The LockBit ransomware gang has created encryptors focusing on Macs for the primary time, seemingly turning into the primary main ransomware operation to ever particularly goal macOS.

The brand new ransomware encryptors have been found by cybersecurity researcher MalwareHunterTeam who discovered a ZIP archive on VirusTotal that contained what seems to be all the obtainable LockBit encryptors.

Traditionally, the LockBit operation makes use of encryptors designed for assaults on Home windows, Linux, and VMware ESXi servers. Nevertheless, as proven beneath, this archive [VirusTotal] additionally contained beforehand unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs.

These encryptors additionally embrace one named ‘locker_Apple_M1_64’ [VirusTotal] that targets the newer Macs working on the M1 Processor. The archive additionally incorporates lockers for PowerPC CPUs, which older Macs use.

Additional analysis by cybersecurity researcher Florian Roth discovered an Apple M1 encryptor uploaded to VirusTotal in December 2022, indicating that these samples have been floating round for a while.

Doubtless take a look at builds

BleepingComputer analyzed the strings within the LockBit encryptor for Apple M1 and located strings which are misplaced in a macOS encryptor, indicating that these have been seemingly haphazardly thrown collectively in a take a look at.

For instance, there are quite a few references to VMware ESXi, which is misplaced in an Apple M1 encryptor, as VMare introduced they might not be supporting the CPU architecture.

_check_esxi
esxi_
_Esxi
_kill_esxi_1
_kill_esxi_2
_kill_esxi_3
_kill_processes
_kill_processes_Esxi
_killed_force_vm_id
_listvms
_esxcfg_scsidevs1
_esxcfg_scsidevs2
_esxcfg_scsidevs3
_esxi_disable
_esxi_enable

Moreover, the encryptor incorporates a listing of sixty-five file extensions and filenames that might be excluded from encryption, all of them being Home windows file extensions and folders.

A small snippet of the Home windows recordsdata the Apple M1 encryptor won’t encrypt is listed beneath, all misplaced on a macOS machine.

.exe
.bat
.dll
msstyles
gadget
winmd
ntldr
ntuser.dat.log
bootsect.bak
autorun.inf
thumbs.db
iconcache.db

Virtually all the ESXi and Home windows strings are additionally current within the MIPs and FreeBSD encryptors, indicating that they use a shared codebase.

The excellent news is that these encryptors are seemingly not prepared for deployment in precise assaults towards macOS units.

Cisco Talos researcher Azim Khodjibaev advised BleepingComputer that primarily based on their analysis, the encryptors have been meant as a take a look at and have been by no means meant for deployment in reside cyberattacks.

Whereas Home windows has been probably the most focused working system in ransomware assaults, nothing prevents builders from creating ransomware that targets Macs.

The truth that they’re being examined signifies that extra superior and optimized encryptors for these CPU architectures may come sooner or later.

Subsequently, all laptop customers, together with Mac homeowners, ought to apply good on-line security habits, together with preserving the working system up to date, avoiding opening unknown attachments and executables, and utilizing robust and distinctive passwords at each web site you go to.