LockBit Developing Ransomware for Apple M1 Chips, Embedded Systems

Published: 23/11/2024   Category: security




Under construction: The world's leading ransomware gang is workshopping ransomware for less obvious systems beyond Windows environments. Experts weigh in on how worried we should be.



The LockBit gang is building ransomware for new architectures, forgoing Windows and potentially posing entirely new problems for their victims along the way.
In a blog published June 22, researchers from Kaspersky describe having stumbled on a .ZIP file with a trove of LockBit malware samples inside. The samples appear to have derived from LockBit's previous encryptor variations targeting VMware ESXi hypervisors.
The samples targeted FreeBSD and Linux, a growing trend among ransomware actors, plus various embedded technologies, including instruction set architecture (ISA) firmware for CPUs, like ARM, MIPS, ESA/390, and PowerPC, as well as Apple M1, an ARM-based system-on-chip (SoC) used in Mac and iPad devices.
The samples were clearly a work in progress, Kaspersky noted: the macOS sample, for instance, was unsigned, so it could not be executed as is, and the string encryption method was simple, a one-byte XOR.
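To show why a one-byte XOR offers an analyst almost no resistance, here is an added example (not code from the article or from Kaspersky's report): it brute-forces all 256 candidate keys against a blob of obfuscated strings, scores each decode for how text-like it is, and splits out the NUL-terminated strings. The blob, the key 0x5A and the strings inside it are constructed for illustration and are not taken from any real sample.

```python
# Added example (not from the article or from Kaspersky's report): undoing a
# one-byte XOR string obfuscation. Every byte is XORed with the same key, so
# there are only 256 candidates; score each decode for how much it looks like
# text (paths, file names, commands) and keep the best.
# The blob below is CONSTRUCTED for illustration, not bytes from any real sample.
from typing import List, Tuple

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call also decodes."""
    return bytes(b ^ key for b in data)

def text_score(data: bytes) -> int:
    """Heuristic: reward lowercase letters and digits, tolerate other printable
    ASCII plus NUL/whitespace separators, penalize everything else."""
    score = 0
    for b in data:
        if 0x61 <= b <= 0x7A or 0x30 <= b <= 0x39:
            score += 2
        elif 0x20 <= b < 0x7F or b in (0, 9, 10, 13):
            score += 1
        else:
            score -= 3
    return score

def rank_keys(blob: bytes, top: int = 3) -> List[Tuple[int, int]]:
    """Try all 256 single-byte keys and return the best (key, score) pairs."""
    scored = [(k, text_score(xor_bytes(blob, k))) for k in range(256)]
    scored.sort(key=lambda ks: ks[1], reverse=True)
    return scored[:top]

def recover_strings(blob: bytes, key: int, min_len: int = 4) -> List[str]:
    """Decode with `key` and split on NUL, the usual C string terminator."""
    plain = xor_bytes(blob, key)
    return [s.decode("ascii", "replace")
            for s in plain.split(b"\x00") if len(s) >= min_len]

# Constructed sample: three NUL-terminated strings hidden with key 0x5A (assumed).
CONSTRUCTED_KEY = 0x5A
CONSTRUCTED_BLOB = xor_bytes(b"/etc/hosts\x00esxcli\x00readme.txt\x00", CONSTRUCTED_KEY)

if __name__ == "__main__":
    best_key, best_score = rank_keys(CONSTRUCTED_BLOB)[0]
    print(f"best key 0x{best_key:02X} (score {best_score})")
    for s in recover_strings(CONSTRUCTED_BLOB, best_key):
        print("  ", s)
```

The scoring heuristic favors lowercase text, so on a real sample an analyst would confirm the top key by checking that a string they expect (a path, an extension, a command name) appears in the decode.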
Should they eventually make it to the wild, however, these new ransomware variants could prove useful to LockBit as it tries to stay relevant, says Jason Baker, threat intelligence analyst at GuidePoint Security. "In an increasingly crowded RaaS marketplace competing for talent and targets, this kind of differentiating behavior may ultimately benefit LockBit despite the additional costs and lower volume of targets."
Especially after the breakup of Conti, LockBit arguably took up the mantle as the world's premier ransomware gang. Last month brought a notable decline in its activity, however. While the ransomware industry rose as a whole, LockBit claimed 30% fewer victims than the month prior.
Perhaps, in retrospect, it was dedicating extra time and resources to developing its new malware. Or, perhaps, the new malware is a response to its decline.
Either way, its new direction is a cause for concern for defenders. Security analysts already raised the alarm on Android SoCs in 2021 and Apple M1 in 2022, and multiple vulnerabilities in popular AMI SoCs were revealed earlier this year.
"We're seeing increased reporting lately related to embedded devices being used for persistence," reports Adam Pennington, project leader for MITRE, "though major attacks have not yet been demonstrated in the wild."
LockBit will face hurdles in breaking through this glass ceiling, explains Callie Guenther, cyber threat research senior manager at Critical Start. "Unlike traditional operating systems, embedded systems and IoT devices often have resource constraints, limited processing power, and specific hardware configurations. Ransomware designed for SoCs needs to be tailored to these limitations and adapted to the specialized environment," she points out.
Furthermore, she continues, "SoCs often run specialized firmware or customized operating systems, which may require a different approach in terms of payload delivery, execution, and evasion techniques. Ransomware targeting SoCs may need to exploit specific vulnerabilities or weaknesses within the firmware or system architecture to gain control over the device and encrypt its data."
Baker speculates that the challenge may be part of the appeal for LockBit. "The most likely reason to target SoCs that are not being targeted by other groups, such as Apple silicon, is for the sake of brand strength and prestige. Larger, more advanced groups such as LockBit have the in-house expertise and resources to throw at this problem set, and developing a unique capability not available elsewhere would continue to highlight the group as a pioneer in the ransomware-as-a-service (RaaS) ecosystem," he says.
The reason to worry about ransomware for embedded technologies, Pennington explains, isn't merely that it's new and uncharted. It's also that these technologies are easier to overlook and sometimes harder to protect.
"Most enterprises heavily focus their security efforts on Windows, despite various other server and embedded operating systems occupying the exact same networks. Among other reasons, targeting these alternate platforms can be a really effective way to evade existing defenses," Pennington assesses.
He poses a scenario in which a ransomware or other actor infects a network; defenders clean up the kinds of systems where they have the visibility and tools to see and manage them; and then, months later, they discover that an implant has been left behind on something like a Linux-based security camera running on one of these other architectures.
To prevent attackers from gaining this upper hand, Pennington says, organizations need to consider a diverse set of operating systems and architectures when they secure themselves, and not just their Windows systems.
"Nearly everyone is running some number of systems with these types of OSs and chips," he emphasizes, "even if they don't realize it."
