The Lockbit ransomware gang has been spotted creating encryptors for macOS for the first time. Generally, the group uses encryptors for Windows, Linux and VMware ESXi servers. However, a ZIP archive discovered on VirusTotal by the MalwareHunterTeam that appears to contain most of the available Lockbit encryptors also included previously unknown macOS, ARM, FreeBSD, MIPS and SPARC CPU encryptors.
The encryptors also included one for Apple silicon named ‘locker_Apple_M1_64’. Even older Macs weren’t spared, with the archive having encryptors for PowerPC CPUs used by older Apple devices. There’s no information on how long Lockbit has been working on these samples. However, further research from security researcher Florida Roth found instances of an M1 encryptor uploaded in December 2022, suggesting that Lockbit has been working on these encryptors for some time.
That said, the samples are likely to be test builds and don’t seem to be very threatening at the moment. According to BleepingComputer, the strings included in the Apple M1 encryptor are out of place for a macOS encryptors, indicating that they were quickly put together for a test build. This might indicate that these are supposed to be test builds and aren’t meant for real-world deployment just yet.
Some evidence supporting this theory is the presence of VMware ESXi references, despite VMware announcing that it would not be supporting Apple’s M1 architecture. Additionally, the encryptor includes 65 file extensions and names that are to be excluded from encryption — all of these are Windows file extensions and folders. These strings are also present in the MIPs and FreeBSD encryptors suggesting a shared codebase.
This was then confirmed by Cisco Talos researcher Azim Khodjibaev and macOS cybersecurity expert Patrick Wardle, with both experts saying that the samples are simply test builds and aren’t meant for real-world deployment. Additionally, Wardle also confirmed that when the encryptor is launched on macOS, it crashes due to a buffer overflow bug in its code.
However, Lockbit is one of the most dangerous ransomware groups in the world and is often at the forefront of ransomware development, so it wouldn’t be surprising to see better quality, more robust samples from them in the future. Additionally, a public-facing representative of the group confirmed that the macOS encryptor is actively under development.