The notorious LockBit ransomware group has created a version of their software for macOS systems, marking the first time a significant ransomware group has entered Apple’s area.
One of the most widespread ransomware-as-a-service (RaaS) operations, LockBit is renowned for its involvement in well-publicized attacks, complex harmful products, and some stellar PR.
The MalwareHunterTeam ransomware repository released the first proof that the group has been testing with macOS on April 15. As far as I can tell, this is the first LockBit ransomware strain that targets Apple’s Mac devices that have been spotted, according to a tweet. Does this represent a first for the ‘big name’ gangs?
A short while later, the narrative took on a new twist thanks to the malware research website vx-underground. It tweeted, “It seems we are late to the game.” Since November 11, 2022, the macOS version has been accessible.
Even though ransomware for Mac may raise a red flag, a closer examination of the binary reveals that it is not yet ready for widespread use.
According to Patrick Wardle, founder of the Objective-See Foundation, “For now, the impact to the average Mac user in the enterprise is essentially zero.”
In a study released on April 16, he dissected a sample. However, he goes on, “I believe this should be taken as a warning of things to come. ‘Hey, we’re putting our sights on macOS,’ is what a major ransomware gang that is well-funded and determined is declaring.
When ransomware eventually targets Mac users, will they be prepared?
LockBit on the Mac:-
The discovery on Saturday might be described as Windows spyware wearing macOS lipstick.
Wardle found several strings connected to Windows artifacts during the code’s unpacking process, including autorun. inf, ntuser.dat.log, and others. The sole element that revealed its OS aspirations was a variable called “apple_config.”
The research by Wardle stated, “This is the only instance (I found) of any macOS specific references/customizations,” adding, “(The rest of the malware’s binary simply looks like Linux code, compiled for macOS).”
There were other indications that the project’s developers weren’t yet finished. The code, for instance, was “ad-hoc” signed, which may have been a substitute for a fake Apple Developer ID. This may serve as a placeholder for future RaaS clients, but for the time being, according to Wardle, “this means if downloaded to a macOS system ( deployed by the attackers ).
Enough said, LockBit hasn’t yet broken through Apple’s defenses. But that does not imply that Mac users can unwind.
Ransomware is headed for Macs:-
One of well-known ransomware companies, such as Conti, Clop, Hive, and others, has never before created malware for Mac computers. There might be one factor that accounts for this in particular.
Look at the typical individuals and organizations that receive big ransomware attacks. The enterprises, according to Wardle, are hospitals, packing plants, and other more reputable companies. They typically run on Windows.
Apple devices are, nevertheless, increasingly being used in business settings. Apple tablets are the most popular choice for businesses, iPhones make up more than half of all smartphones used in these environments, and the “average penetration” of macOS devices in the enterprise increased to about 23% in 2021 from 17% in 2020, according to survey data from JAMF.
That was prompted by both the epidemic and working from home. Many folks own Mac computers. Younger generations are more accustomed to the Apple environment when they enter the workforce.
Thus, he explains, “Hackers that are very opportunistic recognize that a lot of their possible victims are now adjusting, and as a result, they must adapt their malicious creations.”
Can Ransomware Infect Apple Devices?
Apple proactively moved ahead of this ransomware D-Day, which is fortunately for Mac users. Wardle cites two fundamental defenses that are already included in the operating system.
First, he asserts that “system files are in read-only mode.” Therefore, even if ransomware has root access to a computer, it won’t be able to change those crucial files and lock or disable the machine.
TCC, which stands for transparency, consent, and control, comes in second.
As stated by Wardle, “the theory is that some directories, like the user’s document directory, desktop, downloads, their browser folders, and cookies, are actually protected by the operating system.”
The researchers state that if ransomware is able to gain access to the system, “it will run into TCC and it will not be able to access the files it wants to encrypt, without either another exploit or getting the user to explicitly approve the access.”
It would be stupid to believe that the attackers won’t advance their methods and produce more powerful ransomware, he said. So, I believe it’s excellent that we are discussing this now.
[Source: darkreading.com]
