What just happened? Ransomware and other malware targeting Macs aren't unheard of, but one of Apple's biggest selling points is that hackers don't penetrate their systems nearly as much as Windows. This may change, as a major ransomware group confirmed it's developing an encryptor specifically for Apple Silicon.
Security researcher MalwareHunterTeam recently discovered what appears to be a version of LockBit ransomware targeting Apple M1 systems. Evidence suggests it doesn't work yet and is still quite early, but the ransomware gang says it's in active development.
The listing describing the M1 appeared in an archive on VirusTotal containing various versions of LockBit. LockBit mostly targets Windows, Linux, and VMware ESXi servers, but the archive contained versions labeled for macOS, Arm, PowerPC, and other kinds of processors. The Apple version was first uploaded last December.
Bleeping Computer analysis suggests the Apple Silicon ransomware isn't ready for deployment, as it still contains code from the Windows and VMware versions. Mac security expert Patrick Wardle told the outlet the encryptor currently doesn't work at all on macOS.
"locker_Apple_M1_64": 3e4bbd21756ae30c24ff7d6942656be024139f8180b7bddd4e5c62a9dfbd8c79
– MalwareHunterTeam (@malwrhunterteam) April 15, 2023
As much as I can tell, this is the first Apple's Mac devices targeting build of LockBit ransomware sample seen...
Also is this a first for the "big name" gangs?
�"@patrickwardle
cc @cyb3rops pic.twitter.com/SMuN3Rmodl
Apple users are probably fine for now, but a LockBit spokesperson confirmed to Bleeping Computer that the group is actively developing the Mac-targeting ransomware. Ransomware primarily targets Windows and Linux because more enterprise systems use them, but Mac encryptors could still threaten individual users and small businesses. In any case, users of any computer system should maintain best practices, like keeping software updated, avoiding suspicious software, backing up files, and using strong passwords.
Last year, an analysis revealed LockBit's Windows ransomware was the fastest of the major encryptors, locking up 53GB of data in just over four minutes. Last June, a group using LockBit 2.0 attacked the Foxconn factory in Tijuana. In December, a LockBit affiliate hit a children's hospital in Canada, but the main group later apologized and released a free decryptor, saying the partner acted against its rules.
The rarity of Mac ransomware doesn't make Apple immune from hacker groups, however. In 2021, the REvil ransomware gang successfully attacked Apple supplier Quanta, stealing information on the Cupertino giant's products. When Quanta refused to pay the $50 million ransom, REvil turned to Apple, threatening to publish information about a then-upcoming MacBook Pro.
