Security researchers have discovered a new LockBit ransomware variant that’s designed to target macOS devices. MalwareHunterTeam detailed on Twitter that the malware enables threat actors to encrypt files stored on Arm-powered Macs.
LockBit is a Russia-based group that has historically targeted Windows PCs, Linux, and virtual host machines. The gang has been running ransomware-as-a-service (RaaS) operations since 2019. Over the years, the LockBit group has deployed its malware against many high-profile targets in several countries.
Interestingly, Twitter user vx-underground found that the macOS variant of the LockBit ransomware has been available since November 2022. The malware has infected around 1,000 organizations worldwide. Security researchers believe that the LockBit gang managed to steal tens of millions of dollars from the victims.
Apple security expert Patrick Wardle has performed a detailed analysis of the macOS version of LockBit. He found that the malware can encrypt files on macOS, but it currently doesn’t pose any real threat. Wardle also pointed out that LockBit uses an invalid digital signature, and it can’t run easily on a Mac device. The built-in security features (such as System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC)) will help to significantly reduce its impact.
“While this may be the first time a large ransomware group created ransomware capable of running on macOS, it’s worth noting that this sample is far from ready for prime time. From its lack of a valid code-signing signature to its ignorance of TCC and other macOS file-system protections, as it stands it poses no threat to macOS users,” Wardle explained.
Emsisoft threat analyst Brett Callow explained that the LockBit ransomware for Mac is currently in its early development stages. Moreover, he confirmed that there is no evidence it has been used in the wild. “It is, however, an indication that LockBit is, or at least was, thinking about Macs,” Callow said.