MalwareHunterTeam cybersecurity researchers have discovered new LockBit ransomware specifically designed to attack Macs. This will be the first major ransomware campaign to target macOS.
Experts found a ZIP archive on VirusTotal that appears to contain most of the available new LockBit ransomware.
LockBit primarily uses encryptors designed to attack Windows, Linux, and VMware ESXi servers. However, the archive also contained previously unknown ransomware for macOS, ARM, FreeBSD, MIPS, and SPARC processors.
The archive contains a file named "locker_Apple_M1_64" which targets newer Macs running on the Apple Silicon processor. There are also encryptors for PowerPC processors that older Macs use.
Note that "locker_Apple_M1_64" was uploaded to VirusTotal back in December 2022, which indicates that these samples have been in use for some time.
The study showed that the encryptor contains a list of 65 extensions and filenames that are excluded from encryption, all of which are Windows file extensions and folders. Among them are ".exe", ".bat", ".dll", "autorun.inf" and others.
The good news is that this ransomware is most likely not ready to be deployed in real attacks on macOS devices. Cisco Talos researcher Azim Khodjibaev said the encryptors were intended for testing and were never intended to be used in real cyberattacks.
What's more, a spokesperson for LockBit (LockBitSupp) confirmed to the media that the Mac encryptor is "actively developed."
macOS cybersecurity expert Patrick Wardle also confirmed Cisco's theory that these builds are in development/testing, stating that the encryptor is far from complete as it lacks the necessary features to properly encrypt Macs.
Wardle added that the macOS encryptor is based on the Linux version and compiled for macOS with some basic configuration settings. In addition, when Wardle ran the macOS ransomware, it crashed due to a buffer overflow error in its code. Wardle's detailed technical analysis of the new ransomware for Mac can be found at Objective-See.