
LockBit crew cooks up half-baked Mac ransomware

Please, no need to fix these problems


LockBit has developed ransomware that can encrypt files on Arm-powered Macs, said to be a first for the prolific cybercrime crew. 

Those behind the MalwareHunterTeam Twitter handle spotted the malware and, in a VirusTotal screenshot, showed that the binary initially raised no red flags with antivirus or sandbox vendors. That has since changed as antivirus makers catch up; a bunch of them now flag the software nasty as malicious.

"As much as I can tell, this is the first Apple's Mac devices targeting build of LockBit ransomware sample seen," MHT tweeted over the weekend. "Also is this a first for the 'big name' gangs?"  

Shortly after, VX-Underground released samples of the extortionware, and said the macOS variant has been available since November 11.

"We believe this is the first time a large ransomware threat group has developed a payload for Apple products," the malware archivists noted. 

LockBit, a highly prolific ransomware-as-a-service operation with ties to Russia, has been around since 2019, deploying its malware against high-profile targets in multiple nations. 

According to US prosecutors, this ransomware strain has been deployed against more than 1,000 organizations, and members of the gang have extracted "tens of millions" of dollars in ransom payments.

Though it's not great news for Mac users that a top-tier gang is bringing its malware to the OS – the 64-bit Arm version, at least – there are some caveats to bear in mind.

As infosec maven Patrick Wardle pointed out in his technical analysis of the code, the software nasty carries an invalid code signature, which means it won't easily run on Apple's desktop operating system even if it's downloaded to a Mac: macOS checks the signature at launch and refuses to execute a binary that fails that check.

"While yes it can indeed run on Apple Silicon, that is basically the extent of its impact," Wardle noted. "Thus macOS users have nothing to worry about …for now!"
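The two facts that matter for triaging a sample like this are which CPU slices it ships (is there an arm64 build at all?) and whether it carries a code signature blob. The following Mach-O header parser is an added example written for this article, not code from the original page or from any of the analysts quoted; the three sample binaries it checks are constructed in-line (bare headers, not runnable programs) and all constants come from Apple's public `<mach-o/loader.h>` and `<mach-o/fat.h>`.

```python
import struct

# Mach-O constants from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O, host byte order
MH_CIGAM_64 = 0xCFFAEDFE      # 64-bit Mach-O, byte-swapped
FAT_MAGIC = 0xCAFEBABE        # universal (fat) container; its tables are always big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D

CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def parse_thin(data):
    """Report the CPU type of one 64-bit Mach-O image and whether its load
    commands include LC_CODE_SIGNATURE (a signature blob is present at all)."""
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        endian = "<"
    elif magic == MH_CIGAM_64:
        endian = ">"
    else:
        raise ValueError("not a 64-bit Mach-O image: magic 0x%08x" % magic)
    cputype, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from(endian + "7I", data, 4)
    offset = 32                      # sizeof(struct mach_header_64)
    end = offset + sizeofcmds
    has_sig = False
    for _ in range(ncmds):
        if offset + 8 > end or offset + 8 > len(data):
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, offset)
        if cmdsize < 8:
            raise ValueError("malformed load command size")
        if cmd == LC_CODE_SIGNATURE:
            has_sig = True
        offset += cmdsize
    return {"arch": CPU_NAMES.get(cputype, "0x%08x" % cputype), "code_signature": has_sig}


def triage(data):
    """Return one {arch, code_signature} record per slice; a thin image yields one."""
    if len(data) >= 8 and struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        results = []
        for i in range(nfat_arch):
            _cpu, _sub, off, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            results.append(parse_thin(data[off:off + size]))
        return results
    return [parse_thin(data)]


def build_thin(cputype, signed):
    """Constructed sample (assumption, not a real binary): a mach_header_64 with a
    __TEXT segment command and, optionally, an LC_CODE_SIGNATURE command."""
    cmds = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                       0, 0x4000, 0, 0x4000, 5, 5, 0, 0)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x4000, 0x100)  # dataoff, datasize
    ncmds = 2 if signed else 1
    # filetype 2 = MH_EXECUTE
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, ncmds, len(cmds), 0, 0)
    return header + cmds


def build_fat(slices):
    """Constructed sample: wrap (cputype, image) pairs in a universal container."""
    header = struct.pack(">II", FAT_MAGIC, len(slices))
    table_len = 8 + 20 * len(slices)
    table, body = b"", b""
    for cputype, image in slices:
        table += struct.pack(">5I", cputype, 0, table_len + len(body), len(image), 0)
        body += image
    return header + table + body


if __name__ == "__main__":
    samples = [
        ("arm64, signed", build_thin(CPU_TYPE_ARM64, True)),
        ("x86_64, unsigned", build_thin(CPU_TYPE_X86_64, False)),
        ("universal", build_fat([(CPU_TYPE_X86_64, build_thin(CPU_TYPE_X86_64, True)),
                                 (CPU_TYPE_ARM64, build_thin(CPU_TYPE_ARM64, True))])),
    ]
    for label, blob in samples:
        print(label, triage(blob))
```

Presence of an LC_CODE_SIGNATURE command is not the same as a signature that verifies: whether the CMS blob, its hashes and any entitlements actually check out is something only Apple's tooling on a Mac will tell you, with `codesign --verify --verbose=4 /path/to/sample` (and `spctl --assess` for Gatekeeper's view). A sample that parses as arm64 here but fails that verification is exactly the situation Wardle describes: it is built for Apple Silicon, and the OS still won't launch it.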

Similarly, EclecticIQ threat hunter Arda Büyükkaya concluded in his analysis that it's probably just a test binary. 

Still, the fact that LockBit, and likely other ransomware gangs, are working on file-scrambling tools for Macs points to yet another avenue for cybercriminals to expand their businesses, if not now then in the future.

"While this iteration isn't close to ready for primetime, it's nonetheless an indication that LockBit was, and possibly still is, looking at Macs as a potential target," Emsisoft threat analyst Brett Callow told The Register.

"It's worth keeping in mind that if LockBit was to release a functioning encryptor for macOS, other gangs would likely do so, too," he added. "They operate like legitimate businesses in that they copy each other and replicate strategies that are found to work." ®

