“It would be naive to assume that LockBit is not continuing to iterate on this.”
For these reasons, only a small number of ransomware variants have previously been created for macOS, such as EvilQuest, MacRansom, FileCoder and KeRanger, and none has been particularly successful.
“While some security vendors have incorrectly made much of it in the past, the reality is that there is no publicly recorded case of any business ever paying a ransom demand as a result of macOS ransomware,” said Stokes. “This is not surprising when you look at the history of attempts to build ransomware on macOS to date.”
Apple’s built-in security mechanisms provide another roadblock for threat actors. While these protections are not foolproof, they succeed in weeding out less complex ransomware variants. Apple’s notarization process, for instance, requires developers to sign their apps and gain Apple’s approval before submitting them to the iOS or macOS app stores. The TCC (Transparency, Consent and Control) feature protects user files from access by applications and other processes, so if a threat actor’s code does somehow start accessing files, the operating system blocks it and alerts the user. Finally, Apple’s core operating system files sit on a read-only system volume, meaning that even if ransomware arrives via a remote exploit or manages to bypass notarization, it can’t easily modify the operating system’s files.
“Attackers need to take these into account in order to create a successful, efficient ransomware targeting macOS,” said Wardle. “It’s not impossible if you look at history as a guide, but it’s good that macOS at least has built-in protections that work out of the gate and that can maybe thwart less complex ransomware.”
These protections appear to work against the LockBit macOS variant. The malware cannot bypass TCC, and Apple’s codesign utility reports an invalid signature for it rather than a valid Apple Developer ID, for instance, meaning that macOS won’t let it run. Beyond that, the variant appears to be under active development: its binary looks like Linux code that has been compiled for macOS, and it contains various bugs, including buffer overflow flaws that cause it to crash on macOS.
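As an added example (not from the article or from any of the researchers quoted), here is a small offline triage check a defender can run on a suspicious sample before it ever gets near a Mac: it parses the Mach-O header to report the target CPU type and whether the file carries an LC_CODE_SIGNATURE load command at all. The constants come from Apple’s mach-o/loader.h; the two sample headers are constructed inside the script. Presence of a signature blob says nothing about its validity, which is what `codesign --verify` on macOS checks.

```python
import struct

# Constants from Apple's <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O, same byte order as the reader
MH_CIGAM_64 = 0xCFFAEDFE          # 64-bit Mach-O, byte-swapped
LC_CODE_SIGNATURE = 0x1D          # load command pointing at the signature blob
MH_EXECUTE = 0x2
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def is_macho64(blob):
    """True if the first four bytes are a thin 64-bit Mach-O magic (ELF, fat, 32-bit: False)."""
    return len(blob) >= 4 and struct.unpack_from("<I", blob, 0)[0] in (MH_MAGIC_64, MH_CIGAM_64)


def parse_macho64(blob):
    """Return (cputype, [load command ids]) for a thin 64-bit Mach-O."""
    if not is_macho64(blob) or len(blob) < 32:
        raise ValueError("not a thin 64-bit Mach-O")
    end = "<" if struct.unpack_from("<I", blob, 0)[0] == MH_MAGIC_64 else ">"
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    _, cputype, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(end + "8I", blob, 0)
    cmds, off, limit = [], 32, 32 + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > len(blob) or off + 8 > limit:
            raise ValueError("load commands run past sizeofcmds or end of file")
        cmd, cmdsize = struct.unpack_from(end + "2I", blob, off)
        if cmdsize < 8 or off + cmdsize > limit:
            raise ValueError("malformed load command size")   # hostile header, stop here
        cmds.append(cmd)
        off += cmdsize
    return cputype, cmds


def triage(blob):
    """What the header alone tells a defender: architecture and whether a signature blob exists."""
    cputype, cmds = parse_macho64(blob)
    return {"arch": CPU_NAMES.get(cputype, hex(cputype)),
            "has_signature_blob": LC_CODE_SIGNATURE in cmds}


def build_sample(signed):
    """Constructed arm64 MH_EXECUTE header (not a real binary), with or without LC_CODE_SIGNATURE."""
    cmds = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0x4000, 0x200) if signed else b""
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1 if signed else 0, len(cmds), 0, 0)
    return header + cmds


if __name__ == "__main__":
    for signed in (True, False):
        print(triage(build_sample(signed)))
```

A sample that is a Mach-O but has no LC_CODE_SIGNATURE at all cannot have been notarized, which is a quick way to sort a pile of samples before spending time on the ones that at least look signed.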