The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to specifically target macOS.
The new encryptors were discovered by cybersecurity researcher MalwareHunterTeam, who found a ZIP archive on VirusTotal containing what appears to be all of the available LockBit encryptors.
Historically, the LockBit operation has used encryptors built for attacks on Windows, Linux, and VMware ESXi servers. This archive [VirusTotal], however, also contained previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC.
Among them is one named ‘locker_Apple_M1_64’ [VirusTotal], which targets newer Macs running on Apple Silicon. The archive also contains lockers for PowerPC processors, which older Macs use.
Further research by cybersecurity researcher Florian Roth found an Apple M1 encryptor uploaded to VirusTotal in December 2022, indicating that these samples have been circulating for some time.
Probable test versions
BleepingComputer analyzed the strings in the LockBit encryptor for Apple M1 and found a number that are out of place in a macOS encryptor, indicating that the build was likely thrown together from shared code as a test.
For example, there are many references to VMware ESXi, which have no place in an Apple M1 encryptor, as VMware has said it will not support that CPU architecture.
_check_esxi esxi_ _Esxi _kill_esxi_1 _kill_esxi_2 _kill_esxi_3 _kill_processes _kill_processes_Esxi _killed_force_vm_id _listvms _esxcfg_scsidevs1 _esxcfg_scsidevs2 _esxcfg_scsidevs3 _esxi_disable _esxi_enable
Additionally, the encryptor contains a list of sixty-five file extensions and filenames that will be excluded from encryption, all of which are Windows file extensions and folders.
A small sample of the Windows files that the Apple M1 encryptor will not encrypt is listed below; all of them are irrelevant on a macOS device.
.exe .bat .dll msstyles gadget winmd ntldr ntuser.dat.log bootsect.bak autorun.inf thumbs.db iconcache.db
Almost all of the ESXi and Windows strings are also present in the MIPS and FreeBSD encryptors, indicating that they were built from a shared codebase.
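The string analysis described above is the same triage a practitioner would run on any new sample: pull the printable strings, flag the ones that do not belong on the target platform, and compare the flagged sets across builds to test the shared-codebase hypothesis. The script below is an added example, not BleepingComputer's tooling or anything from the LockBit archive. The two byte blobs are constructed stand-ins for binaries (the real samples are not reproduced here), and the ESXi and Windows marker lists are assumptions seeded from the strings quoted in this article.

```python
from __future__ import annotations
import re

# Constructed stand-in for an Apple M1 locker: a few Mach-O-looking bytes,
# ESXi helper symbols and Windows-only exclusion entries separated by NULs.
SAMPLE_M1 = (
    b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01__TEXT\x00__cstring\x00"
    b"_check_esxi\x00_kill_esxi_1\x00_esxcfg_scsidevs1\x00_listvms\x00"
    b".exe\x00.dll\x00ntldr\x00bootsect.bak\x00thumbs.db\x00autorun.inf\x00"
    b"/Users/\x00/Library/\x00\x01\x02\x03dyld_stub_binder\x00"
)

# Constructed stand-in for a FreeBSD locker built from the same code: same
# ESXi symbols, a slightly different Windows exclusion list.
SAMPLE_FREEBSD = (
    b"\x7fELF\x02\x01\x01\x09\x00\x00\x00"
    b"_check_esxi\x00_kill_esxi_1\x00_esxcfg_scsidevs1\x00_listvms\x00"
    b".exe\x00.dll\x00ntldr\x00bootsect.bak\x00iconcache.db\x00autorun.inf\x00"
    b"/usr/local/\x00"
)

# Assumed marker lists (not from the original page): substrings that point at
# ESXi-specific code, and exact filenames/extensions that only matter on Windows.
ESXI_MARKERS = ("esxi", "esxcfg", "listvms", "vm_id")
WINDOWS_ONLY = {
    ".exe", ".dll", ".bat", "msstyles", "gadget", "winmd", "ntldr",
    "ntuser.dat.log", "bootsect.bak", "autorun.inf", "thumbs.db", "iconcache.db",
}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data: bytes) -> dict:
    """Flag strings that are out of place in a macOS/BSD-native encryptor.

    A sample that carries both ESXi helper symbols and a Windows-only exclusion
    list was almost certainly compiled from a cross-platform codebase rather
    than written for the target OS.
    """
    strs = extract_strings(data)
    esxi_hits = [s for s in strs if any(m in s.lower() for m in ESXI_MARKERS)]
    win_hits = [s for s in strs if s.lower() in WINDOWS_ONLY]
    return {
        "total_strings": len(strs),
        "esxi": esxi_hits,
        "windows_exclusions": win_hits,
        "likely_shared_codebase": bool(esxi_hits) and bool(win_hits),
    }


def marker_overlap(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the out-of-place markers in two samples.

    Values near 1.0 mean the builds share the same stray ESXi/Windows strings,
    which is what you expect from one codebase compiled for several targets.
    """
    ta, tb = triage(a), triage(b)
    fa = set(ta["esxi"] + ta["windows_exclusions"])
    fb = set(tb["esxi"] + tb["windows_exclusions"])
    union = fa | fb
    return len(fa & fb) / len(union) if union else 0.0


if __name__ == "__main__":
    for name, blob in (("M1", SAMPLE_M1), ("FreeBSD", SAMPLE_FREEBSD)):
        result = triage(blob)
        print(name, result["likely_shared_codebase"], result["esxi"], result["windows_exclusions"])
    print("marker overlap M1/FreeBSD: %.2f" % marker_overlap(SAMPLE_M1, SAMPLE_FREEBSD))
```

On a real file, replace the constructed blobs with `open(path, "rb").read()`; the marker lists are the part worth tuning, since a high overlap score across architectures is only meaningful if the markers are things the target platform genuinely has no use for.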
The good news is that these encryptors are probably not ready to be deployed in real attacks against macOS devices.
Cisco Talos researcher Azim Khodjibaev told BleepingComputer that, based on their research, the encryptors were meant as a test and were never intended for use in live attacks.
Although Windows has been the most targeted operating system for ransomware attacks, there’s nothing stopping developers from creating ransomware targeting Macs.
The fact that LockBit is testing them suggests that more advanced encryptors optimized for these CPU architectures may follow.
Therefore, all computer users, including Mac owners, should adopt good online safety habits: keep the operating system up to date, avoid opening unexpected attachments and unknown executables, and use strong, unique passwords for every site.