LockBit, known for the effective evolution of its tactics, has again modified its variant. In one instance, the ransomware strain was seen targeting Mac devices — the first of its kind for a major ransomware operation.Patrick Wardle, founder of nonprofit ObjectiveSee, was first to spot a Twitter post from MalwareHunter, which revealed a potential LockBit ransomware sample targeting MacOS. The ransomware binary was initially undetected by traditional anti-virus tools, but has since begun catching the malicious files.However, Wardle was quick to point out that while the fresh LockBit sample can indeed run on Apple products, “it’s basically the extent of its impact.” As noted, “The codesign utility shows that though it’s signed, it’s signed 'ad-hoc' (say vs. an Apple Developer ID).”“This means if downloaded to a macOS system, i.e. deployed by the attackers, macOS won’t let it run,” Wardle explained. “This is confirmed by the spctl utility which shows ‘invalid signature.’”The sample also suggests that it was initially designed to run on Windows. In fact, several sample strings contained nothing that specifically related to MacOS, which may mean the “code is simply a recompile of LockBit ransomware that targets Windows, Linux, and also VMWare ESXi.So while it’s notable that a LockBit sample has been found targeting MacOS, it’s unlikely the current variant will impact the average user, Wardle stressed. What’s important is to maintain ongoing conversations about detection and prevention of these kinds of threats.
Ransomware, Malware, Threat Management
New LockBit variant targets MacOS, another relies on Conti source code

A screen image of the ransom by the LockBit ransomware group. (Image provided by Recorded Future)
An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



