LockBit ransomware encryptors discovered focusing on Mac gadgets


The LockBit ransomware gang has created encryptors focusing on Macs for the primary time, doubtless turning into the primary main ransomware operation to ever particularly goal macOS.

The brand new ransomware encryptors have been found by cybersecurity researcher MalwareHunterTeam who discovered a ZIP archive on VirusTotal that contained what seems to be many of the out there LockBit encryptors.

Traditionally, the LockBit operation makes use of encryptors designed for assaults on Home windows, Linux, and VMware ESXi servers. Nonetheless, as proven under, this archive [VirusTotal] additionally contained beforehand unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs.

Archive of available LockBit encryptors
Archive of obtainable LockBit encryptors
Supply: BleepingComputer

These encryptors additionally embrace one named ‘locker_Apple_M1_64’ [VirusTotal] that targets the newer Macs working on Apple Silicon. The archive additionally accommodates lockers for PowerPC CPUs, which older Macs use.

Additional analysis by cybersecurity researcher Florian Roth discovered an Apple M1 encryptor uploaded to VirusTotal in December 2022, indicating that these samples have been floating round for a while.

Probably check builds

BleepingComputer analyzed the strings within the LockBit encryptor for Apple M1 and located strings which are misplaced in a macOS encryptor, indicating that these have been doubtless haphazardly thrown collectively in a check.

For instance, there are quite a few references to VMware ESXi, which is misplaced in an Apple M1 encryptor, as VMare introduced they’d not be supporting the CPU structure.

_check_esxi
esxi_
_Esxi
_kill_esxi_1
_kill_esxi_2
_kill_esxi_3
_kill_processes
_kill_processes_Esxi
_killed_force_vm_id
_listvms
_esxcfg_scsidevs1
_esxcfg_scsidevs2
_esxcfg_scsidevs3
_esxi_disable
_esxi_enable

Moreover, the encryptor accommodates an inventory of sixty-five file extensions and filenames that will probably be excluded from encryption, all of them being Home windows file extensions and folders.

A small snippet of the Home windows information the Apple M1 encryptor won’t encrypt is listed under, all misplaced on a macOS machine.

.exe
.bat
.dll
msstyles
gadget
winmd
ntldr
ntuser.dat.log
bootsect.bak
autorun.inf
thumbs.db
iconcache.db

Virtually the entire ESXi and Home windows strings are additionally current within the MIPs and FreeBSD encryptors, indicating that they use a shared codebase.

The excellent news is that these encryptors are doubtless not prepared for deployment in precise assaults in opposition to macOS gadgets.

Cisco Talos researcher Azim Khodjibaev advised BleepingComputer that based mostly on their analysis, the encryptors have been meant as a check and have been by no means supposed for deployment in stay cyberattacks.

Whereas Home windows has been probably the most focused working system in ransomware assaults, nothing prevents builders from creating ransomware that targets Macs.

The truth that they’re being examined signifies that extra superior and optimized encryptors for these CPU architectures may come sooner or later.

Subsequently, all pc customers, together with Mac house owners, ought to observe good on-line security habits, together with protecting the working system up to date, avoiding opening unknown attachments and executables, and utilizing sturdy and distinctive passwords at each web site you go to.



Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles