Connect with us

Hi, what are you looking for?



LockBit Ransomware Group Developing Malware to Encrypt Files on macOS 

The LockBit ransomware gang is developing malware designed to encrypt files on macOS systems and researchers have analyzed if it poses a real threat.

The notorious LockBit ransomware group is apparently developing a piece of malware that can encrypt files on devices running Apple’s macOS operating system. Researchers have analyzed the malware to determine how much of a threat it actually poses.

MalwareHunterTeam reported on Sunday that they had come across what appeared to be the first macOS malware sample developed by a major ransomware group. 

Shortly after, Vx-Underground, which collects malware samples, found evidence that the malware has been around since at least November 2022. 

The malware appears to be real and, when the first sample was discovered, none of the antimalware engines on VirusTotal were detecting it. 

Apple security expert Patrick Wardle has conducted an analysis of the macOS version of LockBit and found that while it can run on Macs and it is capable of encrypting files, it currently doesn’t pose any real risk. 

First of all, the analyzed malware sample was signed, but not with a trusted certificate, which means macOS prevents it from running. Wardle also pointed out that even if such ransomware finds a way to run on a macOS device, file system protections implemented by Apple, such as TCC (Transparency, Consent, and Control), are likely to significantly limit its impact. 

LockBit ransomware macOS

The researcher also found that the malware has bugs that can cause it to suddenly terminate when running on macOS. 

During his analysis, Wardle found strings suggesting that at least some of the malware code was taken from a version designed to target Windows systems. There is also indication that much of it is Linux code that was recompiled for macOS. 

Advertisement. Scroll to continue reading.

“While this may be the first time a large ransomware group created ransomware capable of running on macOS, it’s worth noting that this sample is far from ready for prime time. From its lack of a valid code-signing signature to its ignorance of TCC and other macOS file-system protections as it stands it poses no threat to macOS users,” Wardle said. 

Emsisoft threat analyst Brett Callow pointed out that there is no evidence the malware has been deployed in the wild. “It is, however, an indication that LockBit is, or at least was, thinking about Macs,” Callow noted.

Related: Microsoft Flags Ransomware Problems on Apple’s macOS Platform

Related: User Documents Overwritten With Malicious Code in Recent Dridex Attacks on macOS

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The City of Oakland has disclosed a ransomware attack that impacted several non-emergency systems.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The personal and health information of more than 3.3 million individuals was stolen in a ransomware attack at Regal Medical Group.