Date: 2023-04-17

LockBit ransomware has started targeting Apple computers for the first time, despite previously being focused on Windows, Linux, and virtual host machines.

On Sunday, a group of security researchers known as the MalwareHunterTeam revealed in a series of tweets that they had found evidence of a LockBit ransomware build designed to compromise macOS devices.

“As much as I can tell, this is the first Apple’s Mac devices targeting build of LockBit ransomware sample seen,” MalwareHunterTeam said in a tweet. “Also is this a first for the “big name” gangs?”

The tweet suggests that the LockBit ransomware created for Apple Silicon Macs came with the build name “locker_Apple_M1_64.”

Security analysts believe LockBit is a Russia-based hacking and ransomware group, as most of its members are Russian-speaking. However, the group’s leader has said he operates out of the US or China.

The group is best known for LockBit ransomware, which is malicious software designed to block user access to computer systems in exchange for a ransom payment.

“I think this is the first time one of the major ransomware players has taken aim at Apple’s OS,” security analyst Brett Callow told Engadget in a statement.

LockBit Ransomware for Mac Dates Back to November 2022

After doing some digging, the infosec Twitter account vx-underground revealed that the LockBit ransomware for Mac has shown up in one place with an appearance date of November 2022.

In a subsequent tweet, MalwareHunterTeam said they haven’t found any mentions of the malware online, suggesting that it may have gone under the radar until now if it has been around since last fall.

“Not a single person I can find tweeted LockBit has a Mac targeting version before I did above yesterday, nor can find any blog posts mentioning it, etc,” MalwareHunterTeam said.

“So even if the gang had the first build in 2022 November, for public, this is not late at all, but even yet, seems the first.”

Notably, the public-facing representative of LockBit, known as LockBitSupp, reportedly told BleepingComputer that the Mac encryptor is “actively being developed.”

Mac Encryptors Are in Test Mode: Security Experts

Some security experts have noted that the LockBit ransomware for Mac is currently in development mode.

macOS cybersecurity expert Patrick Wardle told BleepingComputer that the Mac encryptors are currently under test: they are far from complete and are missing the functionality required to encrypt Macs properly.

Wardle added that he believes the macOS encryptor is based on the Linux version and compiled for macOS with some basic configuration settings.

Furthermore, Wardle noted that when the macOS encryptor is launched, it crashes due to a buffer overflow bug in its code.

“It seems that macOS is now on their radar … but other than compiling it for macOS, and adding a basic config (which are just basic flags …not specific to macOS per se) this is far from ready for deployment.”

Wardle further shared that the LockBit developer must first “figure out how to bypass TCC, get notarized” before the sample can become a functional encryptor.

Worth stressing, as LockBit macOS sample though *compiled* for macOS really isn't (yet) designed for macOS.

1. Unsigned (won't easily run on macOS)

2. Doesn't appear to take into account TCC/SIP, so won't be able to encrypt much of anything

So (in current form) macOS impact: ~0 https://t.co/zYVNhfYLRo

— Patrick Wardle (@patrickwardle) April 16, 2023

Historically, the LockBit gang has focused on Windows, Linux, and virtual host machines because those operating systems are largely used by its target businesses.

