew with links to Russia that has been active since late 2019, with threat actors releasing two major updates to the locker in 2021 and 2022.
According to statistics released by Malwarebytes last week, LockBit emerged as the second most used ransomware in March 2023 after Cl0p, with 93 successful attacks.
Analysis of the new macOS version ("locker_Apple_M1_64") reveals that it is still a work in progress, relying on an invalid signature to sign the executable. This also means that Apple’s Gatekeeper protection will prevent it from running even if it is downloaded and launched on the device.
The payload, per security researcher Patrick Wardle, is packaged in files such as autorun.inf and ntuser.dat.log, suggesting that the ransomware sample was originally designed to target Windows.
“While yes it does work on Apple Silicon, that is basically the extent of impact,” Wardle said. “So macOS users have nothing to worry about…for now!”
Wardle also points out the additional safeguards implemented by Apple, such as System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC), which prevent unauthorized code execution and require applications to request user permission to access protected files and data.
“This means that without exploits or explicit user consent, user files will remain protected,” said Wardle. “Still need an extra layer or detection/protection.”
This finding, despite the overall bugginess of the artifacts, is a sure sign that threat actors are increasingly targeting macOS systems.
A LockBit representative has confirmed to Computer Sleep that macOS encryption is being “actively developed”, indicating that the malware is likely to pose a serious threat to the platform.