Chris Swagler | April 27th, 2023

The LockBit ransomware group has created its first encryptors that target Apple computers, becoming the first major ransomware operation to specifically target macOS. A cybersecurity researcher uncovered the new ransomware encryptors after discovering a ZIP archive on VirusTotal that contains what looks to be the majority of the available LockBit encryptors. LockBit has traditionally used encryptors developed for attacks on Windows, Linux, and VMware ESXi systems. However, the collection on VirusTotal also contained previously undiscovered encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs. One of the encryptors is “locker_Apple_M1_64” [VirusTotal], which targets newer Macs running on Apple Silicon. The collection also includes lockers for PowerPC CPUs, which are used by older Macs. Further investigation by a cybersecurity researcher discovered an Apple M1 encryptor submitted to VirusTotal in December 2022, indicating that the samples have been circulating for some time.

An examination of the strings in the LockBit encryptor for Apple M1 found strings that are out of place in a macOS encryptor, implying that they were likely slapped together carelessly in a test. There are multiple references to VMware ESXi, which is out of place in an Apple M1 encryptor because VMware indicated they would no longer support the CPU architecture. Additionally, the encryptor includes sixty-five file extensions and filenames that aren’t encrypted, all of which are Windows file extensions and folders. The following is a list of Windows files that the Apple M1 encryptor won’t encrypt, all of which are out of place on a macOS device.

  • .exe
  • .bat
  • .dll
  • msstyles
  • gadget
  • winmd
  • ntldr
  • dat.log
  • bak
  • inf
  • db
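
The string triage described above can be reproduced on any binary. The following is an added example, not code from the article or from the researchers it cites: it checks whether a file is an arm64 Mach-O and flags Windows and ESXi strings that do not belong there. The ESXi keyword pattern and the sample bytes are constructed assumptions.

```python
import re
import struct

MH_MAGIC_64 = 0xFEEDFACF     # 64-bit Mach-O magic (little-endian file)
CPU_TYPE_ARM64 = 0x0100000C  # Apple Silicon

# Windows-only names from the exclusion list quoted in the article.
WINDOWS_MARKERS = {".exe", ".bat", ".dll", "msstyles", "gadget", "winmd", "ntldr"}
# Assumption: simple keyword match for the ESXi references the article mentions.
ESXI_PATTERN = re.compile(r"esxi|vmware", re.IGNORECASE)

def is_arm64_macho(data: bytes) -> bool:
    """True when the header says 64-bit Mach-O built for arm64."""
    if len(data) < 8:
        return False
    magic, cputype = struct.unpack_from("<II", data, 0)
    return magic == MH_MAGIC_64 and cputype == CPU_TYPE_ARM64

def printable_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII, like the `strings` utility."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield match.group().decode("ascii")

def out_of_place_strings(data: bytes) -> dict:
    """Report Windows and ESXi artifacts found in the binary's strings."""
    report = {"arm64_macho": is_arm64_macho(data), "windows": set(), "esxi": set()}
    for s in printable_strings(data):
        if s.lower() in WINDOWS_MARKERS:
            report["windows"].add(s.lower())
        if ESXI_PATTERN.search(s):
            report["esxi"].add(s)
    return report

# Constructed sample: a bare Mach-O header followed by NUL-separated strings.
# It is not taken from any real LockBit sample.
SAMPLE = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 0, 0, 0, 0) + b"\0".join(
    [b".exe", b".dll", b"ntldr", b"msstyles",
     b"/usr/lib/libSystem.B.dylib", b"constructed esxi reference"]
)

if __name__ == "__main__":
    print(out_of_place_strings(SAMPLE))
```

An arm64 Mach-O that reports a non-empty "windows" or "esxi" set is a candidate for a cross-platform build from a shared codebase and worth a closer look.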

Almost all of the ESXi and Windows strings also appear in the MIPS and FreeBSD encryptors, indicating that they share a codebase. The encryptors are unlikely to be ready for use in actual attacks against macOS devices. According to one researcher, the encryptors were designed as a test and never intended for deployment in live cyberattacks. A macOS cybersecurity expert confirmed Cisco’s theory that they’re in-development test builds, adding that the encryptor is far from complete and lacks the necessary capability to fully encrypt Macs. The macOS encryptor is based on the Linux version and compiled for macOS with basic configuration settings. Additionally, when the macOS encryptor is launched, it crashes because of a buffer bug in the code. The LockBit developer would need to figure out how to bypass TCC and get the encryptor notarized before it could become functional.

Even though Windows has been the most targeted operating system in ransomware attacks, nothing stops developers from developing ransomware for Macs. However, with the LockBit operation’s reputation for pushing the boundaries of ransomware development, it wouldn’t be remarkable if more complex and optimized encryptors for the CPU architectures were released in the future. All computer users, including Mac users, should follow good online security habits, including updating operating systems, not opening unknown attachments and executables, creating offline backups, and using strong and unique passwords at all sites users visit. LockBitSupp, LockBit’s public-facing representative, stated that the Mac encryptor is actively being developed.

With LockBit being known for messing with security researchers and the media, more production-quality versions are likely in the future. Additionally, even though it’s unclear how effective a macOS encryptor would be in large companies, some LockBit affiliates are targeting clients and small companies where an encryptor can be more useful. That’s why it’s important for companies to always be vigilant of the latest threat landscape and regularly update their operating systems’ security infrastructure.

At SpearTip, our certified engineers are working continuously at our 24/7/365 Security Operations Center monitoring companies’ operating systems, including Macs, for potential ransomware threats. With our pre-breach advisory services, our engineers will examine companies’ security posture to improve the weak points in their networks. Additionally, our team will engage with companies’ people, processes, and technology to measure the maturity of their technical environments. With all vulnerabilities uncovered, our experts will provide technical roadmaps ensuring companies have the awareness and support to optimize their overall security posture. The ShadowSpear Platform, our integrable managed detection and response tool, allows our engineers to detect advanced and unknown sophisticated ransomware threats through comprehensive insights using unparalleled data normalization.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
