LockBit is breaking new ground by specifically aiming its malware at Apple users. For now, however, it is only a warning shot, so Mac users need not panic just yet.

The notorious LockBit ransomware group has built a version of its malware for macOS, marking the first time a major ransomware group has entered Apple's territory.

LockBit, one of the most widespread ransomware-as-a-service (RaaS) operations in the world, is known for its involvement in well-publicized attacks, sophisticated malware, and some stellar PR.

The first evidence that the group has been experimenting with macOS surfaced on April 15 via the MalwareHunterTeam ransomware repository. "As far as I can tell, this is the first LockBit ransomware strain targeting Apple's Mac devices that has been spotted," the team tweeted. "Also, is this a first for the 'big name' gangs?"

Shortly afterward, the malware research site vx-underground added a twist to the story, tweeting, "It seems we are late to the game." The macOS version, it turns out, has been available since November 11, 2022.

Although ransomware for the Mac may sound alarming, a closer look at the binary shows that it is not quite ready for prime time.

"For now, the impact to the average Mac user in the enterprise is essentially zero," says Patrick Wardle, founder of the Objective-See Foundation, who dissected a sample in an analysis published on April 16.

But, he continues, "I believe this should be viewed as a sign of things to come. You have a sizable ransomware gang that is highly driven, well-funded, and saying: 'Hey, we're setting our sights on macOS.'" Will Mac users be ready when ransomware finally comes for them?

Lock Bit on Mac

The sample found on Saturday may be best described as Windows malware wearing macOS lipstick.

During unpacking, Wardle found several strings tied to Windows artefacts, including autorun.inf and ntuser.dat.log. The only element that betrayed its macOS aspirations was a variable named "apple_config."

"This is the only instance (I found) of any macOS specific references/customizations," Wardle's analysis states, adding, "(The rest of the malware's binary simply looks like Linux code, compiled for macOS)."

There were other signs that the developers had not finished the project. The code was "ad-hoc" signed, which can serve as a stand-in for, say, a fraudulent Apple Developer ID. For the time being, Wardle notes, "this means if downloaded to a macOS system (i.e. deployed by the attackers) macOS won't let it run." The ad-hoc signature may simply be a placeholder for future RaaS clients to replace.

Suffice it to say that LockBit has not yet broken through the Apple dam. That doesn't mean Mac users can relax, however.

Ransomware Is Headed for Macs

None of the well-known ransomware groups, such as Conti, Clop, Hive, and others, had previously created malware for Mac machines. One factor in particular may account for this.

"Take a look at who the traditional targets of significant ransomware attacks are," Wardle notes. "Hospitals, packing plants, and other more established businesses are the enterprises. Typically, they run on Windows."

Apple devices have, however, been making their way into business settings gradually. According to 2021 survey data from Jamf, companies prefer Apple's tablets, iPhones account for almost half of all smartphones used in workplaces, and the "average penetration" of macOS devices in the enterprise was approximately 23%, up from 17% two years earlier.

"The pandemic and the work from home really spurred that," says Wardle. "Mac computers are used by many individuals. Additionally, the younger generation is increasingly used to the Apple environment when they join the workforce."

Consequently, he continues, “hackers who are very opportunistic are realising that a lot of their potential victims are now transitioning, and thus they need to evolve their malicious creations.”

The question, then, may not be if but when ransomware gangs will attack macOS. That, in Wardle's opinion, is the genuine million-dollar question.

Are Apple Devices Prepared for Ransomware?

Fortunately for Mac users, Apple has proactively moved ahead of this ransomware D-Day. Wardle cites two fundamental defences that are already built into the operating system.

First, "system files are in read-only mode," he says. So even if ransomware gains root access to a machine, it cannot alter those crucial files to lock up or disable the system.

Second is TCC, which stands for Transparency, Consent, and Control.

The idea is as follows: "The operating system actually protects some directories, like the user's document directory, desktop, downloads, browser folders, and cookies," says Wardle. If ransomware does gain a foothold on the system, "it will run into TCC and it will not be able to access the files it wants to encrypt, without either another exploit or getting the user to explicitly approve the access," he adds.

That good news comes with a catch, though. Although Wardle acknowledges that Apple has done an excellent job building in these protections, he cautions that they have not yet been put to the test. Once attackers start probing, they may uncover holes; TCC, for instance, has been practically rife with bypasses from the beginning.
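As an added defender-side example (not from the article or from Wardle's analysis), the following Python script checks the two protections just described on a machine's behalf: it parses the output of Apple's `csrutil status` and `csrutil authenticated-root status` commands to confirm that System Integrity Protection and the sealed, read-only system volume are enabled, and it audits a TCC database for applications that have already been granted access to the protected folders ransomware would need. Because the real TCC.db can only be read by a process that itself holds Full Disk Access, the script builds a constructed in-memory SQLite stand-in with a simplified version of TCC's `access` table; the service identifiers, the `auth_value` meaning (2 = allowed) and the `client_type` meaning (1 = path-based client rather than a bundle ID) are assumptions modelled on macOS, and the sample command outputs and grant rows are constructed.

```python
"""Readiness check for the macOS protections discussed above: sealed system
volume / SIP, and TCC grants to protected user folders.

Added example, not code from the article. Runs offline on any OS because the
csrutil output and the TCC database rows below are constructed samples.
"""
import re
import sqlite3
from typing import Dict, List

# TCC service identifiers for the folders ransomware would want (assumed names,
# modelled on the kTCCServiceSystemPolicy* identifiers used by macOS).
PROTECTED_SERVICES = {
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceSystemPolicyDocumentsFolder": "Documents folder",
    "kTCCServiceSystemPolicyDesktopFolder": "Desktop folder",
    "kTCCServiceSystemPolicyDownloadsFolder": "Downloads folder",
}
AUTH_ALLOWED = 2        # assumed auth_value meaning: 2 = user approved the access
CLIENT_TYPE_PATH = 1    # assumed client_type meaning: 1 = client identified by path


def parse_csrutil(output: str) -> bool:
    """Return True when a csrutil status line reports 'enabled'.

    Works for both `csrutil status` and `csrutil authenticated-root status`,
    which print a '<name> status: enabled.' / 'disabled.' line.
    """
    match = re.search(r"status:\s*(enabled|disabled)", output, re.IGNORECASE)
    return match is not None and match.group(1).lower() == "enabled"


def build_sample_tcc_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db with a simplified `access` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "client_type INTEGER, auth_value INTEGER)"
    )
    rows = [  # constructed grant rows
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backup-agent", 0, AUTH_ALLOWED),
        ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/unknown-updater", CLIENT_TYPE_PATH, AUTH_ALLOWED),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.chat", 0, 0),          # denied
        ("kTCCServiceSystemPolicyDocumentsFolder", "com.example.editor", 0, AUTH_ALLOWED),
        ("kTCCServiceCamera", "com.example.chat", 0, AUTH_ALLOWED),             # not a folder grant
    ]
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def protected_folder_grants(conn: sqlite3.Connection) -> Dict[str, List[str]]:
    """Map each protected-folder service to the clients allowed to use it."""
    grants: Dict[str, List[str]] = {}
    cur = conn.execute(
        "SELECT service, client FROM access WHERE auth_value = ? ORDER BY client",
        (AUTH_ALLOWED,),
    )
    for service, client in cur:
        if service in PROTECTED_SERVICES:
            grants.setdefault(service, []).append(client)
    return grants


def path_based_grants(conn: sqlite3.Connection) -> List[str]:
    """Allowed clients identified by filesystem path rather than bundle ID.

    These deserve review: a path-based grant survives whatever binary is later
    placed at that path, so it is a convenient foothold for untrusted code.
    """
    cur = conn.execute(
        "SELECT DISTINCT client FROM access WHERE auth_value = ? AND client_type = ? "
        "ORDER BY client",
        (AUTH_ALLOWED, CLIENT_TYPE_PATH),
    )
    return [row[0] for row in cur]


def readiness_report(sip_output: str, root_output: str, conn: sqlite3.Connection) -> dict:
    """Combine the three checks into one report a fleet-management job could ship."""
    return {
        "sip_enabled": parse_csrutil(sip_output),
        "sealed_system_volume": parse_csrutil(root_output),
        "protected_folder_grants": protected_folder_grants(conn),
        "path_based_clients": path_based_grants(conn),
    }


if __name__ == "__main__":
    # Constructed sample outputs of the two csrutil commands.
    sip = "System Integrity Protection status: enabled."
    root = "Authenticated Root status: enabled."
    report = readiness_report(sip, root, build_sample_tcc_db())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real Mac the two strings would come from running `csrutil status` and `csrutil authenticated-root status`, and the connection would point at the per-user `~/Library/Application Support/com.apple.TCC/TCC.db` or the system-wide `/Library/Application Support/com.apple.TCC/TCC.db`, which only a process with Full Disk Access can open. The audit does not remove anything; its output is a list of grants for an administrator to confirm are expected, since each one is exactly the "explicit approval" that lets code past TCC.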

"It would be naive to think that the attackers aren't going to improve their techniques and create more effective ransomware," he concludes. "So, I believe it's fantastic that we're talking about it now."
