LockBit Ransomware Samples For Apple Macs Hint At New Risks For MacOS Users (wired.com)
An anonymous reader writes: Security researchers are examining newly discovered Mac ransomware samples from the notorious gang LockBit, marking the first known example of a prominent ransomware group toying with macOS versions of its malware. Spotted by MalwareHunterTeam, the samples of ransomware encryptors seem to have first cropped up in the malware analysis repository VirusTotal in November and December 2022, but went unnoticed until yesterday. LockBit seems to have created both a version of the encryptor targeting newer Macs running Apple processors and older Macs that ran on Apple's PowerPC chips.
Researchers say the LockBit Mac ransomware appears to be more of a first foray than anything that's fully functional and ready to be used. But the tinkering could indicate future plans, especially given that more businesses and institutions have been incorporating Macs, which could make it more appealing for ransomware attackers to invest time and resources so they can target Apple computers. "It's unsurprising but concerning that a large and successful ransomware group has now set their sights on macOS," says longtime Mac security researcher and Objective-See Foundation founder Patrick Wardle. "It would be naive to assume that LockBit won't improve and iterate on this ransomware, potentially creating a more effective and destructive version."
For now, Wardle notes that LockBit's macOS encryptors seem to be in a very early phase and still have fundamental development issues like crashing on launch. And to create truly effective attack tools, LockBit will need to figure out how to circumvent macOS protections, including validity checks that Apple has added in recent years for running new software on Macs. "In some sense, Apple is ahead of the threat, as recent versions of macOS ship with a myriad of built-in security mechanisms aimed to directly thwart, or at least reduce the impact of, ransomware attacks," Wardle says. "However, well-funded ransomware groups will continue to evolve their malicious creations."
PowerPC? (Score:1)
Re: (Score:2)
The /. article notes that the malware targets both Apple Silicon, then also PowerPC. Is that right? Or did they mean Intel?
Nothing like going retro - the PowerMac G5 is only around 20 years old.
Clearly, they should go full on retro and write stuff for the Motorola 68000 series
(And maybe Intel isn't mentioned because they already have Intel versions - ransomware works by subverting whatever OS is in place, so whether it is MacOS, Windows or Linux matters less once the ransomware part is written)
Re: (Score:2)
That's what the original WIRED article mentions. I would guess they didn't mean PPC and rather Intel, as you suggested. The number of folks using old PPC Macs is so small at this point that it wouldn't be worth the investment in developing.
Re: (Score:2)
It only takes one mission-critical industrial system to get exploited for the bitcoin transaction to happen fast.
"Ha!" You think, "That doesn't exist!" is just plain wrong. The numbers of those machines are small, but that's the whole point, isn't it? Exploit where it hurts?
Re: (Score:2)
How many mission-critical systems were run on Mac? Much less ones made more than 16 years ago and running PowerPC chips?
Are you honestly arguing that this ransomware group decided to focus on machines made 1994 - 2006 and 2020 - today, but decided to completely ignore those from 2006 - 2020? They decided to ignore by far the most common Mac processor architecture out there, Intel. Or do you think it's more likely that the writer of the article just made a mistake and wrote "PowerPC" when they meant "Intel"?
Re: (Score:2)
When fishing, you choose the bait for the fish you wish to catch. Or you just throw out a huge net and hoover up everything that gets stuck in it.
Maybe the market for vulnerable Intel HW is just flooded or tapped out? Or sufficiently protected?
Re: PowerPC? (Score:2)
No they meant m68k
Re: (Score:1)
Intel? (Score:2)
"created both a version of the encryptor targeting newer Macs running Apple processors and older Macs that ran on Apple's PowerPC chips"
Did they forget to target Intel x86?
Linux's football got Lucy'd again (Score:1)
It's the Year of the Mac?
Re: (Score:2)
Is that like how Apple had the first smart phone? and the first mp3 player? perhaps the authors need to research a little better.
If you mean the average Slashdotter keeps falsely attributing stuff to Apple that they never said... then yes. Or at least it will be yes if you are able to identify another Mac-targeted ransomware group that existed sooner. Have you done that part of your homework yet?
Re: (Score:2)
Their use of the word "prominent" leaves them wiggle room. Prior examples were made by groups that weren't "prominent" enough; unless there are examples from the same group already.
Non Apple PowerPC build (Score:3)
In the Twitter thread, the image that lists the malware builds [twimg.com] shows Apple M1 and PowerPC among others, but the PowerPC one is an ELF binary, hence it does not target MacOSX, which uses Mach-O.
The economic rationale of investing in a MacOSX/PowerPC malware is not obvious today, but after all they even target FreeBSD. I wonder if they actually have a 0day stock to get the malware running on such exotic platforms.
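The ELF-versus-Mach-O distinction made above is something an analyst can check straight from a sample's first bytes, without running it. The following is an added example (it is not from the thread, the WIRED article, or any LockBit sample): a small Python identifier that reads the magic number, executable class and machine/CPU type from an ELF, Mach-O or fat Mach-O header and reports whether the file could be a native macOS executable at all. The header blobs at the top are constructed for the demonstration; the `mac_native` flag and the `nfat < 20` fat-header sanity check are this example's own conventions.

```python
import struct

# Constructed sample headers (NOT real malware): just enough bytes for the
# magic, class/endianness fields and machine/cputype field to be parsed.
ELF_PPC64_BE = (b"\x7fELF" + bytes([2, 2, 1, 0]) + b"\x00" * 8   # e_ident: 64-bit, big-endian
                + struct.pack(">HH", 2, 21))                       # e_type=ET_EXEC, e_machine=EM_PPC64
ELF_X86_64_LE = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # e_ident: 64-bit, little-endian
                 + struct.pack("<HH", 3, 62))                      # e_type=ET_DYN, e_machine=EM_X86_64
MACHO_ARM64 = (b"\xcf\xfa\xed\xfe"                                 # MH_MAGIC_64 stored little-endian
               + struct.pack("<II", 0x0100000C, 0))                # cputype=CPU_TYPE_ARM64, cpusubtype
FAT_ARM64_X86_64 = (b"\xca\xfe\xba\xbe" + struct.pack(">I", 2)     # FAT_MAGIC, nfat_arch=2 (big-endian)
                    + struct.pack(">II", 0x0100000C, 0) + b"\x00" * 12   # fat_arch: arm64
                    + struct.pack(">II", 0x01000007, 3) + b"\x00" * 12)  # fat_arch: x86_64
PE_STUB = b"MZ" + b"\x00" * 62                                     # a Windows PE/DOS stub, for contrast

# ELF e_machine values (subset) and Mach-O cputype values (subset).
ELF_MACHINES = {3: "i386", 20: "ppc", 21: "ppc64", 62: "x86_64", 183: "aarch64"}
MACHO_CPUTYPES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64",
                  18: "ppc", 0x01000012: "ppc64"}
# Thin Mach-O magics as they appear on disk -> (bits, endianness of the header fields).
MACHO_MAGICS = {b"\xfe\xed\xfa\xce": (32, "big"), b"\xfe\xed\xfa\xcf": (64, "big"),
                b"\xce\xfa\xed\xfe": (32, "little"), b"\xcf\xfa\xed\xfe": (64, "little")}


def identify(blob: bytes) -> dict:
    """Return format/arch details parsed from the first bytes of an executable."""
    magic = blob[:4]
    if magic == b"\x7fELF" and len(blob) >= 20:
        bits = 64 if blob[4] == 2 else 32                 # EI_CLASS
        endian = "big" if blob[5] == 2 else "little"      # EI_DATA
        (machine,) = struct.unpack_from(">H" if endian == "big" else "<H", blob, 18)
        return {"format": "ELF", "bits": bits, "endian": endian,
                "arch": ELF_MACHINES.get(machine, f"unknown({machine})"),
                "mac_native": False}                      # ELF is never loaded by the macOS kernel
    if magic in MACHO_MAGICS and len(blob) >= 8:
        bits, endian = MACHO_MAGICS[magic]
        (cputype,) = struct.unpack_from(">I" if endian == "big" else "<I", blob, 4)
        return {"format": "Mach-O", "bits": bits, "endian": endian,
                "arch": MACHO_CPUTYPES.get(cputype, f"unknown({cputype:#x})"),
                "mac_native": True}
    if magic == b"\xca\xfe\xba\xbe" and len(blob) >= 8:
        # Fat headers are always big-endian. 0xcafebabe is also the Java class-file
        # magic; a real fat header has a small nfat_arch, so reject large counts
        # (heuristic borrowed from how file(1) disambiguates the two).
        (nfat,) = struct.unpack_from(">I", blob, 4)
        if 0 < nfat < 20:
            archs = []
            for i in range(nfat):
                off = 8 + 20 * i                          # sizeof(struct fat_arch) == 20
                if off + 4 > len(blob):
                    break
                (cputype,) = struct.unpack_from(">I", blob, off)
                archs.append(MACHO_CPUTYPES.get(cputype, f"unknown({cputype:#x})"))
            return {"format": "Mach-O fat", "bits": None, "endian": "big",
                    "arch": "+".join(archs), "mac_native": True}
    return {"format": "unknown", "bits": None, "endian": None,
            "arch": "unknown", "mac_native": False}


if __name__ == "__main__":
    samples = {"ELF_PPC64_BE": ELF_PPC64_BE, "ELF_X86_64_LE": ELF_X86_64_LE,
               "MACHO_ARM64": MACHO_ARM64, "FAT_ARM64_X86_64": FAT_ARM64_X86_64,
               "PE_STUB": PE_STUB}
    for name, blob in samples.items():
        info = identify(blob)
        print(f"{name:18} {info['format']:10} {info['arch']:14} mac_native={info['mac_native']}")
```

On a real file the same information is what `file` prints on macOS or Linux; the value of a hand-rolled check is that it makes the triage rule explicit: a PowerPC build that parses as ELF can only be a Linux/BSD target, while only a Mach-O or fat Mach-O with an `arm64` or `x86_64` slice is even a candidate for running on a current Mac, before any question of signing, notarization or Gatekeeper comes up.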
Re: (Score:2)
In the Twitter thread, the image that lists the malware builds [twimg.com] shows Apple M1 and PowerPC among others, but the PowerPC one is an ELF binary, hence it does not target MacOSX, which uses Mach-O.
Oh no! The one MkLinux box left in the world that's still running is doomed! (No, seriously, I shut it down a decade ago. Sorry. Better luck next time.)
Ban Cryptocurrency, Starve Ransomware Overnight (Score:2)
It's just as simple as that.
Hmm... (Score:3)
To some extent, writing something that can encrypt files and compile it on Apple Silicon isn't really that impressive. It's not actually that hard to use the tools already on my mac to zip up my entire home directory and encrypt it in some way.
What *is* hard is getting it to run on my Mac at all. I'm not immune from the odd mistaken click or even approval of additional privileges, but that's always in the context of doing something that makes me expect to do so (eg. installing something). As such, unless this malware is a rider along with something legit looking that I want, I'm at a loss how it's going to get on my Mac. That is unless there's some sort of network based attack that circumvents the firewall, or one-click-and-you're-doomed type of zero-day, but that seems unlikely.
Since all the analysis I've read so far is "this is of no concern to Mac owners right now", I'm left wondering just what it is that's so amazing about this. If there is some means to "deliver" it to a large number of Macs, then I'd like to know what it is...
Re: (Score:2)
To some extent, writing something that can encrypt files and compile it on Apple Silicon isn't really that impressive. It's not actually that hard to use the tools already on my mac to zip up my entire home directory and encrypt it in some way.
What *is* hard is getting it to run on my Mac at all. I'm not immune from the odd mistaken click or even approval of additional privileges, but that's always in the context of doing something that makes me expect to do so (eg. installing something). As such, unless this malware is a rider along with something legit looking that I want, I'm at a loss how it's going to get on my Mac. That is unless there's some sort of network based attack that circumvents the firewall, or one-click-and-you're-doomed type of zero-day, but that seems unlikely.
Since all the analysis I've read so far is "this is of no concern to Mac owners right now", I'm left wondering just what it is that's so amazing about this. If there is some means to "deliver" it to a large number of Macs, then I'd like to know what it is...
Indeed.
Either they can forge a Notarized Application, in which case Apple just blacklists that Developer; or they make the Normies go through the hoops to Install an Untrusted Application from an Unknown Developer. No other ways, without piggybacking on something else. Speed of Infection: Glacial.
duh ? (Score:2)
So it crashes on launch and doesn't circumvent any protections.
In other words, it doesn't have the main feature of software (you know, to actually run) nor the main feature of malware (to circumvent security).
So what, exactly, did they find? Someone wrote a piece of code that - after some bugfixing - could encrypt files? Half of the /. crowd could write that in a lazy afternoon. What's the news? That some ransomware actor thought that macOS people have money, too, and gave it a half-assed try to write malwar