In order to encrypt files on devices running Apple's macOS operating system, the actors behind the LockBit ransomware campaign have created new artifacts.
It appears that the development marks the first time a large-scale ransomware group has produced a macOS-based payload, as was noted over the weekend by the MalwareHunterTeam.
Additional samples found by vx-underground demonstrate that the macOS variant has been accessible since November 11, 2022, and has so far managed to avoid being discovered by anti-malware engines.
The threat actors behind LockBit, a well-known cybercrime gang with ties to Russia, released two significant modifications to the locker in 2021 and 2022. They have been active since late 2019.
LockBit overtook Cl0p as the second most popular ransomware in March 2023, according to figures made public by Malwarebytes last week, and it was responsible for 93 successful assaults.
The new macOS version ("locker_Apple_M1_64") is still under development and uses an incorrect signature to sign the executable, according to an analysis of the software. As a result, even if it is downloaded and launched on a device, Apple's Gatekeeper security measures will block it from being used.
Security researcher Patrick Wardle claims that the payload contains files like autorun.inf and ntuser.dat.log, indicating that the ransomware sample was initially intended to attack Windows.
"While yes it can indeed run on Apple Silicon, that is basically the extent of its impact," Wardle explained. "Thus macOS users have nothing to worry about ...for now!"
Wardle also drew attention to other security measures put in place by Apple, such as System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC), which stop the execution of unauthorised code and mandate that programmes ask users' permission before accessing protected files and data.
"This means that without an exploit or explicit user-approval users files will remain protected," Wardle explained. "Still an additional layer or detection/protection may be warranted."
According to SentinelOne researcher Phil Stokes, the macOS version of LockBit is also a "direct descendant" of the Linux variant and does not "implement any functionality for exfiltrating the data it locks, nor does it have any method of persistence." Stokes described the threat's current state of development.
In describing the threat's current state of development, SentinelOne researcher Phil Stokes noted that the macOS version of LockBit is also a "direct descendant" of the Linux variant and lacks "any functionality for exfiltrating the data it locks, nor does it have any method of persistence."
It is clear from the results that threat actors are progressively focusing their attention on macOS systems, despite the fact that the artefacts are generally buggy.
Since then, a LockBit spokesperson has verified to Bleeping Computer that the macOS encryptor is "actively being developed," indicating that the malware is likely to pose a severe threat to the platform.