Over the last several years, LockBit has become one of the most powerful ransomware gangs. While it has focused on Windows, Linux, and virtual host machines, it looks like the group has developed its first ransomware for Macs.
Discovered by MalwareHunterTeam (via Brett Callow), what seems to be the first ransomware build designed for macOS has surfaced on the web. While it’s not fully clear, it may also be the first time a major ransomware gang is targeting Apple devices.
As a bit of background, LockBit is believed by security analysts to be a Russian-based group as most of the members are Russian-speaking. However, the leader has said he operates out of the US or China.
LockBit has grown as it runs a ransomware-as-a-service (RaaS) operation. That approach means the group lets others use their ransomware – for a price.
It looks like this LockBit ransomware was created for Apple Silicon Macs with the build name being “locker_Apple_M1_64.”
While infosec Twitter account vx-underground mentioned the appearance of this LockBit ransomware for Mac showing up in one place with a date of November 2022, MalwareHunterTeam says they haven’t found any mentions of it online and I found the same, so it appears it may have gone under the radar until now if it was around since last fall.
In any case, MalwareHunterTeam believes this is the first public alert about LockBit going after Apple devices. And with the gang’s RaaS approach, it’s possible we could see an incoming wave of ransomware attacks targeting Macs.
Curiously, while the M1 ransomware build may grab the most attention, a LockBit ransomware build is also showing up for PowerPC Macs.
“They are the most notorious ransomware group, because of sheer volume. And the reason for their success is that the leader is a good businessman,” says Jon DiMaggio, chief security strategist at Analyst1 who has studied LockBit’s operations extensively. “It’s not that he’s got this great leadership capability. They made a point-and-click ransomware that anyone could use, they update their software, they’re constantly looking for user feedback, they care about their user experience, they poach people from rival gangs. He runs it like a business, and because of that, it is very, very attractive to criminals.”
FTC: We use income earning auto affiliate links. More.