Danger for Mac computers: LockBit ransomware already has a version for them

Owners and users of Mac computers do not usually suffer from the security problems that affect other computers, especially those running the Windows operating system. But they can no longer be so sure of that, because experts from MalwareHunterTeam have identified what appears to be the first instance of ransomware specifically targeting macOS computers: a version of LockBit.

Apparently, this version of the ransomware can attack all Mac models, from those dating back to the 1990s using PowerPC processors to the latest machines with M1 chips. Everything indicates that it has been developed by hackers of Russian origin, who are in charge of managing and directing LockBit’s attacks through a ransomware-as-a-service business.

This service works by licensing the group’s ransomware to third parties, so that any group or attacker who gets hold of it can buy and deploy the attack system with one click. That said, although most of the group that developed LockBit is Russian-speaking, its leader apparently operates from China or the United States.

The Mac version of LockBit is typical malware that locks and encrypts a user’s files, then demands a ransom to decrypt them. If the victim doesn’t pay, the attackers threaten to release the files for anyone to access, or sell them to the highest bidder.

LockBit is not limited to attacking individual machines: if they are connected to a network, it can spread to the other computers on it. Due to its design, until now it has been used mainly against large companies and government entities, rather than against individual users. The potential ransoms that large entities can pay are higher, hence its scarce use against personal networks and small companies. The same is true of the damage it can do: it is much greater in large corporations and governments.

The appearance of a version of LockBit for Mac seems to imply a broadening of its strategy, since Mac computers are not in the majority, except in very specific companies. In any case, it seems that this is not the first time versions of this ransomware have appeared for Mac. Apparently, it was first discovered last November, but it has remained largely unnoticed until now. This may be because the software was then in the third-party shipping phase or simply in testing.

According to Bleeping Computer, a ZIP file uploaded to VirusTotal included all the Mac encryptors. Although LockBit only attacked Windows and Linux computers and virtual machines until now, the list of files in the aforementioned ZIP file included variants for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs.

Despite the appearance of this version of LockBit for Mac, the owners of these computers do not seem to have much to worry about in the short term, because the files in the archive do not appear ready to be deployed in attacks against computers running macOS. These encryptors appear to be either a test or still in development, because they lack the functionality needed to successfully encrypt Macs to begin with.

According to cybersecurity expert Patrick Wardle, these versions of LockBit seem to be based on the ones for Linux, and then compiled for macOS with some basic configuration settings. But that is not their only deficiency or problem: apparently, when the encryptor for macOS is launched, it fails due to a buffer overflow bug in its code.