LockBit ransomware encryptors found targeting Mac devices

Researchers at MalwareHunterTeam uncovered a ZIP archive on VirusTotal that was found to contain encryptors for devices running macOS. 

What is LockBit ransomware?

LockBit is the name of ransomware targeting Mac operating systems (OSes). It is associated with the LockBit ransomware gang – the developers of LockBit, LockBit 2.0, LockBit 3.0, and various other variants. Those variants target Windows, Linux, and VMware ESXi servers.

The VirusTotal archive examined by researchers was also found to contain encryptors for CPUs used on older Mac devices, including some targeting PowerPC CPUs.

Previously, the LockBit campaign used encryptors designed for Windows, Linux, and VMware ESXi servers.

A small snippet of the Windows files the Apple M1 encryptor will not encrypt is listed below, all out of place on a macOS device.


macOS cybersecurity expert Patrick Wardle further confirmed this theory, stating that the encryptor is far from complete as it is missing the required functionality to encrypt Macs properly. Wardle believes the macOS encryptor is based on the Linux version and compiled for macOS with some basic configuration settings, and that when launched, it crashes due to a buffer overflow bug in its code.

LockBitSupp told Bleeping Computer on Sunday that the group’s Mac encryptor is “actively being developed.”

Whether its macOS tests are anything more than a half-baked experiment or an empty PR move remains unclear.

“In some sense, Apple is ahead of the threat, as recent versions of macOS ship with a myriad of built-in security mechanisms aimed to directly thwart, or at least reduce the impact of, ransomware attacks,” Wardle says.

