LockBit ransomware is now targeting Macs for the first time
The LockBit ransomware group has seemingly started to target macOS, following the discovery of the first malware build intended to infect Macs.

LockBit is a ransomware gang that has existed for a number of years, using malware to attack high-profile institutions such as the UK's Royal Mail and a Canadian hospital. Thought to be based in Russia, the organization has repeatedly used its malware to attack Windows and other platforms, but now it's going after macOS users.
Found by MalwareHunterTeam on Sunday, a build of a LockBit ransomware sample appears to be intended for Apple Silicon Macs. Described as "locker_Apple_M1_64," referencing the first wave of Apple's Mac chips, the build is believed to be the first LockBit ransomware sample in the wild aimed at modern Macs.
It is also thought to be the first time a major ransomware group took interest in creating a payload that attacks Apple hardware.
Unexpectedly, the M1_64 variant isn't the only non-Intel Apple-specific build to surface. In one archive, ransomware builds were found that were made for PowerPC Macs.
While the existence of ransomware isn't necessarily a massive cause for alarm, especially on its first appearance, the operations of LockBit as a group make it a more serious situation.
As well as using it for their own needs, the group also provides access to its ransomware to other criminals willing to pay. With the prospect of others potentially using it, it stands to reason that there could be a lot of ransomware attacks against Macs in the near future.
Read on AppleInsider
Comments
This seems to be a common theme in these kinds of reports, though. What's the practical impact of this discovery?
But hey, let's knee-jerk put our op sec in Apple's hands because reasons. No company, no one company, should be in charge of your security, because they will always act in their best interests, not yours. Including (and especially) Apple.
Be vigilant, don’t steal, use common sense. If it sounds too good to be true it likely is.
Ransomware takes some serious thwarting and there are lots of flavours.
QNAP NAS systems have been under particular attack over the last few years. As have hospitals and critical infrastructure.
It's been about ten years since I was involved in worm signature detection but it was quite hard to balance a solution out without crippling the limited resources on typically underpowered routers.
I can imagine it's a real struggle to find good protection against ransomware but I do know that the ICT infrastructure providers are in on trying to tackle the problem.
Nowadays, our interconnected digital lifestyles often make us sitting ducks. Anything on the LAN could end up being swept up by ransomware once it's on your device.
Keeping backups offline is essential.
It's worse at work. A friend received a simple email a few years ago with a link that looked perfectly legitimate. It wasn't. It took his laptop down and before he knew what was happening, it was encrypting the work server.
He raised the alert and the IT dept managed to halt things. It was too late for the PC but backups resolved the problem in a day.
Strangely I haven't run into many people who have been directly impacted by ransomware but it's at the back of my mind and even knowing I could get hit at any moment my backup strategy could be better. Yikes!
Before the 16 year stint at a government contractor, I spent another 16 years at a mid-sized automotive supplier. Our auditors would have thrown a fit if we did not have at least antivirus software on every desktop/laptop machine (other than ASCII terminals and UNIX CAD/CAM workstations). This was long before ransomware became common.
At home, I would not think of running anything other than a Chromebook without antivirus software that also protected against malware and ransomware. I would not allow anyone who advised not to use antivirus software to work on anything other than the Chromebook. I only consider the top 5 to 7 or so providers of antivirus software (i.e., the ones that supply both Mac and PC versions, and I go for the paid versions, not the free ones).
Historically the Mac community have been lulled into a sense of false security and safety so I think Lockbit and their affiliates will be very very successful targeting our community.
A couple of things to bear in mind when it comes to highly organised and resource rich cyber crime groups:
1) Any security control that you have the criminal groups have access to and can quality test their exploits, second stage loaders and persistence implants. I.e. AV etc are largely useless and you need tech that works on process / program behaviour. These can also be bypassed so it is an arms race.
2) macOS and iOS are increasingly targeted for exploit research, which can be seen in the increasingly frequent emergency point releases due to exploits in the wild of critical and sometimes zero-interaction bugs.
3) Ransomware gangs partner with groups that sell access, be it insiders or a group that has gotten access to your infra or management consoles. This means they sometimes spend time to learn your organisation and backup strategies, plus also exfil and threaten to leak your data as a secondary way to extort you.
4) There has never been a stronger argument to invest in security keys for iCloud than now.
Last line of defence is at the file system level and using AI to detect if unusual encryption is taking place and halt it.
The problem there is that I read a security research summary a few months ago about AI in security and the reality of people using AI against AI.
In all scenarios, though, air-gapping is still an essential part of any protective measures. Plus good backups.