back to article LockBit crew cooks up half-baked Mac ransomware

LockBit has developed ransomware that can encrypt files on Arm-powered Macs, said to be a first for the prolific cybercrime crew.  Those behind the MalwareHunterTeam Twitter handle spotted the malware, and in a subsequent VirusTotal screenshot, showed that the binary earlier didn't raise any red flags among antivirus or …

  1. t245t Silver badge
    IT Angle

    Attack of the nonexistent Mac ransomware

    “this ransomware strain has been deployed against more than 1,000 organizations .. the software nasty uses an invalid digital signature, which means it won't easily run on Apple's desktop operating system even if it's downloaded to a Mac device ..”

    1. DS999 Silver badge

      Re: Attack of the nonexistent Mac ransomware

      They need a valid developer signature which isn't that hard to get, the problem is that Apple will revoke that signature once it is used for an attack so it will be a cat and mouse game with lockbit crims stealing developer signatures and Apple revoking them.

      Probably makes more sense as a targeted attack that would fly under the radar more - get a signature, get particular target to run the binary and encrypt the files and ask for ransom. There are probably some juicy targets out there using Macs (think Hollywood and Madison Avenue) where the potential cost to them from delays trying to deal with the attack on their own would make it worth a lot of money to get a decryption key and (hopefully!) reduce downtime.

      Though if they have enabled Time Machine they can restore to a point before their files were encrypted, and lose at most a day's work. Which yes, you can do with any properly configured backup software but they'd have to buy it and have configured and operated it properly - and if everyone did that ransomware would never have become a thing!

      1. TKW

        Re: Attack of the nonexistent Mac ransomware

        Of course, there's no reason why Time Machine backups couldn't be subverted on a compromised machine.

        1. DS999 Silver badge

          Re: Attack of the nonexistent Mac ransomware

          How? An organization isn't going to be using a desktop Mac (since Apple doesn't sell servers) for their Time Machine backups, they are almost certainly using some type of NAS. That won't running macOS and thus wouldn't be vulnerable to whatever attack allowed to them to subvert the Mac environment.

          1. JohnSheeran

            Re: Attack of the nonexistent Mac ransomware

            Unless Time Machine is somehow decrypting the data* before it backs it up then it's at risk if they are patient enough to wait until enough backups are infected.

            Not a Mac user generally so I don't know the ins and outs of Time Machine.

          2. Anonymous Coward
            Anonymous Coward

            Re: Attack of the nonexistent Mac ransomware

            That won't running macOS and thus wouldn't be vulnerable to whatever attack allowed to them to subvert the Mac environment.

            You're clearly new to this. Any file an infected platform has access to for read/write can also be rewritten as an encrypted file, irrespective of where it lives, local, cloud, NAS, file server - anywhere. The only way you can prevent older backups from being overwritten is if the resource can be changed to read-only the moment the backup has finished, and that implies it must be external because if it's local storage the OS has the means to undo the read-only status (if the infection sits deep enough, which is admittedly getting harder and harder for MacOS) which renders the whole activity pointless.

      2. Anonymous Coward
        Anonymous Coward

        Re: Attack of the nonexistent Mac ransomware

        Though if they have enabled Time Machine they can restore to a point before their files were encrypted, and lose at most a day's work

        That's not how ransomware works. A ransomware infection will quietly encrypt any backups it can find for a while before it starts encrypting the main machine, so you could be losing even months when it activates, and you will only discover that if you have to access a backup for some reason, otherwise it's a slow poison.

        This means that undetected ransomware can have quite an impact once it has managed to make it onto your machine, and I see it as entirely feasible that ransomware people will try to infect software developers first in an attempt to 'christen" their malware with a valid signature, introducing the code as a trojan.

        The only way to proactively pick up ransomware is by regularly testing your backups (I use both Time Machine and Carbon Copy, separately) and by having tools installed that pick up ransomware behaviour such as the Ransomwhere software by Patrick Wardle's Objective-See non-profit. That said, exercising proper IT hygiene such as only installing software from known locations and with valid signatures will go a long way towards keeping the nasties away from MacOS, ditto for iOS where sideloading is presently near impossible (the attack vector there is more via the few zero day vulnerabilities it has had and trojaned apps).

  2. Furious Reg reader John

    "the 64-bit Arm version, at least" - hadn't realised 128-bit was an option....

    32-bit OS X hasn't been a thing since 2014, so mentioning 64-bit seems a bit unnecessary.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like