The year 2022 marked a significant increase in the number of ransomware attacks globally. Since then, there has been no respite for individuals and organizations who have continued to fall prey to ransomware groups throughout 2023. With the increase in ransomware attacks, cybercriminals have continued to develop sophisticated and advanced techniques to execute their attacks.
One of the known and more prolific ransomware groups is LockBit. On April 5, 2023, alarming news emerged when it was discovered that LockBit had developed a macOS-based payload. This development represents the first time a big-game ransomware crew has targeted macOS devices with their malware. Here’s what we know so far:
Development of macOS Payload by LockBit
According to reports from cybersecurity researchers, additional samples identified by Vx-underground show that the macOS variant of LockBit ransomware has been around since November 11, 2022. The LockBit ransomware has been known for its attacks targeted at Windows devices since late 2019. The new development of a macOS-based payload expands the attack surface of the ransomware group, which now has the capability to target both Windows and macOS devices.
LockBit’s Emergence as a Major Threat in Ransomware Attacks
According to statistics released last week by Malwarebytes, LockBit emerged as the second most used ransomware in March 2023 after Cl0p. The increase in the use of LockBit indicates the growing influence and capabilities of the ransomware group.
Analysis of the LockBit macOS Payload
An analysis of the new macOS version reveals that it is still a work in progress, relying on an invalid signature to sign the executable. The payload packs in files like “autorun.inf” and “ntuser.dat.log”, suggesting that the ransomware sample was originally designed to target Windows.
Impact on Apple Silicon
While the macOS variant of LockBit has been designed to run on Apple Silicon, its impact is limited. Apple’s implementation of the ARM64 instruction set and the use of the M1 processor have posed a significant barrier for cybercriminals to run their malicious payloads on Apple devices. According to Patrick Wardle, a cybersecurity expert, “Yes, it can indeed run on Apple Silicon, but that is basically the extent of its impact.”
Apple’s Safeguards Against LockBit
Apple has implemented additional safeguards to protect macOS users from ransomware attacks. These include System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC). System Integrity Protection aims to prevent malware from modifying critical system files, while Transparency, Consent, and Control seeks to provide the user with more control over the data that applications on their devices can access.
Active development of LockBit’s macOS encryptor
A LockBit representative has confirmed to Bleeping Computer that the macOS encryptor is “actively being developed”. This confirmation raises concerns that LockBit might pose a significant threat to Apple’s operating system. As the LockBit ransomware group continues to develop advanced techniques to carry out their attacks, it’s crucial for users to keep their devices updated, implement strong security measures, and stay vigilant for any signs of a ransomware attack.
The emergence of LockBit’s macOS payload highlights the need for organizations and individuals to remain proactive in protecting their devices from ransomware. With Apple’s implementation of additional safeguards, it is harder for cybercriminals to execute attacks on macOS devices. However, as LockBit continues to develop its macOS payload, it is vital to remain vigilant, implement strong security measures, and educate oneself on ransomware threats. By staying informed and taking necessary precautions, users can minimize the threat posed by LockBit and other ransomware groups.
