LockBit crew cooks up half-baked Mac ransomware

Please, no need to fix these problems


LockBit has developed ransomware that can encrypt files on Arm-powered Macs, said to be a first for the prolific cybercrime crew. 

Those behind the MalwareHunterTeam Twitter handle spotted the malware and, in a subsequent VirusTotal screenshot, showed that the binary had earlier raised no red flags among antivirus or sandbox vendors. That has since changed as antivirus makers catch up; a number of them today flag the software nasty as malicious.

"As much as I can tell, this is the first Apple's Mac devices targeting build of LockBit ransomware sample seen," MHT tweeted over the weekend. "Also is this a first for the 'big name' gangs?"  

Shortly after, VX-Underground released samples of the extortionware, and said the macOS variant has been available since November 11.

"We believe this is the first time a large ransomware threat group has developed a payload for Apple products," the malware archivists noted. 

LockBit, a highly prolific ransomware-as-a-service operation with ties to Russia, has been around since 2019, deploying its malware against high-profile targets in multiple nations. 

According to US prosecutors, this ransomware strain has been deployed against more than 1,000 organizations, and members of the gang have extracted "tens of millions" of dollars in ransom payments.

Though it's not great news for Mac users that a top-tier gang is bringing its malware to the OS – the 64-bit Arm version, at least – there are some caveats to bear in mind.

As infosec maven Patrick Wardle pointed out in his technical analysis of the code, the software nasty uses an invalid digital signature, which means it won't easily run on Apple's desktop operating system even if it's downloaded to a Mac device. 

"While yes it can indeed run on Apple Silicon, that is basically the extent of its impact," Wardle noted. "Thus macOS users have nothing to worry about …for now!"

Similarly, EclecticIQ threat hunter Arda Büyükkaya concluded in his analysis that it's probably just a test binary. 

Still, the fact that LockBit (and likely other ransomware gangs) are working to develop file-scrambling tools for infected Mac devices indicates yet another avenue for cybercriminals to expand their businesses, if not now then in the future.

"While this iteration isn't close to ready for primetime, it's nonetheless an indication that LockBit was, and possibly still is, looking at Macs as a potential target," Emsisoft threat analyst Brett Callow told The Register.

"It's worth keeping in mind that if LockBit was to release a functioning encryptor for macOS, other gangs would likely do so, too," he added. "They operate like legitimate businesses in that they copy each other and replicate strategies that are found to work." ®
