{
	"id": "9bf0a238-fcc6-4c0a-bdb8-8796c93b5efa",
	"created_at": "2026-04-06T00:09:44.913548Z",
	"updated_at": "2026-04-10T03:32:26.688086Z",
	"deleted_at": null,
	"sha1_hash": "4c0ae63a64e187dcceec69bb1a103c5677abaa79",
	"title": "LockBit ransomware encryptors found targeting Mac devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1500777,
	"plain_text": "LockBit ransomware encryptors found targeting Mac devices\r\nBy Lawrence Abrams\r\nPublished: 2023-04-16 · Archived: 2026-04-05 15:32:41 UTC\r\nThe LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major\r\nransomware operation to ever specifically target macOS.\r\nThe new ransomware encryptors were discovered by cybersecurity researcher MalwareHunterTeam who found a ZIP\r\narchive on VirusTotal that contained what appears to be most of the available LockBit encryptors.\r\nHistorically, the LockBit operation uses encryptors designed for attacks on Windows, Linux, and VMware ESXi servers.\r\nHowever, as shown below, this archive [VirusTotal] also contained previously unknown encryptors for macOS, ARM,\r\nFreeBSD, MIPS, and SPARC CPUs.\r\nArchive of available LockBit encryptors\r\nSource: BleepingComputer\r\nThese encryptors also include one named 'locker_Apple_M1_64' [VirusTotal] that targets the newer Macs running on Apple\r\nSilicon. 
The archive also contains lockers for PowerPC CPUs, which older Macs use.\r\nFurther research by cybersecurity researcher Florian Roth found an Apple M1 encryptor uploaded to VirusTotal in\r\nDecember 2022, indicating that these samples have been floating around for some time.\r\nLikely test builds\r\nBleepingComputer analyzed the strings in the LockBit encryptor for Apple M1 and found strings that are out of place in a\r\nmacOS encryptor, indicating that these were likely haphazardly thrown together in a test.\r\nFor example, there are numerous references to VMware ESXi, which is out of place in an Apple M1 encryptor, as VMware\r\nannounced they would not be supporting the CPU architecture.\r\n_check_esxi\r\nesxi_\r\n_Esxi\r\n_kill_esxi_1\r\n_kill_esxi_2\r\n_kill_esxi_3\r\n_kill_processes\r\n_kill_processes_Esxi\r\n_killed_force_vm_id\r\n_listvms\r\n_esxcfg_scsidevs1\r\n_esxcfg_scsidevs2\r\n_esxcfg_scsidevs3\r\n_esxi_disable\r\n_esxi_enable\r\nFurthermore, the encryptor contains a list of sixty-five file extensions and filenames that will be excluded from encryption,\r\nall of them being Windows file extensions and folders.\r\nA small snippet of the Windows files the Apple M1 encryptor will not encrypt is listed below, all out of place on a macOS\r\ndevice.\r\n.exe\r\n.bat\r\n.dll\r\nmsstyles\r\ngadget\r\nwinmd\r\nntldr\r\nntuser.dat.log\r\nbootsect.bak\r\nautorun.inf\r\nthumbs.db\r\niconcache.db\r\nAlmost all of the ESXi and Windows strings are also present in the MIPS and FreeBSD encryptors, indicating that they use a\r\nshared codebase.\r\nThe good news is that these encryptors are likely not ready for deployment in actual attacks against macOS devices.\r\nCisco Talos 
researcher Azim Khodjibaev told BleepingComputer that based on their research, the encryptors were meant as\r\na test and were never intended for deployment in live cyberattacks.\r\nmacOS cybersecurity expert Patrick Wardle further confirmed BleepingComputer's and Cisco's theory that these are in-development/test builds, stating that the encryptor is far from complete as it is missing the required functionality to encrypt\r\nMacs properly.\r\nInstead, Wardle told BleepingComputer that he believes the macOS encryptor is based on the Linux version and compiled\r\nfor macOS with some basic configuration settings.\r\nFurthermore, Wardle told us that when the macOS encryptor is launched, it crashes due to a buffer overflow bug in its code.\r\n\"It seems that macOS is now on their radar ... but other than compiling it for macOS, and adding a basic config (which are\r\njust basic flags ...not specific to macOS per se) this is far from ready for deployment,\" Wardle told BleepingComputer.\r\nWardle further shared that the LockBit developer must first \"figure out how to bypass TCC, get notarized\" before becoming\r\na functional encryptor.\r\nA detailed technical analysis conducted by Wardle on the new Mac encryptor can be found on Objective See.\r\nWhile Windows has been the most targeted operating system in ransomware attacks, nothing prevents developers from\r\ncreating ransomware that targets Macs.\r\nHowever, as the LockBit operation is known for pushing the envelope in ransomware development, it would not be\r\nsurprising to see more advanced and optimized encryptors for these CPU architectures released in the future.\r\nTherefore, all computer users, including Mac owners, should practice good online safety habits, including keeping the\r\noperating system updated, avoiding opening unknown attachments and executables, generating offline backups, 
and using\r\nstrong and unique passwords at every site you visit.\r\nUpdate 4/16/23: In response to questions from BleepingComputer, the public-facing representative of LockBit, known as\r\nLockBitSupp, said that the Mac encryptor is \"actively being developed.\"\r\nWhile LockBit has a history of toying with security researchers and the media, if true, we will likely see more production-quality versions in the future.\r\nFurthermore, while it's not clear how useful a macOS encryptor would be in the enterprise, some LockBit affiliates target\r\nconsumers and small businesses, where an encryptor like this could be more useful.\r\nSource: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/"
	],
	"report_names": [
		"lockbit-ransomware-encryptors-found-targeting-mac-devices"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434184,
	"ts_updated_at": 1775791946,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c0ae63a64e187dcceec69bb1a103c5677abaa79.pdf",
		"text": "https://archive.orkl.eu/4c0ae63a64e187dcceec69bb1a103c5677abaa79.txt",
		"img": "https://archive.orkl.eu/4c0ae63a64e187dcceec69bb1a103c5677abaa79.jpg"
	}
}