Date: 2023-04-19

The cybercriminals behind the LockBit ransomware operation have developed new tools that can encrypt files on devices running Apple’s macOS operating system.

LockBit: where does this ransomware come from?

The news was reported by MalwareHunterTeam last weekend, and it appears to be the first time such a ransomware team has created a macOS-based payload. Additional samples identified by vx-underground show that the macOS variant has been available since November 11, 2022 and has managed to escape detection by anti-malware engines until now.

LockBit is the name of both the ransomware and the team of cybercriminals behind it, a group with ties to Russia that has been active since late 2019 and released two major updates to the locker in 2021 and 2022. According to statistics released by Malwarebytes last week, LockBit emerged as the second most used ransomware in March 2023 after Cl0p, accounting for 93% of successful attacks.

An analysis of the new macOS version (“locker_Apple_M1_64”) shows that it is still under development, as the executable is signed with an invalid signature; this also means that Apple’s Gatekeeper protections prevent the ransomware from running, even if it is downloaded and launched on a device.

The payload, according to security researcher Patrick Wardle, contains files such as autorun.inf and ntuser.dat.log, which suggests that the ransomware sample was originally designed to attack Windows.

Wardle has stated that while the malware can run on Apple Silicon, that’s pretty much the only impact it can have, so macOS users have nothing to worry about, at least for now.

Wardle also pointed out additional safeguards implemented by Apple, such as System Integrity Protection (SIP) and Transparency, Consent and Control (TCC), which prevent the execution of unauthorized code and require apps to ask users for permission to access protected files and data.

“This means that without exploitation or explicit user approval, users’ files will remain protected,” Wardle pointed out. “However, an extra layer of detection/protection may be required.”

The results, despite the tools’ general problems, are a definite sign that cybercriminals are increasingly targeting macOS systems. A LockBit representative has confirmed to Bleeping Computer that the macOS encryptor is “actively under development,” indicating that the malware could pose a serious threat to the platform.

How to defend yourself against LockBit and ransomware in general?

In conclusion, the emergence of a ransomware like LockBit on macOS devices represents a challenge for the cybersecurity of the platform.

However, macOS users can still rely on the safeguards implemented by Apple to protect their data and files.

Despite this, the results of the analysis indicate that cybercriminals are becoming more sophisticated and targeted in their activity, so it is important that users adopt good cybersecurity practices and use reliable security solutions to protect their devices.

Also remember the golden rule: there is no ransomware “attack” as such, because in the vast majority of cases ransomware arrives through deceptive emails carrying equally deceptive files that infect your PC with all sorts of threats. And don’t believe you are safe just because you use a Mac: whether you use Windows, Linux or Mac, you must always be careful when you browse and download attachments from emails.