There aren’t many certainties in cybercrime, but one that is often repeated is that malware is overwhelmingly a problem affecting computers running Microsoft Windows.
This can sound like a statement of the obvious, but malware targets Windows because there are a lot more Windows computers to target—up to 80% of all desktops and laptops globally, depending on which estimate you take as accurate.
The same holds true for ransomware, although ransomware attacks these days are more likely to target account credentials remotely, which avoids having to compromise endpoints in the initial attack phase.
Even so, when exceptions to the Windows malware rule are discovered, they tend to attract a lot of attention, and even panic. An example is new evidence that the notorious LockBit ransomware group has recently developed a version of its malware designed to run on Apple’s macOS.
It was publicized by MalwareHunter Team, who reportedly chanced upon a zipped archive on VirusTotal containing a macOS encryptor.
Although not a frequent occurrence, this is not the first time ransomware has targeted Macs. More eye-catching is that the group behind the latest discovery is LockBit, one of the most aggressive ransomware crime groups of recent times.
Connected to the older Conti ransomware, its handiwork includes the recent crippling attack on the foreign mail delivery service of Britain’s Royal Mail, which was put out of action for several weeks.
According to security company Trend Micro, LockBit was the most active ransomware group of 2022, accounting for more than a third of all attacks it detected.
In that context, it’s not surprising that LockBit might want to expand its population of potential victims by targeting Macs, which are after all the second biggest personal computer platform after Windows.
Curiously, however, the encryptors discovered by MalwareHunter Team targeted a wide range of other platforms, including FreeBSD and the ARM, MIPS, and SPARC microprocessor architectures. That’s in addition to targeting Linux more generally and VMware ESXi.
Some of these platforms have tiny populations in specialized contexts and hardly seem worth targeting at all. But that’s not how ransomware works—every target is potentially a way into an organization. Indeed, smaller is often better because defenders might leave it unprotected.
An Overstated Threat?
Right now, the evidence strongly suggests that the LockBit macOS ransomware is in development and doesn’t pose an immediate risk, at least as far as anyone knows. Ransomware messages are highly unlikely to be appearing on the screens of macOS users any time soon.
And yet history tells us not to disregard intention when we see it. Clearly, one of the biggest ransomware developers has mused about the possibility of targeting non-Windows platforms at some point.
One view is that this might now be inevitable. As Windows computers become better defended, it makes sense to widen the net to any endpoint that can be reached.
Alternatively, the threat of macOS ransomware is overstated because there are simply better ways to target networks that don’t involve running malware on every type of client.
If that view is correct, the much more plausible worry for Mac users is that their data is being breached as part of third-party attacks that don’t always get as much publicity as macOS ransomware scares.