LockBit ransomware is now targeting Macs for the first time

Posted in macOS, edited April 2023
The LockBit ransomware group has seemingly started to target macOS, following the discovery of the first malware build intended to infect Macs.




LockBit is a ransomware gang that has existed for a number of years, using malware to attack high-profile institutions such as the UK's Royal Mail and a Canadian hospital. Thought to be based in Russia, the organization has repeatedly used its malware to attack Windows and other platforms, but now it's going after macOS users.

Found by MalwareHunterTeam on Sunday, a build of a LockBit ransomware sample appears to be intended for Apple Silicon Macs. Described as "locker_Apple_M1_64," referencing the first wave of Apple's Mac chips, the build is believed to be the first LockBit ransomware sample in the wild aimed at modern Macs.

It is also thought to be the first time a major ransomware group took interest in creating a payload that attacks Apple hardware.

Unexpectedly, the M1_64 variant isn't the only non-Intel, Apple-specific build to surface. The same archive also contained ransomware builds made for PowerPC Macs.

While the existence of ransomware isn't necessarily a massive cause for alarm, especially on its first appearance, the operations of LockBit as a group make it a more serious situation.

As well as using it for their own needs, the group also provides access to its ransomware to other criminals willing to pay. With the prospect of others potentially using it, it stands to reason that there could be a lot of ransomware attacks against Macs in the near future.


Comments

  • Reply 1 of 13
    Interesting, but I think you'll find it was discovered by the 'MalwareHunterTeam', not Hunder.


  • Reply 2 of 13
    DAalseth Posts: 2,783 member
    Disturbing, but hey alternative Mac App Stores are on the way. What could possibly go wrong.

  • Reply 3 of 13
    ssh Posts: 15 member
    This article raises a number of unanswered questions:
    1. What are the mechanics of the malware? What does it attempt to do in exchange for a ransom?
    2. Does it have mechanisms for avoiding controls like GateKeeper, xProtect, and the MIR? What are they?
    3. What is there about the M1 in particular that the malware attacks?
    I suspect most of the answers to these and similar questions will show this malware to be of little threat. That said, it's possible there are vulnerabilities which need to be addressed, and if they are in the M1 itself, this may be difficult to do. Without details, it's difficult to assess.

    This seems to be a common theme in these kinds of reports, though. What's the practical impact of this discovery?

  • Reply 4 of 13
    DAalseth said:
    Disturbing, but hey alternative Mac App Stores are on the way. What could possibly go wrong.

    You can already buy and install Mac software from third party sites.
  • Reply 5 of 13
    neoncat Posts: 145 member
    DAalseth said:
    Disturbing, but hey alternative Mac App Stores are on the way. What could possibly go wrong.

    You can already buy and install Mac software from third party sites.
    That and both the iOS and Mac App Stores have been found to host malware. It's not common, but it's possible and will continue to happen.

    But hey, let's knee-jerk put our op sec in Apple's hands because reasons. No company, no one company, should be in charge of your security, because they will always act in their best interests, not yours. Including (and especially) Apple.
    edited April 2023
  • Reply 6 of 13
    lkrupp Posts: 10,557 member
    Well, as usual, the user would likely have to be tricked into downloading and installing the package. Or it could be included in a pirated version of some popular software. So let's face it, all this stuff still relies on the gullibility and greed of certain users. It’s not a self-replicating or self-installing virus of yesteryear that can take your system on its own.

    Be vigilant, don’t steal, use common sense. If it sounds too good to be true it likely is.
  • Reply 7 of 13
    DAalseth Posts: 2,783 member
    DAalseth said:
    Disturbing, but hey alternative Mac App Stores are on the way. What could possibly go wrong.

    You can already buy and install Mac software from third party sites.
    You are right. I was thinking about the AppStore. 
  • Reply 8 of 13
    avon b7 Posts: 7,624 member
    lkrupp said:
    Well, as usual, the user would likely have to be tricked into downloading and installing the package. Or it could be included in a pirated version of some popular software. So let's face it, all this stuff still relies on the gullibility and greed of certain users. It’s not a self-replicating or self-installing virus of yesteryear that can take your system on its own.

    Be vigilant, don’t steal, use common sense. If it sounds too good to be true it likely is.
    Also bad luck. A critical WebKit bug might be enough. You probably won't see it coming until it's too late.

    Ransomware takes some serious thwarting and there are lots of flavours.

    QNAP NAS systems have been under particular attack over the last few years. As have hospitals and critical infrastructure. 

    It's been about ten years since I was involved in worm signature detection but it was quite hard to balance a solution out without crippling the limited resources on typically underpowered routers. 

    I can imagine it's a real struggle to find good protection against ransomware but I do know that the ICT infrastructure providers are in on trying to tackle the problem. 

    Nowadays, our interconnected digital lifestyles often make us sitting ducks. Anything on the LAN could end up being swept up by ransomware once it's on your device. 

    Keeping backups offline is essential. 

    It's worse at work. A friend received a simple email a few years ago with a link that looked perfectly legitimate. It wasn't. It took his laptop down and before he knew what was happening, it was encrypting the work server. 

    He raised the alert and the IT dept managed to halt things. It was too late for the PC but backups resolved the problem in a day.

    Strangely I haven't run into many people who have been directly impacted by ransomware but it's at the back of my mind and even knowing I could get hit at any moment my backup strategy could be better. Yikes! 

  • Reply 9 of 13
    charlesn Posts: 820 member
    neoncat said:

    But hey, let's knee-jerk put our op sec in Apple's hands because reasons. No company, no one company, should be in charge of your security, because they will always act in their best interests, not yours. Including (and especially) Apple.
    Care to elaborate on why, "especially" Apple? I don't disagree about companies acting in their best interests, but Apple has done something unique and interesting. Instead of going the Google, Meta, etc., route where a company's best interests lie in mining and monetizing consumer data, often without their knowledge, Apple has pursued the protection of consumer privacy as being in its best interests. I don't pretend they've done this solely for the good of humankind--I think they see it as a powerful way to differentiate Apple in the marketplace at a time when consumer concerns about privacy have risen greatly. It's a sales tool that works to Apple's benefit. How can I trust Apple to follow through on its promises? Because getting caught compromising consumer privacy when you've based your company's reputation on protecting it would be very, very bad for Apple. So I don't trust them to do the right thing for me. I trust them to do the right thing for Apple and look out for their own best interests. 
  • Reply 10 of 13
    Before retirement, I spent 16 years working at a firm that had export controlled (by the US government) data on aviation components.  You would not pass a government audit without antivirus software (and more layers of protection than I care to recall).  A mac (or pc) that did not have a currently supported OS could not be on the corporate or local lan network, or in any way connected to the internet.  Visitors were restricted to a special, highly limited network connection (no ability to connect to any company/corporate servers, and limited to whitelisted sites).  Servers, minicomputers and mainframes were required to have static IP addresses, with whitelisted external connections and IP ports.  Authorized sites and port numbers for those sites was maintained by a special corporate group, with no local site access to make changes by other employees or contractors.  Any employee who attempted to circumvent security requirements was subject to immediate termination.  Any contractor who violated rules could be banned for life.  Large government and some commercial contracts could be terminated for violations.  Jail was an option in extreme cases.  I believe this factored into replacing several dozen macs with pcs at the local factory sites.  

    Before the 16 year stint at a government contractor, I spent another 16 years at a mid-sized automotive supplier.  Our auditors would have thrown a fit if we did not have at least antivirus software on every desktop/laptop machine (other than ASCII terminals and UNIX CAD/CAM workstations).  This was long before ransomware became common.  

    At home, I would not think of running anything other than a Chromebook without antivirus software that also protected against malware and ransomware.  I would not allow anyone who advised not to use antivirus software to work on anything other than the Chromebook.  I only consider the top 5 to 7 or so providers of antivirus software (ie, the ones that supply both mac and pc versions, and I go for the paid versions, not the free ones).  
    edited April 2023
  • Reply 11 of 13
    Lockbit coming to Macs is a logical conclusion of their strategy to monetise. The group is very successful.
    Historically the Mac community have been lulled into a sense of false security and safety so I think Lockbit and their affiliates will be very very successful targeting our community.

    A couple of things to bear in mind when it comes to highly organised and resource rich cyber crime groups:

    1) Any security control that you have the criminal groups have access to and can quality test their exploits, second stage loaders and persistence implants. I.e. AV etc are largely useless and you need tech that works on process / program behaviour. These can also be bypassed so it is an arms race.

    2) MacOS and iOS is increasingly targeted for exploit research which can be seen in the increasingly frequent emergency point releases due to exploits in the wild of critical and sometimes zero interaction bugs.

    3) Ransomware gangs partner with groups that sell access, be it insiders or a group that has gotten access to your infra or management consoles. This means they sometimes spend time to learn your organisation and backup strategies plus also exile and threaten to leak your data as a secondary way to extort you.

    4) There has never been a stronger argument to invest in security keys for iCloud than now.
  • Reply 12 of 13
    avon b7 Posts: 7,624 member
    I just did some digging on the latest ransomware protection practices and it's taking some serious effort to deal with modern attacks.

    Last line of defence is at the file system level and using AI to detect if unusual encryption is taking place and halt it. 

    The problem there is that I read a security research summary a few months ago about AI in security and the reality of people using AI against AI. 

    In all scenarios, though, air-gapping is still an essential part of any protective measures. Plus good backups. 
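Reply 12 mentions file-system-level detection of unusual encryption as a last line of defence. As an added illustration that is not part of the thread or any vendor's product, here is a minimal form of that check in Python: a write is suspicious when a previously low-entropy file is rewritten with near-uniform bytes, and a process that does this to several distinct files within a short window is flagged. The event tuples, thresholds and paths are constructed for the example.

```python
import math
from collections import defaultdict, deque

HIGH_ENTROPY = 7.5      # bits/byte; encrypted or compressed data sits near 8.0 (assumed threshold)
WINDOW_SECONDS = 10.0   # burst window per process (assumed)
BURST_LIMIT = 5         # distinct high-entropy rewrites in the window before alerting (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious_write(old: bytes, new: bytes) -> bool:
    """A rewrite is suspicious when a low-entropy file becomes high-entropy."""
    return shannon_entropy(old) < HIGH_ENTROPY <= shannon_entropy(new)


def detect_bursts(events):
    """events: iterable of (timestamp, pid, path, old_bytes, new_bytes), in time order.
    Returns the set of pids that rewrote >= BURST_LIMIT distinct files with
    high-entropy content inside WINDOW_SECONDS."""
    recent = defaultdict(deque)   # pid -> deque of (timestamp, path) for suspicious writes
    flagged = set()
    for ts, pid, path, old, new in events:
        if not is_suspicious_write(old, new):
            continue
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > WINDOW_SECONDS:   # drop writes older than the window
            q.popleft()
        if len({p for _, p in q}) >= BURST_LIMIT:
            flagged.add(pid)
    return flagged


# Constructed sample: pid 42 rewrites six documents with uniform bytes within 3 s,
# while pid 7 appends a line to an ordinary text file (the legitimate-editor case).
ENCRYPTED = bytes(range(256)) * 16                                   # entropy exactly 8.0
TEXT = b"Quarterly report: revenue up 3% on the prior period.\n" * 80   # low entropy
SAMPLE_EVENTS = [(0.5 * i, 42, f"/Users/alice/Documents/doc{i}.txt", TEXT, ENCRYPTED)
                 for i in range(6)]
SAMPLE_EVENTS.append((1.0, 7, "/Users/alice/notes.txt", TEXT, TEXT + b"new line\n"))

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_EVENTS))   # {42}
```

A real implementation would hook file events (on macOS, for example via Endpoint Security) and treat an alert as a reason to suspend the process and trigger a backup check, rather than only returning a pid.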