SecureMac, Inc.

Is there ransomware on macOS?

April 26, 2023

Is there ransomware on macOS? Are Apple Mac users at risk? We’ll take a closer look at the issue in this article.

Is there ransomware on macOS?

If you follow Mac security news, you know there’s been a lot of discussion about macOS ransomware of late.

Here’s the TL;DR: There is ransomware and active ransomware development for macOS—and although it’s not a clear and present danger, there’s good reason to think it will become a more serious threat in the future.

In this article, we’ll look at the issue of Mac ransomware, including its history, recent developments, and what lies ahead.

What is ransomware?

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) offers an excellent concise definition of ransomware:

Ransomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.

In addition to traditional file-encryption ransomware, threat actors use malware to infiltrate targets, steal sensitive data, and threaten to leak the data if a ransom is not paid. This is sometimes called “extortionware” but is essentially just ransomware that uses different tactics.

The impact of ransomware is significant. An IBM study puts the average cost of a ransomware attack—excluding the ransom itself—at $4.54 million. Analysts predict that global damages from ransomware could run as high as $30 billion. Tragically, ransomware attacks on hospitals have even been implicated in patient deaths.

But despite the gravity of the problem, ransomware has primarily been confined to Windows systems. Mac users have not had much reason to worry about ransomware threats (due in part to the strong security layering built into macOS via mechanisms like Gatekeeper and XProtect). However, there have been signs of ransomware on macOS in the past—and there are indications that widespread danger from Mac ransomware may be closer than we’d like to think.

Past examples of ransomware on macOS

Ransomware on macOS is not new. There have been several high-profile Mac ransomware variants in the past, including:

KeRanger: The first known example of macOS ransomware, KeRanger was discovered in 2016 and spread through Trojanized app installers.

Patcher: File encryption ransomware for macOS that was spotted in 2017.

ThiefQuest: A more recent (2020) malware variant, ThiefQuest appeared to have ransomware-like characteristics, although this later turned out to be a false alarm. 

But in addition to the notoriety they achieved, these macOS ransomware variants had one other thing in common: They were relatively low-level threats due to implementation or poor design. 

KeRanger, for example, was spread through compromised installers for the Transmission app. But both Apple and Transmission’s developers responded quickly, mitigating the impact of the ransomware.

Patcher was so poorly programmed that it had no way to communicate with its authors—meaning that they had no way to know whether or not a ransom had been paid. 

ThiefQuest used such a low standard of encryption that some speculated that its ransomware component was only included as a distraction from its spyware and data exfiltration functionality. This analysis turned out to be correct: Upon closer inspection, ThiefQuest was found to have no mechanism by which victim and attacker could contact one another for ransom payment and decryption key exchange. The “ransomware” component was a decoy. 

However, a new macOS ransomware threat has emerged in recent weeks: LockBit. LockBit is a well-known malware family produced by a criminal group of the same name. What’s new is that now, apparently, the LockBit ransomware gang is actively developing ransomware for macOS. And this Mac ransomware may represent a more serious threat than its forerunners. 

Is LockBit Apple Mac ransomware serious?

The assessment of the threat that LockBit ransomware poses to macOS has varied—from alarmist (“your Mac is no longer safe,” “dangerous ransomware”) to taunting (“half-baked Mac ransomware,” “Please, no need to fix these problems”).

A more measured response came from Mac malware researcher Patrick Wardle, who provided a detailed analysis of LockBit Mac ransomware on his technical blog. The bottom line is that in its current form, the macOS version of LockBit ransomware is very much a work in progress—but it’s worrying that a notorious cybercriminal organization is actively targeting macOS. To quote Wardle:

This sample is far from ready for prime time. From its lack of a valid code-signing signature to its ignorance of TCC and other macOS file-system protections, as it stands it poses no threat to macOS users. Moreover, the variant is rather buggy…containing flaws such as buffer overflows that will cause it to prematurely exit, when run on macOS.

Still…the fact that a large ransomware gang (LockBit) has apparently set its sights on macOS should give us all pause for concern. And, if nothing else, make sure we’re adequately prepared for future attacks that likely will be more polished and thus pose a greater risk…

The future of ransomware on macOS

Macs have been around for nearly four decades, and the first macOS ransomware variant was discovered seven years ago. So why are cybercriminals suddenly starting to take Mac ransomware development seriously?

The answer has to do with the growth of macOS—especially in the enterprise. In the past, there was little financial upside to attacking an operating system that few people used, and that was all but unknown in big businesses. To put it simply: Windows was where the money was at. But that was then, and this is now. And in 2023, Macs are booming. In the US alone, Macs account for nearly 1 in 4 computers in the enterprise. For the bad guys, macOS now represents an abundant source of high-value targets. Along with trends in the Apple Mac world, this greatly increases the likelihood that we will see true Mac ransomware someday soon.

As SecureMac’s Principal Malware Research Engineer Israel Torres puts it: 

macOS is an untapped resource for attackers. It is evolving from its former Intel-controlled platform to its newer Apple-controlled silicon. Apple is also rapidly changing how the macOS and iOS worlds coalesce; macOS and iOS are becoming closer than ever in terms of how they apply their security concepts. And attackers know they have a limited time to get into the game before it’s too late—especially with Apple’s planned obsolescence. It’s a race to the finish. Brace yourselves, macOS ransomware is coming.

For a deeper dive into the past and future of macOS ransomware, see Torres’s excellent piece in eForensics Magazine: Apple macOS Ransomware Where Art Thou?

Get the latest security news and deals