The infamous LockBit ransomware gang has developed a version of their malware for macOS devices — the first ever foray into Apple's territory by a major ransomware group.

LockBit is one of the world's most prolific ransomware-as-a-service (RaaS) operations, known for its ivolvement in high-profile attacks, sophisticated malicious offerings, and some grade-A PR.

The first evidence that the gang has been experimenting with macOS was published by the MalwareHunterTeam ransomware repository on April 15. "As much as I can tell," a tweet read, "this is the first Apple's Mac devices-targeting build of LockBit ransomware sample seen ... Also is this a first for the 'big name' gangs?"

Shortly thereafter, vx-underground — a malware research site — added a wrinkle to the story. "It appears we are late to the game," it tweeted. "The macOS variant has been available since November 11th, 2022."

Ransomware for Mac may raise alarm bells, though a closer examination of the binary reveals that it's not quite ready for prime time.

"For now, the impact to the average Mac user in the enterprise is essentially zero," Patrick Wardle, founder of the Objective-See Foundation, tells Dark Reading. He pulled a sample apart in an analysis published April 16.

However, he adds, "I think this should be looked at as a harbinger of things to come. You have a very well funded and motivated, large ransomware group that's saying: 'Hey, we're setting our sights on on macOS.'"

Will Mac users be ready when ransomware finally comes for them?

LockBit on Mac

Saturday's discovery may be best characterized as Windows malware with macOS lipstick.

In unpacking the code, Wardle discovered multiple strings related to Windows artifacts — like autorun.inf, ntuser.dat.log, and so on. The lone component indicating its OS intentions was a variable called "apple_config."

"This is the only instance (I found) of any macOS specific references/customizations," Wardle noted in the analysis, appending that "(The rest of the malware's binary simply looks like Linux code, compiled for macOS)."

There were other signs, too, that the developers hadn't yet completed their project. For example, the code was signed "ad-hoc" — a stand-in for, say, a stolen Apple Developer ID. This could be a placeholder for future RaaS customers, but for now, Wardle explains, "this means if downloaded to a macOS system (i.e. deployed by the attackers) macOS won't let it run."

Suffice it to say: LockBit hasn't breached the Apple dam just yet. But that doesn't mean Mac users can relax.

Ransomware Is Headed for Macs

Never before has one of the big name ransomware outfits — Conti, Clop, Hive, et al — developed ransomware for Mac computers. There may be one reason, above all, for why that is.

"Look at, traditionally, who the targets are for large ransomware attacks. It's the enterprises: hospitals, packaging facilities, these more traditional companies," Wardle points out. "They are generally Windows-based."

Slowly, though, Apple devices have been spreading in enterprise environments. A 2021 survey data from JAMF indicated that Apple's tablets are the go-to choice for businesses, iPhones represent about half of all smartphones in business settings, and the "average penetration" of macOS devices in the enterprise was around 23%, as compared with 17% two years prior.

"The pandemic and the work from home really spurred that," Wardle postulates. "A lot of people have Mac computers. And as the younger generation enters the workforce — they are more comfortable with the Apple ecosystem."

Following from that, he adds, "hackers who are very opportunistic are realizing that a lot of their potential victims are now transitioning, and thus they need to evolve their malicious creations."

So the question may not be whether ransomware groups will jump into macOS, but how soon. "This," Wardle thinks, "is really the million-dollar question."

Are Apple Devices Prepared for Ransomware?

Luckily for Mac users, Apple has anticipated this ransomware D-Day, and has proactively gotten ahead of it. Wardle points to two primary defenses already built into the operating system.

Firstly, he says, "system files are under read-only conditions. So even if ransomware gets root access on a computer, it's still not going to be able to modify those critical files and lock or render the system inoperable."

Second is TCC — short for Transparency, Consent, and Control.

"The idea is that certain directories — for example, the user's document directory, desktop, downloads, their browser folders, and cookies — are actually protected by the operating system," Wardle explains. If ransomware finds its way onto the system, "it's going to run into TCC and it's not going to be able to access the files it wants to encrypt, without either another exploit or getting the user to explicitly approve the access."

There's a caveat to that happy news though. "Apple has done a great job implementing security mechanisms, but," Wardle warns, "these features haven't been really tried and tested yet. Maybe hackers will start poking and find some flaws. TCC, for example, has been riddled with bypasses basically since day one."

"It would be naive to think that the attackers aren't going to improve their techniques and create more effective ransomware," he concludes. "So, I think it's really great to be talking about this now."