LockBit Ransomware Group Targets macOS for the First Time - A Significant Shift in Their Strategy

Late on April 15th, 2023, MalwareHunterTeam, a cybersecurity research group, discovered a new variant of the LockBit ransomware that targets macOS. Initially, VirusTotal could not detect the ransomware binary named locker_Apple_M1_64. However, within a short time, several anti-virus engines started identifying the file as malicious.

LockBit ransomware is known for its unrelenting attacks on businesses, stealing their data and demanding ransom payments. It uses sophisticated techniques to penetrate networks and encrypt files, making them inaccessible until the ransom is paid. In the past, LockBit used encryptors designed for attacks on Windows, Linux, and VMware ESXi servers. However, now, for the first time, the LockBit ransomware group has developed a payload for Apple products. This development marks a significant shift in their strategy.

Further analysis of the code signing information using macOS's codesign and spctl utilities revealed that the binary is ad-hoc and linker-signed. The malware sample is a 64-bit arm64 Mach-O that can run on Apple Silicon. However, its impact appears to be limited to Apple Silicon, and for now, macOS users have nothing to worry about.
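For defenders who want to repeat the signing check described above on a suspicious file, here is an added example (not from the original article or the cited researchers) that parses `codesign -dvv` output and reports the ad-hoc, linker-signed and arm64 traits. The sample output is constructed, and its path, identifier and sizes are placeholders.

```python
import re
import subprocess

# Constructed sample in the layout `codesign -dvv` prints for an ad-hoc,
# linker-signed arm64 binary. Path, identifier and sizes are placeholders.
SAMPLE = """\
Executable=/tmp/sample_binary
Identifier=sample_binary
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x20002(adhoc,linker-signed) hashes=35+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
"""

def parse_codesign(text):
    """Turn `codesign -dvv` output into a dict of fields plus a set of flags."""
    info = {"flags": set()}
    for line in text.splitlines():
        if line.startswith("CodeDirectory"):
            # The flag names sit in parentheses after the hex value.
            m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", line)
            if m:
                info["flags"] = set(m.group(1).split(","))
        elif "=" in line:
            key, value = line.split("=", 1)
            info[key] = value
    return info

def triage(info):
    """Return the signing traits worth a closer look during malware triage."""
    findings = []
    if "adhoc" in info["flags"] or info.get("Signature") == "adhoc":
        findings.append("ad-hoc signature: no certificate identifies the signer")
    if "linker-signed" in info["flags"]:
        findings.append("linker-signed: signature added automatically at link time")
    if info.get("TeamIdentifier") in (None, "not set"):
        findings.append("no TeamIdentifier")
    if "arm64" in info.get("Format", ""):
        findings.append("arm64 Mach-O (Apple Silicon)")
    return findings

def inspect(path):
    # On macOS, codesign writes the -d display output to stderr.
    out = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return triage(parse_codesign(out.stderr))

if __name__ == "__main__":
    print("\n".join(triage(parse_codesign(SAMPLE))))
```

An ad-hoc signature alone is not proof of malice, since the linker applies one to every locally built arm64 binary; treat it as a trait to weigh with the file's origin.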

The cybersecurity industry must continue to monitor and analyze this new threat to provide protection and security to users of Apple products. Businesses should take necessary precautions to protect their systems and data from such attacks.

According to cybersecurity researcher Florian Roth, an Apple M1 encryptor was uploaded to VirusTotal in December 2022, indicating that these samples have been floating around for some time. BleepingComputer analyzed the strings in the LockBit encryptor for Apple M1 and found several that are out of place in a macOS binary. These strings indicate that the encryptors were likely haphazardly thrown together in a test.

[Image: An invalid signature means macOS will block it. Source: Objective-See]

The encryptor contains a list of sixty-five file extensions and filenames that will be excluded from encryption. All of them are Windows file extensions and folders. The good news is that these encryptors are likely not ready for deployment in actual attacks against macOS devices.

[Image: RansomWhere? ...doing its thing! Source: Objective-See]

Cisco Talos researcher Azim Khodjibaev said that the encryptors were meant as a test and were never intended for deployment in live cyberattacks. macOS cybersecurity expert Patrick Wardle also confirmed that the encryptor is far from complete, as it is missing the required functionality to encrypt Macs properly.

In conclusion, while this development may not pose a direct threat to macOS users, it marks a significant shift in the LockBit ransomware group's strategy. The cybersecurity industry must continue to monitor and analyze this new threat to provide protection and security to users of Apple products.
