LockBit has emerged as one of the most formidable ransomware gangs in recent years, with a primary focus on targeting Windows systems, as well as Linux and virtual host machines. However, recent reports suggest that the group has expanded its operations to include Macs, and has developed its first ransomware variant for this platform. This marks a significant development in the group’s capabilities, as they have previously only targeted non-Apple devices.
Ransomware Giant LockBit Expands to Target Macs
According to reports from MalwareHunterTeam, who were alerted by Brett Callow, the first known ransomware variant specifically designed for macOS has been identified. While the exact details are not yet clear, this appears to be a significant development, as it could potentially represent the first instance of a major ransomware gang targeting Apple devices.
By implementing robust security measures such as keeping software up-to-date, avoiding suspicious links and attachments, and regularly backing up important data, individuals and organizations can help mitigate the risks posed by ransomware and other forms of cybercrime.
The fact that LockBit’s leader claims to be operating out of the US or China while most of its members are Russian-speaking underscores the difficulties that cybersecurity experts face in identifying and responding to the activities of highly sophisticated criminal organizations. Such groups often employ advanced techniques to avoid detection and attribution, making it challenging for law enforcement and other security professionals to track their activities and bring them to justice.
Seems that #LockBit has decided to target #macOS. h/t @malwrhunterteam #ransomwarehttps://t.co/lKRza4ArxK pic.twitter.com/8G66XpojqE
— Brett Callow (@BrettCallow) April 16, 2023
LockBit’s success can be attributed, at least in part, to its adoption of a ransomware-as-a-service (RaaS) business model. By offering their ransomware to other cybercriminals for a fee, the group has been able to rapidly expand its operations and profit from the efforts of others.
The recent emergence of a LockBit ransomware variant specifically designed for Apple Silicon Macs, with the build name “locker_Apple_M1_64,” suggests that the group is continuing to evolve its tactics and broaden its target base, posing an increased threat to users of all types of devices.
Based on available information, there is some confusion around the timeline of the emergence of the LockBit ransomware variant for Apple Silicon Macs. While some sources, such as the vx-underground Twitter account, have indicated that the ransomware first appeared in November 2022, others, such as the MalwareHunterTeam, have been unable to find any mention of it online. This suggests that the ransomware may have flown under the radar until now, highlighting the challenges that cybersecurity professionals face in identifying and responding to emerging threats, particularly when sophisticated cybercriminals are involved.
Not a single person I can find tweeted LockBit has a Mac targeting version before I did above yesterday, nor can find any blog posts mentioning it, etc. So even if the gang had the first build in 2022 November, for public, this is not late at all, but even yet, seems the first… pic.twitter.com/4iR71cuLpo
— MalwareHunterTeam (@malwrhunterteam) April 16, 2023
MalwareHunterTeam’s recent findings regarding the emergence of LockBit ransomware targeting Apple devices may represent the first public alert of such activity by the group. Given LockBit’s ransomware-as-a-service (RaaS) business model, it is possible that this could be a harbinger of future ransomware attacks targeting Macs.
It’s worth noting that while the LockBit ransomware build specifically designed for Apple Silicon Macs has garnered significant attention, reports also indicate that the group has developed a variant of its ransomware that targets PowerPC Macs.
Anyway, the archive in which this sample was included shown bundled date as March 20.
— MalwareHunterTeam (@malwrhunterteam) April 16, 2023
And they even have PowerPC builds…
😂 pic.twitter.com/FRGZv8rtMA
As noted by Jon DiMaggio, chief security strategist at Analyst1, who has studied LockBit’s operations extensively, the group’s success can be attributed in part to its leader’s business acumen. The group has developed a user-friendly point-and-click ransomware tool that is easy for anyone to use, and they regularly update their software based on user feedback. Additionally, they have reportedly poached members from rival gangs and run their operation like a business, which has made it very attractive to other cybercriminals. All of these factors have contributed to LockBit’s notoriety and success as one of the most prolific ransomware groups operating today.