LockBit ransomware for Macs surfaces - 9to5Mac
LockBit ransomware gang appears to be targeting Macs for the first time
Avatar for Michael Potuck
Michael Potuck
| Apr 16 2023 - 7:38 am PT
12 Comments
Apple reportedly introduced major under-the-hood security updates to macOS this year
Over the last several years, LockBit has become one of the most powerful ransomware gangs. While it has focused on Windows, Linux, and virtual host machines, it looks like the group has developed its first ransomware for Macs.
Discovered by MalwareHunterTeam (via Brett Callow), what seems to be the first ransomware build designed for macOS has surfaced on the web. While it’s not fully clear, it may also be the first time a major ransomware gang is targeting Apple devices.
As a bit of background, LockBit is believed by security analysts to be a Russian-based group as most of the members are Russian-speaking. However, the leader has said he operates out of the US or China.
LockBit has grown as it runs a ransomware-as-a-service (RaaS) operation. That approach means the group lets others use their ransomware – for a price.
It looks like this LockBit ransomware was created for Apple Silicon Macs with the build name being “locker_Apple_M1_64.”
While infosec Twitter account vx-underground mentioned the appearance of this LockBit ransomware for Mac showing up in one place with a date of November 2022, MalwareHunterTeam says they haven’t found any mentions of it online and I found the same, so it appears it may have gone under the radar until now if it was around since last fall.
In any case, MalwareHunterTeam believes this is the first public alert about LockBit going after Apple devices. And with the gang’s RaaS approach, it’s possible we could see an incoming wave of ransomware attacks targeting Macs.
Not a single person I can find tweeted LockBit has a Mac targeting version before I did above yesterday, nor can find any blog posts mentioning it, etc. So even if the gang had the first build in 2022 November, for public, this is not late at all, but even yet, seems the first… pic.twitter.com/4iR71cuLpo
— MalwareHunterTeam (@malwrhunterteam) April 16, 2023
Curiously, while the M1 ransomware build may grab the most attention, a LockBit ransomware build is also showing up for PowerPC Macs.
Anyway, the archive in which this sample was included shown bundled date as March 20.
And they even have PowerPC builds…
— MalwareHunterTeam (@malwrhunterteam) April 16, 2023
Speaking with Wired earlier this year, Jon DiMaggio from Analyst1 shared that one of the reasons LockBit has grown so powerful is its leader’s business savvy.
“They are the most notorious ransomware group, because of sheer volume. And the reason for their success is that the leader is a good businessman,” says Jon DiMaggio, chief security strategist at Analyst1 who has studied LockBit’s operations extensively. “It’s not that he’s got this great leadership capability. They made a point-and-click ransomware that anyone could use, they update their software, they’re constantly looking for user feedback, they care about their user experience, they poach people from rival gangs. He runs it like a business, and because of that, it is very, very attractive to criminals.”
Avatar for Michael Potuck
Michael Potuck
| Apr 16 2023 - 7:38 am PT
12 Comments
Apple reportedly introduced major under-the-hood security updates to macOS this year
Over the last several years, LockBit has become one of the most powerful ransomware gangs. While it has focused on Windows, Linux, and virtual host machines, it looks like the group has developed its first ransomware for Macs.
Discovered by MalwareHunterTeam (via Brett Callow), what seems to be the first ransomware build designed for macOS has surfaced on the web. While it’s not fully clear, it may also be the first time a major ransomware gang is targeting Apple devices.
As a bit of background, LockBit is believed by security analysts to be a Russian-based group as most of the members are Russian-speaking. However, the leader has said he operates out of the US or China.
LockBit has grown as it runs a ransomware-as-a-service (RaaS) operation. That approach means the group lets others use their ransomware – for a price.
It looks like this LockBit ransomware was created for Apple Silicon Macs with the build name being “locker_Apple_M1_64.”
While infosec Twitter account vx-underground mentioned the appearance of this LockBit ransomware for Mac showing up in one place with a date of November 2022, MalwareHunterTeam says they haven’t found any mentions of it online and I found the same, so it appears it may have gone under the radar until now if it was around since last fall.
In any case, MalwareHunterTeam believes this is the first public alert about LockBit going after Apple devices. And with the gang’s RaaS approach, it’s possible we could see an incoming wave of ransomware attacks targeting Macs.
Not a single person I can find tweeted LockBit has a Mac targeting version before I did above yesterday, nor can find any blog posts mentioning it, etc. So even if the gang had the first build in 2022 November, for public, this is not late at all, but even yet, seems the first… pic.twitter.com/4iR71cuLpo
— MalwareHunterTeam (@malwrhunterteam) April 16, 2023
Curiously, while the M1 ransomware build may grab the most attention, a LockBit ransomware build is also showing up for PowerPC Macs.
Anyway, the archive in which this sample was included shown bundled date as March 20.
And they even have PowerPC builds…
— MalwareHunterTeam (@malwrhunterteam) April 16, 2023
Speaking with Wired earlier this year, Jon DiMaggio from Analyst1 shared that one of the reasons LockBit has grown so powerful is its leader’s business savvy.
“They are the most notorious ransomware group, because of sheer volume. And the reason for their success is that the leader is a good businessman,” says Jon DiMaggio, chief security strategist at Analyst1 who has studied LockBit’s operations extensively. “It’s not that he’s got this great leadership capability. They made a point-and-click ransomware that anyone could use, they update their software, they’re constantly looking for user feedback, they care about their user experience, they poach people from rival gangs. He runs it like a business, and because of that, it is very, very attractive to criminals.”
