LockBit crew cooks up half-baked Mac ransomware

Please, no need to fix these problems

LockBit has developed ransomware that can encrypt files on Arm-powered Macs, said to be a first for the prolific cybercrime crew. 

Those behind the MalwareHunterTeam Twitter handle spotted the malware, and in a subsequent VirusTotal screenshot, showed that the binary earlier didn't raise any red flags among antivirus or sandbox vendors. That's now changed as antivirus makers catch up; a bunch of them today flag the software nasty as malicious.

"As much as I can tell, this is the first Apple's Mac devices targeting build of LockBit ransomware sample seen," MHT tweeted over the weekend. "Also is this a first for the 'big name' gangs?"  

Shortly after, VX-Underground released samples of the extortionware, and said the macOS variant has been available since November 11.

"We believe this is the first time a large ransomware threat group has developed a payload for Apple products," the malware archivists noted. 

LockBit, a highly prolific ransomware-as-a-service operation with ties to Russia, has been around since 2019, deploying its malware against high-profile targets in multiple nations. 

According to US prosecutors, this ransomware strain has been deployed against more than 1,000 organizations, and members of the gang have extracted "tens of millions" of dollars in ransom payments.

Though it's not great news for Mac users that a top-tier gang is bringing its malware to the OS – the 64-bit Arm version, at least – there are some caveats to bear in mind.

As infosec maven Patrick Wardle pointed out in his technical analysis of the code, the software nasty uses an invalid digital signature, which means it won't easily run on Apple's desktop operating system even if it's downloaded to a Mac device. 

"While yes it can indeed run on Apple Silicon, that is basically the extent of its impact," Wardle noted. "Thus macOS users have nothing to worry about …for now!"

Similarly, EclecticIQ threat hunter Arda Büyükkaya concluded in his analysis that it's probably just a test binary. 

Still, the fact that LockBit (and likely other ransomware gangs) are working to develop file-scrambling tools for infected Mac devices indicates yet another avenue for cybercriminals to expand their businesses, if not now then in the future.

"While this iteration isn't close to ready for primetime, it's nonetheless an indication that LockBit was, and possibly still is, looking at Macs as a potential target," Emsisoft threat analyst Brett Callow told The Register

"It's worth keeping in mind that if LockBit was to release a functioning encryptor for macOS, other gangs would likely do so, too," he added. "They operate like legitimate businesses in that they copy each other and replicate strategies that are found to work." ®

Send us news

Scores of US credit unions offline after ransomware infects backend cloud outfit

Supply chain attacks: The gift that keeps on giving

Leader of pro-Russia DDoS crew Killnet 'unmasked' by Russian state media

Also: NXP China attack, Australia can't deliver on ransom payment ban (yet), and Justin Sun's very bad month

Five Eyes nations warn Moscow's mates at the Star Blizzard gang have new phishing targets

The Russians are coming! Err, they've already infiltrated UK, US inboxes

Uncle Sam probes cyberattack on Pennsylvania water system by suspected Iranian crew

CISA calls for stronger IT defenses as Texas district also hit by ransomware crew

Black Basta ransomware operation nets over $100M from victims in less than two years

Assumed Conti offshoot averages 7 figures for each successful attack but may have issues with, er, 'closing deals'

Europol shutters ransomware operation with kingpin arrests

A few low-level stragglers remain on the loose, but biggest fish have been hooked

BlackCat ransomware crims threaten to directly extort victim's customers

Accounting software firm Tipalti says it’s investigating alleged break-in of its systems

Goldman sacked: Apple 'wants out' of credit card collab

Don't be too shocked: Financial giant has been fleeing normie banking lately after failing to find footing

US readies prison cell for another Russian Trickbot developer

Hunt continues for the other elusive high-ranking members

Fancy Bear goes phishing in US, European high-value networks

GRU-linked crew going after our code warns Microsoft - Outlook not good

Hershey phishes! Crooks snarf chocolate lovers' creds

Stealing Kit Kat maker's data?! Give me a break

British Library begins contacting customers as Rhysida leaks data dump

CRM databases were accessed and library users are advised to change passwords