Related Families: LockBit
Executive Summary
Industry researchers recently analyzed a LockBit variant built for macOS. Under default macOS protections the sample is presently ineffective at encrypting a user's files, but it is evidence that big-name ransomware groups have their sights set on expanding their repertoire to macOS devices.
Key Takeaways
- A LockBit variant targeting macOS was recently discovered.
- The code appears to be recycled from an earlier LockBit build for Windows and/or Linux and ported to macOS with minimal changes.
- At this time the sample is not a practical threat: it is not signed with a valid Apple Developer ID, so macOS refuses to launch it, and TCC would limit which user directories it could reach even if it did run.
What is the LockBit macOS Variant?
Security researcher Patrick Wardle recently published an analysis of a LockBit variant built for macOS. The first known public mention of it was a tweet by MalwareHunterTeam, who noted this is the first time LockBit has been observed targeting macOS and the first time a "big name" ransomware gang has targeted macOS systems.
The sample Wardle analyzed is a 64-bit arm64 Mach-O. It includes anti-debugging logic intended to terminate the process if a debugger is attached; Wardle bypassed this check to analyze the malware. He observed that the code appears to have been written originally for Windows and/or Linux and then ported to macOS: apart from an apple_config variable, it contains no macOS-specific references, and the remainder reads as Linux code.
Wardle recovered the ransomware's global configuration values and extracted the ransom note. When he triggered the ransomware manually against a specified directory, it encrypted the contents of that directory successfully and dropped the ransom note file. The note refers to LockBit 3.0 and carries a ransom message similar to those of previous LockBit versions.
Wardle noted the variant can run on Apple Silicon but is not an imminent threat. The binary is not signed with an Apple Developer ID, so macOS will not launch it by default: the operating system warns the user that the code's signature is invalid and refuses to open the file.
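As an added example (this is not PolySwarm's tooling and not code from Wardle's analysis), the following Python answers the first static-triage questions raised above for a suspected macOS sample: is it a thin 64-bit arm64 Mach-O, is an LC_CODE_SIGNATURE blob present, and does it embed the apple_config string. The Mach-O layout constants come from Apple's <mach-o/loader.h>; the sample bytes are constructed inline by build_sample() and are a stand-in, not the LockBit binary. Note the limit of this check: a signature blob being present says nothing about whether it is an ad-hoc or Developer ID signature, or whether it validates, so on a Mac follow up with `codesign -dv --verbose=4 <file>` and `spctl --assess --type execute <file>`.

```python
"""Static triage of a thin 64-bit Mach-O: architecture, load commands,
presence of a code-signature blob, and an embedded-string check.
Added example; not PolySwarm's tooling and not Wardle's analysis code.
Layout constants are taken from Apple's <mach-o/loader.h>."""
import struct

MH_MAGIC_64 = 0xFEEDFACF       # 64-bit Mach-O written in little-endian byte order
MH_CIGAM_64 = 0xCFFAEDFE       # 64-bit Mach-O written in big-endian byte order
MH_EXECUTE = 0x2               # filetype: main executable
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
HEADER_LEN_64 = 32             # sizeof(struct mach_header_64)

ARCH_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
# Strings worth flagging in a suspected LockBit port; only apple_config is from the source.
INTERESTING_STRINGS = [b"apple_config"]


def parse_macho(data: bytes) -> dict:
    """Walk the load commands of a thin 64-bit Mach-O and summarise what matters for triage."""
    if data[:4] == b"\xca\xfe\xba\xbe":   # FAT_MAGIC (universal binary wrapper)
        raise ValueError("fat/universal binary: extract one slice with 'lipo -thin' first")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        endian = "<"
    elif magic == MH_CIGAM_64:
        endian = ">"
    else:
        raise ValueError(f"not a 64-bit Mach-O (magic 0x{magic:08x})")
    cputype, _cpusubtype, filetype, ncmds, sizeofcmds, _flags, _reserved = struct.unpack_from(
        endian + "7I", data, 4)
    if HEADER_LEN_64 + sizeofcmds > len(data):
        raise ValueError("sizeofcmds runs past end of file")
    off = HEADER_LEN_64
    cmds = []
    has_sig = False
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(endian + "2I", data, off)
        if cmdsize < 8 or off + cmdsize > HEADER_LEN_64 + sizeofcmds:
            raise ValueError("malformed load command")
        cmds.append(cmd)
        if cmd == LC_CODE_SIGNATURE:
            # struct linkedit_data_command: cmd, cmdsize, dataoff, datasize
            dataoff, datasize = struct.unpack_from(endian + "2I", data, off + 8)
            has_sig = datasize > 0 and dataoff + datasize <= len(data)
        off += cmdsize
    return {
        "arch": ARCH_NAMES.get(cputype, f"0x{cputype:08x}"),
        "is_executable": filetype == MH_EXECUTE,
        "load_commands": cmds,
        "has_code_signature": has_sig,
        "strings_found": [s.decode() for s in INTERESTING_STRINGS if s in data],
    }


def build_sample(cputype=CPU_TYPE_ARM64, signed=True,
                 payload=b"\0\0apple_config\0\0") -> bytes:
    """Constructed stand-in for a sample: header, one __TEXT segment command, optionally an
    LC_CODE_SIGNATURE pointing at a stub blob, then payload bytes. Not a real executable."""
    seg = struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 72, b"__TEXT",
                      0, 0, 0, 0,   # vmaddr, vmsize, fileoff, filesize
                      7, 5,         # maxprot, initprot
                      0, 0)         # nsects, flags
    sig_blob = b"\xfa\xde\x0c\xc0" + b"\0" * 12   # CSMAGIC_EMBEDDED_SIGNATURE stub; content is meaningless
    cmds_len = len(seg) + (16 if signed else 0)
    cmds = seg
    if signed:
        dataoff = HEADER_LEN_64 + cmds_len + len(payload)
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, dataoff, len(sig_blob))
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 0, MH_EXECUTE,
                         2 if signed else 1, cmds_len, 0, 0)
    return header + cmds + payload + (sig_blob if signed else b"")


if __name__ == "__main__":
    for label, blob in (("arm64, signed", build_sample()),
                        ("x86_64, unsigned", build_sample(CPU_TYPE_X86_64, signed=False))):
        print(label, parse_macho(blob))
```

Run against a real file with `parse_macho(open(path, "rb").read())`; a fat binary is rejected on purpose so that the arm64 slice is examined separately from any x86_64 one.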
In 2023, PolySwarm analysts have seen an increase in malware developed for macOS and Linux, including macOS and Linux variants of existing malware families. macOS users often have a false sense of security because macOS has historically been targeted far less heavily than Windows.
Threat actors have been less inclined to target macOS because most enterprises rely more heavily on Windows and Linux systems. macOS also ships with multiple built-in security features, including XProtect, Apple's built-in signature-based anti-malware scanner, and Gatekeeper, which verifies the code signature of downloaded apps before allowing them to run so that users do not unknowingly install malware or otherwise suspicious programs.
macOS built-in protections, unless bypassed, can keep ransomware from rendering a system unusable. System files live on a read-only system volume, so ransomware cannot modify critical OS files or completely disable the machine. Transparency, Consent, and Control (TCC) protects specific user directories, such as Documents, Desktop, Downloads, browser profile folders, and cookies; without user interaction granting consent, or an exploit chain that bypasses TCC, ransomware cannot access them. Two caveats apply: a process can still encrypt any files the user has already granted it (or that are not TCC-protected), and it may only be a matter of time before a ransomware group produces a variant that bypasses these protections and successfully victimizes Mac users.
IOCs
PolySwarm has a sample of the LockBit macOS variant:
3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79
You can use the following CLI command to search for all LockBit samples in our portal:
$ polyswarm link list -f LockBit