September 26, 2023

LockBit, has modified its variant that the ransomware strain was seen targeting Mac devices — the first of its kind for a major ransomware operation.

Researchers revealed a potential LockBit ransomware sample targeting MacOS. The ransomware binary was initially undetected by traditional anti-virus tools but has since begun catching the malicious files.

The codesign utility shows that though it’s signed, it’s signed ‘ad-hoc’ This means if downloaded to a macOS system, i.e., deployed by the attackers, macOS won’t let it run. This is confirmed by the spctl utility which shows invalid signature.


The sample also suggests that it was initially designed to run on Windows So while it’s notable that a LockBit sample has been found targeting MacOS, it’s unlikely the current variant will impact the average user, Wardle stressed. What’s important is to maintain ongoing conversations about detection and prevention of these kinds of threats.

In another campaign, the ransomware appears to rely on the source code of Conti, another highly effective variant. LockBit embedded functions previously used by past interactions of LockBit and Conti family binaries. It was this apparent connection that prompted further analysis and confirmed Conti connections, as well as TrickBot and Bazaloader which was previously employed by the Conti group, which reaffirms the connection.

While examining LockBit’s payment portal and the group’s ransom note, which found evidence of multiple fresh LockBit variants. The ransom note structure bore similarities to previous variants, while the newly detected strains rely on a string of random characters instead of the .lockbit extension.

Known as LockBit Black, the variant was “more modular and evasive” than previous versions. LockBit Black shares similarities with Black Matter and Black Cat ransomware.

Leave a Reply

%d bloggers like this: