For the first time, a prominent ransomware group appears to be actively targeting macOS computers. Discovered last weekend by MalwareHunterTeam, the code sample suggests that the Russia-based LockBit gang is working on a version of its malware that would encrypt files on Mac devices.
Small businesses, large enterprises, and government institutions are frequently the target of ransomware attacks. Hackers often use phishing emails to send real-seeming messages to try to trick staff into downloading the ransomware payload. Once it’s in, the malware spreads around any computer systems, automatically encrypting user files and preventing the organization from operating until a ransom is paid—usually in crypto currencies like Bitcoin.
Over the past few years, ransomware attacks have disrupted fuel pipelines, schools, hospitals, cloud providers, and countless other businesses. LockBit has been responsible for hundreds of these attacks, and in the past six months has brought down the UK’s Royal Mail international shipping service and disrupted operations in a Canadian children’s hospital over the Christmas period.
Up until now, these ransomware attacks mostly targeted Windows, Linux, and other enterprise operating systems. While Apple computers are popular with consumers, they aren’t as commonly used in the kind of businesses and other deep-pocketed organizations that ransomware gangs typically go after.
MalwareHunterTeam, an independent group of security researchers, only discovered the Mac encryptors recently, but they have apparently been present on malware-tracking site VirusTotal since November last year. One encryptor targets Apple Macs with the newer M1 chips, while another targets those with Power PC CPUs, which were all developed before 2006. Presumably, there is a third encryptor somewhere that targets Intel-based Macs, although it doesn’t appear to be in the VirusTotal repository.
Fortunately, when BleepingComputer assessed the Apple M1 encryptor, it found a fairly half-baked bit of malware. There were lots of code fragments that they said “are out of place in a macOS encryptor.” It concluded that the encryptor was “likely haphazardly thrown together in a test.”
In a deep dive into the M1 encryptor, security researcher Patrick Wardle discovered much the same thing. He found that the code was incomplete, buggy, and missing the features necessary to actually encrypt files on a Mac. In fact, since it wasn’t signed with an Apple Developer ID, it wouldn’t even run in its present state. According to Wardle, “the average macOS user is unlikely to be impacted by this LockBit macOS sample” but that a “large ransomware gang has apparently set its sights on macOS, should give us pause for concern and also catalyze conversions about detecting and preventing this (and future) samples in the first place!”
Apple has also preemptively implemented a number of security features that mitigate the risks from ransomware attacks. According to Wardle, operating system-level files are protected by both System Integrity Protection and read-only system volumes. This makes it hard for ransomware to do much to disrupt how macOS works even if it does end up on your computer. Similarly, Apple protects directories such as the Desktop, Documents, and other folders, so the ransomware wouldn’t be able to encrypt them without user approval or an exploit. This doesn’t mean it’s impossible that ransomware could work on a Mac, but it certainly won’t be easy on those that are kept up-to-date with the latest security features.
Still, the fact that a large hacking group is seemingly targeting Macs is still a big deal—and it’s a reminder that whatever reputation Apple has for developing more secure devices is constantly being put to the test. When BleepingComputer contacted LockBitSupp, the public face of LockBit, the group confirmed that a Mac encryptor is “actively being developed.” While the ransomware won’t do much in its present state, you should always keep your Mac up-to-date—and be careful with any suspicious files you download from the internet.