LockBit Ransomware Group Now Targets macOS


April 18, 2023

World map

Researchers report the discovery of what may be the first iteration of macOS ransomware that is assessed to have emerged as early as November of 2022 and is undetected by antimalware engines on VirusTotal.  

“Apple security expert Patrick Wardle has conducted an analysis of the macOS version of LockBit and found that while it can run on Macs and it is capable of encrypting files, it currently doesn’t pose any real risk,” Security Week reported.

“While this may be the first time a large ransomware group created ransomware capable of running on macOS, it’s worth noting that this sample is far from ready for prime time. From its lack of a valid code-signing signature to its ignorance of TCC and other macOS file-system protections as it stands it poses no threat to macOS users,” Wardle explained.

Takeaway: While Windows is still the most common operating system, with about 60% of the desktop market, MacOS has been gaining in popularity with about a 30% share, with Linux having about 3%. It has been assumed that MacOS is more secure because there are less malware-related threats in the wild, but the case is that attackers have focused on Windows because they have ROI to think about in their operations as well – it's a numbers game.

We have already seen some major ransomware operators like Conti, LockBit, RansomEXX, REvil and Hive developing Linux strains, as well as lesser known and emerging threat actors like Black Basta, IceFire, HelloKitty, BlackMatter and AvosLocker adding Linux capabilities, to name a few.

The development of macOS ransomware strains increases the addressable target range for threat actors and the level of disruption they can bring in a ransomware attack. Ransomware also creates liability and intellectual property loss issues for organizations as attackers focus on the exfiltration of sensitive data prior to delivering the ransomware payload:

  • Ransomware Attacks are Stealthy: On average, a ransomware attack took 237 days to detect (about eight months) and 89 days to fully remediate (about three months) – this is when they are exfiltrating data for double extortion.
  • Ransomware Remediation is Costly: The average ransomware attack response cost $4.54 million, more than the average cost of a data breach at $4.35 million – this represents an existential threat to organizations.
  • Collective Business Impact is Huge: Ransom payments, damage to brand, increased premiums, legal fees, and lost revenue can far exceed remediation costs – this is why the focus needs to be on prevention and resilience.

Current solutions available in the market, while robust and effective for some threats, do not fully protect against ransomware attacks because they were built to detect malware variants in general, but were simply not designed to recognize ransomware. Basic security hygiene is not enough though. Most attacks start at the endpoint, so endpoint security and resiliency are essential.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.