The LockBit ransomware group is focusing its attention on Mac users, with a new variant uncovered in the past week that targets macOS.
Upon further analysis of the macOS payload, macOS security researcher Patrick Wardle said the variant is buggy and is quickly stopped by Apple's built-in security protections, meaning it is currently not a threat to Mac users. Still, the fact that a prolific ransomware group like LockBit is focusing on Mac users is concerning, he said.
“When LockBit releases this, even if it’s a beta piece of software, I think it’s a harbinger of something coming,” said Wardle. “It would be naive to assume that LockBit is not continuing to iterate on this. Other ransomware groups will probably take notice, because it’s a no-brainer to go after Macs in the enterprise if you’re a ransomware group. It’s just an untapped target.”
Historically, ransomware attackers have favored the Windows platform because it has been more prevalent in the enterprise. From an attacker's perspective, Mac servers are not typically used by organizations for essential services, and creating wormable capabilities that many Windows-based malware families have is “exponentially more difficult on Macs,” said Philip Stokes, a threat researcher with SentinelOne who specializes in macOS threat intelligence.
“Consequently, the return on investment for a ransomware actor in deploying file locking malware on a Mac endpoint is likely to be substantially lower than similar attacks on Windows and Linux servers,” said Stokes in a Tuesday analysis.
For these reasons, only a small number of ransomware families have previously been written for macOS - such as EvilQuest, MacRansom, FileCoder and KeRanger - and none has been particularly successful.
“While some security vendors have incorrectly made much of it in the past, the reality is that there is no publicly recorded case of any business ever paying a ransom demand as a result of macOS ransomware,” said Stokes. “This is not surprising when you look at the history of attempts to build ransomware on macOS to date.”
Apple's built-in security mechanisms provide another roadblock for threat actors. These protections are not foolproof, but they weed out less sophisticated ransomware. Gatekeeper and notarization, for instance, apply to software distributed outside the Mac App Store: before a downloaded app first runs, macOS checks that it is signed with an Apple-issued Developer ID certificate and that the developer has submitted it to Apple's automated notarization scan and received a ticket. TCC (Transparency, Consent and Control) gates access to user data in protected locations such as the Desktop, Documents and Downloads folders and removable volumes; a process that tries to read or overwrite files there is refused unless the user has granted it that permission, typically through a consent prompt, so a file locker that starts encrypting those folders trips a visible dialog rather than running silently (files outside those protected locations are not covered). Finally, the core operating system files live on a read-only, cryptographically sealed system volume, so even ransomware that arrives through a remote exploit or bypasses notarization cannot easily modify the operating system itself.
“Attackers need to take these into account in order to create a successful efficient ransomware targeting macOS,” said Wardle. “It’s not impossible if you look at history as a guide, but it’s good that macOS at least has built in protections that work out of the gate and that can maybe thwart less complex ransomware.”
These protections appear to work against the LockBit macOS variant. The malware cannot bypass TCC, and running Apple's codesign utility against the sample shows an invalid signature rather than a valid Developer ID signature, so macOS will refuse to run it. Beyond that, the variant appears to be under active development: its binary looks like Linux code that has been compiled for macOS, and it contains various bugs, including buffer overflow flaws that cause it to crash on macOS.
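As an added illustration of the signature check described above (this is example code written for this page, not Apple's, LockBit's or any of the quoted researchers' code), the Python below does the first step of static triage on a 64-bit Mach-O: it walks the load commands, finds LC_CODE_SIGNATURE, and inspects the embedded signature SuperBlob to report whether the file is unsigned, ad-hoc signed (a CodeDirectory with no CMS blob, which is what a cross-compiled or arm64 auto-signed binary typically carries and which Gatekeeper does not accept for downloaded software), or carries a CMS signature blob that could hold a Developer ID certificate chain. Fat (universal) binaries are handled slice by slice. The sample binaries are constructed inline and are not real malware; the helper names (`triage`, `build_sample`, `build_fat`) are this example's own. It does not verify page hashes, the certificate chain or a notarization ticket, so `codesign -dv --verbose=4` and `spctl --assess --type execute` remain the authoritative check on a Mac.

```python
import struct

# Mach-O and code-signing constants from <mach-o/loader.h>, <mach-o/fat.h> and cs_blobs.h
MH_MAGIC_64, MH_CIGAM_64, FAT_MAGIC = 0xFEEDFACF, 0xCFFAEDFE, 0xCAFEBABE
LC_CODE_SIGNATURE = 0x1D
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_BLOBWRAPPER = 0xFADE0B01   # wraps the CMS signature that carries the Developer ID cert chain
CSSLOT_CODEDIRECTORY, CSSLOT_SIGNATURESLOT = 0, 0x10000


def classify_signature(data, dataoff, datasize):
    """Walk the embedded SuperBlob (always big-endian) and say what kind of signature it holds."""
    if datasize < 12 or dataoff + datasize > len(data):
        return "malformed"
    magic, length, count = struct.unpack_from(">3I", data, dataoff)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE or length > datasize or 12 + 8 * count > length:
        return "malformed"
    seen = set()
    for i in range(count):
        _slot, off = struct.unpack_from(">2I", data, dataoff + 12 + 8 * i)
        if off + 8 > length:               # index entry points outside the SuperBlob
            return "malformed"
        seen.add(struct.unpack_from(">I", data, dataoff + off)[0])
    if CSMAGIC_CODEDIRECTORY not in seen:  # every real signature has a CodeDirectory
        return "malformed"
    # No CMS wrapper blob means there is no certificate at all: an ad-hoc signature.
    return "cms" if CSMAGIC_BLOBWRAPPER in seen else "adhoc"


def triage_thin(data):
    """Parse one 64-bit Mach-O and report its architecture and signature kind."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        e = "<"
    elif magic == MH_CIGAM_64:
        e = ">"
    else:
        raise ValueError("not a 64-bit Mach-O (magic 0x%08x)" % magic)
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    _, cputype, _, _, ncmds, _, _, _ = struct.unpack_from(e + "8I", data, 0)
    info = {"arch": CPU_NAMES.get(cputype, "0x%x" % cputype), "signature": "none"}
    off = 32
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from(e + "2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):   # refuse to walk a lying cmdsize
            raise ValueError("bad cmdsize at 0x%x" % off)
        if cmd == LC_CODE_SIGNATURE:                    # linkedit_data_command: dataoff, datasize
            dataoff, datasize = struct.unpack_from(e + "2I", data, off + 8)
            info["signature"] = classify_signature(data, dataoff, datasize)
        off += cmdsize
    return info


def triage(data):
    """Return a list of per-slice results; fat headers and fat_arch entries are big-endian."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        results = []
        for i in range(nfat):
            _, _, offset, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            results.append(triage_thin(data[offset:offset + size]))
        return results
    return [triage_thin(data)]


def build_sample(sig_kind, cputype=0x01000007):
    """Constructed test input (not a real binary): minimal Mach-O with an optional signature blob."""
    blobs = b""
    if sig_kind != "none":
        entries = [(CSSLOT_CODEDIRECTORY, CSMAGIC_CODEDIRECTORY)]
        if sig_kind == "cms":
            entries.append((CSSLOT_SIGNATURESLOT, CSMAGIC_BLOBWRAPPER))
        index_len, index, body = 12 + 8 * len(entries), b"", b""
        for slot, bmagic in entries:
            index += struct.pack(">2I", slot, index_len + len(body))
            body += struct.pack(">2I", bmagic, 8)      # empty blob: magic + length only
        blobs = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, index_len + len(body), len(entries))
        blobs += index + body
    lc = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 32 + 16, len(blobs)) if blobs else b""
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, 1 if blobs else 0, len(lc), 0, 0)
    return header + lc + blobs


def build_fat(slices):
    """Constructed universal binary wrapping the given thin slices."""
    hdr, archs, body = struct.pack(">2I", FAT_MAGIC, len(slices)), b"", b""
    first = 8 + 20 * len(slices)
    for s in slices:
        cputype = struct.unpack_from("<I", s, 4)[0]
        archs += struct.pack(">5I", cputype, 3, first + len(body), len(s), 0)
        body += s
    return hdr + archs + body


if __name__ == "__main__":
    for kind in ("none", "adhoc", "cms"):
        print(kind, triage(build_sample(kind)))
    print("fat", triage(build_fat([build_sample("adhoc"), build_sample("none", 0x0100000C)])))
```

An "adhoc" result on a sample pulled from a download is the quick tell that no Developer ID was ever involved, which is the situation codesign reports for a binary that was never signed through Apple's pipeline; a "cms" result only means a certificate chain is present, not that it is valid or trusted, so hand the file to codesign and spctl before drawing any conclusion about whether Gatekeeper would admit it.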
“The big takeaway from the current LockBit samples is that they’re absolutely not ready for use,” said Thomas Reed, director of core technology at Malwarebytes. “They have very significant usability challenges, above and beyond the fact that they crash. They seem more like proofs of concept than actual release-quality malware. I don’t think that they offer any credible threats to Mac users in their current state.”
However, the focus on macOS by LockBit - which has built a prominent affiliate program for its ransomware-as-a-service platform over the past three years and whose payloads have been deployed by several different threat actors - is cause for concern.
Overall, demand for ransomware that targets macOS devices may be increasing as businesses increasingly adopt macOS devices. The market share of macOS devices used in enterprise settings grew to 23 percent in 2021, according to IDC, likely impacted by more employees working remotely and a new generation entering the workforce. Hackers are recognizing that there’s a decent percentage of potential macOS victims that they currently can’t target, and “they’re trying to change that equation to their favor,” said Wardle.
“Windows is still pretty prolific in the enterprise, especially these more traditional companies,” said Wardle. “I would imagine as you see companies running Windows-based systems finally getting a handle on the ransomware issue, coupled with improvements to later versions of Windows that probably have some built-in security mechanisms, it’s kind of like ‘we’ve wrung out the Windows victims, now let’s look to the Mac ones as they increase in popularity in the enterprise.’”