
LockBit expands its reach, now targeting macOS

22 June 2023

LockBit, one of the world’s most prolific ransomware groups, has recently upgraded its operations with enhanced multiplatform functionality, according to cybersecurity experts at Kaspersky. LockBit gained notoriety for its relentless targeting of businesses globally, leaving a trail of financial and operational devastation in its wake. This recent report by Kaspersky showcases LockBit's determination to expand its reach and maximize the impact of its malicious activities.

In its early stages, LockBit operated without leak portals, double extortion tactics, or data exfiltration before encrypting victim data. However, the group has continuously developed its infrastructure and security measures to protect its assets against various threats, including attacks on its administration panels and disruptive distributed denial-of-service (DDoS) attacks.

The cybersecurity community observed that LockBit is adopting code from other infamous ransomware groups, such as BlackMatter and DarkSide. This strategic move not only streamlines operations for potential affiliates but also broadens the range of attack vectors employed by LockBit. Recent findings by Kaspersky's Threat Attribution Engine (KTAE) shed light on the fact that LockBit has incorporated approximately 25 percent of the code previously used by the now-defunct Conti ransomware gang, resulting in a new variant known as LockBit Green.

In a significant breakthrough, Kaspersky researchers uncovered a ZIP file containing LockBit samples specifically tailored to multiple architectures, including Apple M1, ARM v6, ARM v7, FreeBSD, and more. Through analysis and investigation using the KTAE, they confirmed that these samples originated from the LockBit Linux/ESXi version previously observed.

While some samples, like the macOS variant, require additional configuration and are not signed properly, it is evident that LockBit is actively testing its ransomware on various platforms, indicating an imminent expansion of the attacks. This development underscores the urgent need for robust cybersecurity measures across all platforms and heightened awareness within the business community.

“LockBit is a highly active and notorious ransomware group known for its devastating cyberattacks on businesses worldwide. With its continual infrastructure enhancements and incorporation of code from other ransomware gangs, LockBit poses a significant and evolving threat to organizations across various industries. It is imperative for businesses to reinforce their defenses, regularly update security systems, educate employees on cybersecurity best practices, and establish incident response protocols to effectively mitigate the risks posed by LockBit and similar ransomware groups,” comments Marc Rivero, senior security researcher at Kaspersky's Global Research and Analysis Team.

Learn more about LockBit's updated toolset on Securelist.

To protect yourself and your business from ransomware attacks, consider following the rules proposed by Kaspersky:

  • Always keep the software updated on all the devices you use to prevent attackers from exploiting vulnerabilities and infiltrating your network.
  • Focus your defense strategy on detecting lateral movements and data leaks to the internet. Pay special attention to outgoing traffic to detect cybercriminals' connections to your network. Set up offline backups that intruders cannot tamper with. Make sure you can access them quickly when needed or in an emergency.
  • Activate ransomware protection on all endpoints. There is a free Kaspersky Anti-Ransomware Tool for Business that shields computers and servers from ransomware and other types of malware, prevents exploits and is compatible with already installed security solutions.
  • Install anti-APT and EDR solutions, enabling capabilities for advanced threat detection, investigation and timely remediation of incidents. Provide your SOC team with access to the latest threat intelligence and regularly upskill them with professional training. All of the above is available within Kaspersky Expert Security framework.
  • Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access to Kaspersky's TI, providing cyberattack data and insights collected by our team over the last 20 years. To help businesses deliver effective defenses in these turbulent times, Kaspersky has announced it is providing access to independent, continuously updated and globally sourced information on current cyberattacks and threats free of charge. Request access to this offer here.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
