Warning! The “infamous” LockBit ransomware is now attacking Macs


Mallory Delicourt

April 18, 2023 at 3:05 p.m.

Apple logo locked © Norebbo

Cybersecurity researchers have discovered that hackers from the LockBit 3.0 group are currently testing methods to reach devices running macOS with their ransomware.

The tool does not seem to be fully compatible yet, but it may only be a matter of time.

LockBit on the way to macOS

For the first time since the appearance of the Russian-speaking group LockBit, LockBit encryption files have been spotted on macOS devices. This seems to indicate that a major operation is in the works, but MalwareHunterTeam researchers remain cautious. They made the discovery on VirusTotal, which contains a ZIP archive containing most of the existing LockBit encryption keys.

Until now, these keys were typically deployed on Windows, VMware ESXi, and Linux servers, but it looks like new keys are meant to target ARM, macOS, MIPS, SPARC, and FreeBSD processors. The discoveries do not stop there: researcher Florian Roth has uncovered an encryption key dating from December 2022 that allows the Apple M1 to be targeted. Nevertheless, Bleeping Computer indicates that some strings in the files are out of place, which seems to correspond to a test phase.

This theory is confirmed by researchers from Cisco Talos and by Patrick Wardle, who add that these macOS versions are far from functional and that they crash when activated. However, the threat is being taken seriously, and the next actions of the LockBit group will have to be carefully monitored. The group has also confirmed to our colleagues that a macOS version of its ransomware is currently in active development.

Apple LockBit encryption © BleepingComputer

Clinics, companies: LockBit is making headlines

The LockBit hacker group has been talked about a lot in recent years, in particular for targeting the French Ministry of Justice as well as the southern Ile-de-France hospital center in August 2022. Last November, it notably claimed responsibility for the attack on the company Thales, before putting online a 9.5 GB archive containing various data related to the company.

Very recently, it also attacked the BRL group, a specialist in water management in the Occitanie region. Unsurprisingly, LockBit threatens to disseminate the information collected, though with stated limits: last January, it apologized for an attack targeting the SickKids hospital in Toronto.

The offensive had seriously disrupted the operation of imaging services and the publication of analysis results. LockBit was quick to claim that this attack came from a specific partner, who has since been banned because, while stealing patient data is allowed by the group, preventing the delivery of care is not. The group then provided a key allowing the hospital’s IT staff to unlock its system.

Sources: Bleeping Computer / Norebbo


