Researchers Discover First-Ever Major Ransomware Targeting macOS

Published: 23/11/2024 | Category: security




In targeting Apple users, LockBit is going where no major ransomware gang has gone before. But it's a warning shot, and Mac users need not worry yet.



The infamous LockBit ransomware gang has developed a version of its malware for macOS devices, the first-ever foray into Apple's territory by a major ransomware group. LockBit is one of the world's most prolific ransomware-as-a-service (RaaS) operations, known for its involvement in high-profile attacks, sophisticated malicious offerings, and some grade-A PR.
The first evidence that the gang has been experimenting with macOS was published by the MalwareHunterTeam ransomware repository on April 15, 2023. "As much as I can tell, this is the first Apple's Mac devices-targeting build of LockBit ransomware sample seen," a tweet read. "Also is this a first for the big name gangs?"
Shortly thereafter, vx-underground, a malware research site, added a wrinkle to the story. "It appears we are late to the game," it tweeted. "The macOS variant has been available since November 11th, 2022."
Ransomware for Mac may raise alarm bells, though a closer examination of the binary reveals that it's not quite ready for prime time.
"For now, the impact to the average Mac user in the enterprise is essentially zero," Patrick Wardle, founder of the Objective-See Foundation, tells Dark Reading. He pulled a sample apart in an analysis published April 16.
However, he adds, "I think this should be looked at as a harbinger of things to come. You have a very well funded and motivated, large ransomware group that's saying: 'Hey, we're setting our sights on macOS.'"
Will Mac users be ready when ransomware finally comes for them?
Saturday's discovery may be best characterized as Windows malware with macOS lipstick.
In unpacking the code, Wardle discovered multiple strings related to Windows artifacts — like autorun.inf, ntuser.dat.log, and so on. The lone component indicating its OS intentions was a variable called apple_config.
"This is the only instance (I found) of any macOS specific references/customizations," Wardle noted in the analysis, adding that "the rest of the malware's binary simply looks like Linux code, compiled for macOS."
There were other signs, too, that the developers hadn't yet completed their project. For example, the code was signed ad hoc, a stand-in for, say, a stolen Apple Developer ID certificate. An ad-hoc signature carries no signer identity and is not notarized, so a quarantined download with one fails Gatekeeper. This could be a placeholder for future RaaS customers, but for now, Wardle explains, "this means if downloaded to a macOS system (i.e. deployed by the attackers) macOS won't let it run."
Suffice it to say: LockBit hasn't breached the Apple dam just yet. But that doesn't mean Mac users can relax.
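The signing check Wardle describes is easy to reproduce with Apple's own codesign tool. The script below is an added example, not code from the article or from Objective-See: it classifies a binary's signing state from the text that `codesign -dv --verbose=4` prints (ad hoc, Developer ID, Apple platform, or unsigned) and checks for the com.apple.quarantine attribute that makes Gatekeeper evaluate a download in the first place. The three codesign outputs embedded as variables are constructed samples in the format macOS 13 emits; the paths, identifiers and the team ID ABCDE12345 are made up for illustration.

```shell
#!/bin/sh
# Added example: triage a macOS binary's code signature and quarantine state.
# Pure-text classification runs anywhere; the live wrappers need macOS.

# Constructed sample: what codesign prints for an ad-hoc signed binary.
ADHOC_SAMPLE=$(cat <<'EOF'
Executable=/private/tmp/locker
Identifier=locker
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
EOF
)

# Constructed sample: a Developer ID signed app (team ID is fictitious).
DEVID_SAMPLE=$(cat <<'EOF'
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=4321 flags=0x10000(runtime) hashes=120+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
Runtime Version=13.0.0
EOF
)

# Constructed sample: codesign's error for a binary with no signature at all.
UNSIGNED_SAMPLE='/private/tmp/raw: code object is not signed at all'

# classify_codesign: reads codesign output (stdout and stderr merged) on
# stdin and prints one of: unsigned | adhoc | developer-id | apple | other
classify_codesign() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'code object is not signed at all'; then
        echo unsigned; return 0
    fi
    if printf '%s\n' "$out" | grep -q '^Signature=adhoc'; then
        echo adhoc; return 0
    fi
    if printf '%s\n' "$out" | grep -q '^Authority=Developer ID Application:'; then
        echo developer-id; return 0
    fi
    # Apple's own platform binaries chain to the "Software Signing" authority.
    if printf '%s\n' "$out" | grep -q '^Authority=Software Signing'; then
        echo apple; return 0
    fi
    echo other
}

# team_id: prints the TeamIdentifier value ("not set" for ad-hoc signatures).
team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# check_binary: live wrapper, macOS only.
check_binary() {
    codesign -dv --verbose=4 "$1" 2>&1 | classify_codesign
}

# is_quarantined: true if the file carries the quarantine attribute that
# triggers a Gatekeeper check when it is first launched. macOS only.
is_quarantined() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Usage on a Mac: sh triage.sh /path/to/binary
if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
    printf '%s: signature=%s quarantine=%s\n' "$1" \
        "$(check_binary "$1")" \
        "$(is_quarantined "$1" && echo yes || echo no)"
fi
```

An "adhoc" result with the quarantine attribute set is the combination Wardle describes: the binary will be refused at launch. Without the quarantine attribute (for example, when dropped by an already-running process rather than downloaded), an ad-hoc signed binary can still execute, so the signature alone is not a safety guarantee.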
Never before has one of the big-name ransomware outfits (Conti, Clop, Hive, et al.) developed ransomware for Mac computers. There may be one reason, above all, why that is.
"Look at, traditionally, who the targets are for large ransomware attacks. It's the enterprises: hospitals, packaging facilities, these more traditional companies," Wardle points out. "They are generally Windows-based."
Slowly, though, Apple devices have been spreading in enterprise environments. 2021 survey data from JAMF indicated that Apple's tablets are the go-to choice for businesses, that iPhones represent about half of all smartphones in business settings, and that the average penetration of macOS devices in the enterprise was around 23%, up from 17% two years prior.
"The pandemic and the work from home really spurred that," Wardle postulates. "A lot of people have Mac computers. And as the younger generation enters the workforce, they are more comfortable with the Apple ecosystem."
Following from that, he adds, hackers "who are very opportunistic are realizing that a lot of their potential victims are now transitioning, and thus they need to evolve their malicious creations."
So the question may not be whether ransomware groups will jump into macOS, but how soon. This, Wardle thinks, is "really the million-dollar question."
Luckily for Mac users, Apple has anticipated this ransomware D-Day, and has proactively gotten ahead of it. Wardle points to two primary defenses already built into the operating system.
"Firstly," he says, "system files are under read-only conditions. So even if ransomware gets root access on a computer, it's still not going to be able to modify those critical files and lock or render the system inoperable." (Since macOS 10.15 the system volume is mounted read-only, and since macOS 11 it is also cryptographically sealed as the Signed System Volume.)
Second is TCC, short for Transparency, Consent, and Control.
"The idea is that certain directories, for example, the user's document directory, desktop, downloads, their browser folders, and cookies, are actually protected by the operating system," Wardle explains. "If ransomware finds its way onto the system, it's going to run into TCC and it's not going to be able to access the files it wants to encrypt, without either another exploit or getting the user to explicitly approve the access."
There's a caveat to that happy news, though. Apple has done a great job implementing security mechanisms, but, Wardle warns, "these features haven't been really tried and tested yet. Maybe hackers will start poking and find some flaws. TCC, for example, has been riddled with bypasses basically since day one."
"It would be naive to think that the attackers aren't going to improve their techniques and create more effective ransomware," he concludes. "So, I think it's really great to be talking about this now."
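Both defenses Wardle names can be audited from a shell, and the audit also surfaces the gap he warns about: any process that has already been granted Full Disk Access sails past TCC without a prompt. The script below is an added example, not code from the article or from Objective-See. It checks from `mount` output that the root volume is mounted sealed and read-only, and lists the clients that hold Full Disk Access by reading the kTCCServiceSystemPolicyAllFiles rows of the system TCC database. It assumes the macOS 11+ TCC.db schema (an `access` table with `service`, `client` and `auth_value` columns, where 2 means allowed and 0 denied); the `mount` lines and TCC rows embedded as variables are constructed samples, and the client identifiers in them are fictitious. Reading the real TCC.db requires root and a shell that itself has Full Disk Access.

```shell
#!/bin/sh
# Added example: audit the two macOS anti-ransomware defenses discussed above.
# Parsing functions run anywhere; the live wrappers need macOS 11 or later.

# Constructed sample: `mount` on a modern Mac. The root volume is the sealed,
# read-only system snapshot; user data lives on the separate Data volume.
MOUNT_SEALED=$(cat <<'EOF'
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk3s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse, protect)
EOF
)

# Constructed sample: a root volume that is writable (seal broken or disabled).
MOUNT_UNSEALED='/dev/disk3s1 on / (apfs, local, journaled)'

# Constructed sample: rows as sqlite3 prints them (client|auth_value).
# auth_value 2 = allowed, 0 = denied under the macOS 11+ schema (assumption).
TCC_SAMPLE=$(cat <<'EOF'
com.apple.Terminal|2
com.example.backupagent|2
com.example.unknown-locker|0
EOF
)

# System-wide TCC database; needs root plus Full Disk Access to read.
TCC_DB='/Library/Application Support/com.apple.TCC/TCC.db'

# root_is_sealed_ro: reads `mount` output on stdin; succeeds only if the
# root volume line carries both "sealed" and "read-only".
root_is_sealed_ro() {
    line=$(grep ' on / (' | head -n 1)
    case "$line" in
        *sealed*read-only*|*read-only*sealed*) return 0 ;;
        *) return 1 ;;
    esac
}

# fda_clients: reads client|auth_value rows on stdin and prints the clients
# that hold Full Disk Access, i.e. can read and rewrite every TCC-protected
# folder (Desktop, Documents, Downloads, ...) without any prompt.
fda_clients() {
    awk -F'|' '$2 == 2 { print $1 }'
}

# query_fda: live wrapper, macOS only. Pulls the rows fda_clients expects.
query_fda() {
    sqlite3 "$TCC_DB" \
        "SELECT client, auth_value FROM access
         WHERE service = 'kTCCServiceSystemPolicyAllFiles';"
}

# Usage on a Mac (as root): sh audit.sh
if [ "$(uname -s 2>/dev/null)" = Darwin ] && command -v sqlite3 >/dev/null 2>&1; then
    if mount | root_is_sealed_ro; then
        echo 'root volume: sealed, read-only'
    else
        echo 'root volume: NOT sealed read-only'
    fi
    echo 'clients with Full Disk Access:'
    query_fda | fda_clients
fi
```

Every identifier that fda_clients prints is a process TCC will not stop; a ransomware payload that can inject into, or masquerade as, one of those clients inherits that access, which is the sort of bypass Wardle has in mind. The list is therefore worth reviewing as closely as the Windows equivalent of a service account with full file-system rights.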
