The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to specifically target macOS.

The new ransomware encryptors were discovered by a cybersecurity researcher MalwareHunterTeam who found a ZIP archive on VirusTotal that contained what appears to be all available LockBit encryptors.

Historically, the LockBit operation uses ciphers designed for attacks on Windows, Linux, and VMware ESXi servers. However, as shown below, this archive [VirusTotal] also contained previously unknown ciphers for macOS, ARM, FreeBSD, MIPS, and SPARC processors.

These ciphers also include one named ‘locker_Apple_M1_64’ [VirusTotal] which targets new Macs running on Apple Silicon. The archive also contains lockers for PowerPC processors, which older Macs use.

Further research by cybersecurity researcher Florian Roth found an Apple M1 encryptor uploaded to VirusTotal in December 2022, indicating that these samples have been floating around for some time.

Probable test versions

BleepingComputer has analyzed the strings in the LockBit Encryptor for Apple M1 and found some strings that are out of place in a macOS encryptor, indicating that they were probably mixed up randomly in a test.

For example, there are many references to VMware ESXi, which has no place in an Apple M1 encryptor, as VMare announced that it would. not support CPU architecture.

_check_esxi
esxi_
_Esxi
_kill_esxi_1
_kill_esxi_2
_kill_esxi_3
_kill_processes
_kill_processes_Esxi
_killed_force_vm_id
_listvms
_esxcfg_scsidevs1
_esxcfg_scsidevs2
_esxcfg_scsidevs3
_esxi_disable
_esxi_enable

Additionally, the encryptor contains a list of sixty-five file extensions and filenames that will be excluded from encryption, all of which are Windows file extensions and folders.

A small snippet of Windows files that the Apple M1 Encryptor will not encrypt are listed below, all irrelevant on a macOS device.

.exe
.bat
.dll
msstyles
gadget
winmd
ntldr
ntuser.dat.log
bootsect.bak
autorun.inf
thumbs.db
iconcache.db

Almost all ESXi and Windows strings are also present in MIP and FreeBSD ciphers, indicating that they use a shared codebase.

The good news is that these encryptors are probably not ready to be deployed in real attacks against macOS devices.

Cisco Talos Researcher Azim Khodjibaev told BleepingComputer that based on their research, the ciphers were intended as a test and were never intended to be deployed in live cyberattacks.

Although Windows has been the most targeted operating system for ransomware attacks, there’s nothing stopping developers from creating ransomware targeting Macs.

The fact that they are tested indicates that more advanced ciphers optimized for these CPU architectures may come in the future.

Therefore, all computer users, including Mac owners, should adopt good online safety habits, including keeping the operating system up to date, avoiding opening attachments and unknown executables and using strong, unique passwords on every site you visit.