Over the past year, several major ransomware operations, including ESXiArgs, Royal, Black Basta, Hive, RedAlert, and GwisinLocker, have expanded beyond Windows to Linux and VMware ESXi hosts. LockBit now appears to be extending the same approach further: researchers have observed the first LockBit encryptor samples built for macOS, in addition to its Windows and Linux builds.
What has been observed?
The researchers behind MalwareHunterTeam have observed samples of a LockBit encryptor built for macOS, calling LockBit the first major ransomware operation to target the platform.
One sample, named locker_Apple_M1_64, targets macOS machines running on Apple Silicon (M1) processors.
The sample appears to have been built in December 2022, which is when it was uploaded to VirusTotal inside a ZIP archive alongside several other LockBit variants.
Besides the macOS build, the archive contained previously unseen LockBit encryptors for FreeBSD and for the ARM, MIPS, and SPARC architectures.
Possibly a test build
Several clues in the sample indicate that the Apple M1 encryptor is an unfinished test build rather than a payload prepared for use in the wild.
Several strings in the code refer to VMware ESXi, which does not run on Apple M1 hardware, suggesting the source was reused from the ESXi variant.
The list of file names and extensions to be excluded from encryption has 65 entries, all of them Windows artefacts such as .msstyles and .exe. These are meaningless on macOS and indicate that the list was copied unchanged from the Windows variant.
The macOS encryptor also has a buffer-overflow bug and crashes as soon as it is launched, so in its current form it cannot encrypt anything.
Taken together, these factors suggest the developer assembled the macOS variant from the code of other variants purely for testing.
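The clues above (an arm64 Mach-O that still carries ESXi references and a Windows-only exclusion list) are the kind of thing an analyst can check in seconds during first-pass triage, before touching a disassembler. The script below is an added illustration written for this page, not LockBit's code nor the researchers' tooling: it reads the Mach-O header to confirm the target CPU, pulls printable strings, and flags Windows-only extensions and ESXi markers. The indicator lists and the embedded sample bytes are constructed assumptions for demonstration, not the literal strings from the LockBit sample.

```python
import re
import struct
from typing import Dict, List

# Mach-O constants from <mach-o/loader.h> and <mach/machine.h>.
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O, same endianness as the reader
MH_CIGAM_64 = 0xCFFAEDFE   # 64-bit Mach-O, byte-swapped
FAT_MAGIC = 0xCAFEBABE     # universal (fat) binary wrapper
FAT_CIGAM = 0xBEBAFECA
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C  # Apple Silicon (M1 and later)
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}

# Assumed indicator lists (illustrative, not taken from the sample): extensions that
# only make sense on Windows, and strings one expects from ESXi-targeting code.
WINDOWS_ONLY_EXT = {".exe", ".dll", ".sys", ".msstyles", ".lnk", ".ico"}
ESXI_MARKERS = ("esxcli", "vmfs", "vim-cmd", "esxi")


def mach_o_cpu(blob: bytes) -> str:
    """Return the CPU type named in a thin 64-bit Mach-O header, 'fat' for a
    universal binary, or 'unknown' if the magic does not match."""
    if len(blob) < 8:
        return "unknown"
    (magic,) = struct.unpack("<I", blob[:4])
    if magic == MH_MAGIC_64:
        (cputype,) = struct.unpack("<I", blob[4:8])
    elif magic == MH_CIGAM_64:
        (cputype,) = struct.unpack(">I", blob[4:8])
    elif magic in (FAT_MAGIC, FAT_CIGAM):
        return "fat"
    else:
        return "unknown"
    return CPU_NAMES.get(cputype, f"cputype-0x{cputype:08x}")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings -n <min_len>` restricted to printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def triage(blob: bytes) -> Dict[str, object]:
    """Flag a Mach-O that looks like Windows/ESXi code recompiled for macOS."""
    strings = extract_strings(blob)
    win_ext = sorted({s.lower() for s in strings if s.lower() in WINDOWS_ONLY_EXT})
    esxi = sorted({s for s in strings if any(m in s.lower() for m in ESXI_MARKERS)})
    cpu = mach_o_cpu(blob)
    ported = cpu != "unknown" and bool(win_ext or esxi)
    return {
        "cpu": cpu,
        "windows_extensions": win_ext,
        "esxi_strings": esxi,
        "looks_like_ported_windows_esxi_code": ported,
    }


def build_sample() -> bytes:
    """Constructed stand-in for a sample: a minimal arm64 Mach-O header followed by
    a string table mixing Windows-only extensions and ESXi paths with benign entries."""
    header = struct.pack("<IIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2)
    strtab = b"\x00.exe\x00.msstyles\x00esxcli\x00/vmfs/volumes\x00.txt\x00README.txt\x00"
    return header + strtab


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

On a real file, replace `build_sample()` with `open(path, "rb").read()`; a universal binary reports `fat` and needs its slices split (for example with `lipo -thin arm64`) before the per-architecture header is inspected. A positive result from this heuristic is a prompt to look closer, not proof of a test build, but an ESXi string table inside an Apple Silicon executable is exactly the mismatch the researchers used to reach that conclusion.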
Ending notes
Security researchers and several agencies that analyzed the sample have concluded that this specific encryptor is not a threat to macOS users. LockBit, however, is one of the most sophisticated ransomware operations and is known for unconventional tactics, so a macOS build, even a broken one, signals intent that cannot be taken lightly. macOS users and administrators should keep offline, regularly tested backups, use strong unique passwords with multi-factor authentication, keep macOS and its built-in protections (Gatekeeper, System Integrity Protection) enabled and up to date, and treat unexpected unsigned binaries on endpoints as something to investigate.