After wreaking havoc with Windows and Linux systems, the LockBit ransomware gang now intends to target macOS devices. However, researchers believe the malware may not be as successful on Mac due to Mac’s innate security.
LockBit Ransomware To Target macOS Systems
In a recent tweet, the MalwareHunterTeam disclosed encountering a new LockBit ransomware variant. Identified as “locker_Apple_M1_64” by the researchers, the new malware seems the first such attempt to target Mac specifically.
LockBit is a potent ransomware available as RaaS, initially targeting Windows, and later, Linux systems. During the past years, LockBit has executed numerous terrifying cyberattacks aimed at big services, like UK’s suburban train systems, the Swiss helicopter maker firm, and more. It then gradually improvised as LockBit 2.0, conducting even more severe attacks such as the Italian energy firm.
Later on, another ransomware variant, LockBit 3.0, also surfaced online, exhibiting more malicious capabilities. And the threat actors appeared more motivated to improve the malware as they announced a bug bounty program.
And now, it seems perfectly timed for the threat actors to take the lead in the RaaS world by announcing a dedicated Apple ransomware.
Following MalwareHnterTeam’s disclosure, vxunderground also confirmed having the malware samples.
Lockbit ransomware group has created their first MacOS-based payload. We believe this is the first time a large ransomware threat group has developed a payload for Apple products.
We have samples.
— vx-underground (@vxunderground) April 16, 2023
While the ransomware initially escaped the radar of almost antivirus solutions, following this disclosure, VirusTotal now shows that many robust services have started flagging the malware samples.
Can LockBit Really Harm Macs?
Though LockBit successfully stirred up the cybersecurity realm by confirming its initiatives for targeting macOS. But can it hurt Mac devices as severely as Windows and Linux?
The researcher Patrick Wardle believes otherwise. As elaborated in his blog post, although the malware can reach Apple Macs, but it cannot successfully infect them – at least, for now. That’s because of macOS’s inherent security design that most malware find difficult to bypass.
In the case of the LockBit “locker_Apple_M1_64” variant, its first weakness lies in code signing. Wardle highlighted that the malware is signed as “ad-hoc,” and macOS doesn’t allow running such apps on the systems.
Besides, the researcher also deeply analyzed the malware and found nothing specific in it which could enable the ransomware to run on Macs. So, at present, this variant looks like nothing serious for Mac users.
Specifically, Apple has implemented SIP (and now read-only system volumes) to protect OS-level files. This means even if ransomware finds its way onto a macOS system it won’t (easily) be able to mess with core OS files. Apple has also added (TCC) protections to user files founds in (now) protected directories such as ~/Desktop, ~/Documents, etc. etc. This means, that without an exploit or explicit user-approval users files will remain protected.
Nonetheless, it doesn’t mean that Apple devices will remain immune to ransomware for eternity. Also, there have been several instances where Mac devices endured malware attacks. Wardle also pointed out that such a step from a large ransomware group shouldn’t appear trivial to the security community.
Therefore, it remains crucial for Apple, security professionals, and users to remain vigilant about protecting their Macs from such threats.