Home / Threat Intelligence bulletins / LockBit gang discovered developing new ransomware variant targeting Apple products

Target Industry

Indiscriminate, opportunistic attacks.


The ransomware gang LockBit are believed to be developing new ransomware targeting Apple products, following the discovery of a compressed archive containing various unfinished ransomware samples.

The discovered ransomware was identified to be targeting Linux systems and architectures such as Microprocessor without Interlocked Pipelined Stages (MIPS), Advanced RISC Machines (ARM) and the M1 used in various Apple products such as Mac and iPad.

Although these ransomwares have not been actively exploited yet in the wild, the group is believed to have the required resources to develop effective ransomware and this recent development should be monitored.


If a threat actor was able to deploy ransomware onto a system, it would allow encryption of all data stored on the device followed by the demand for a monetary sum to decrypt the device. If a ransom is unpaid and no remediation is done, a threat actor will commonly wipe the device of all data leading to the loss of sensitive customer or organisational data.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against ransomware threats. EDRs can alert system users of potential breaches and prevent further progress, prior to the malware being able to implement significant damage.

Affected Products

Apple products.

Containment, Mitigations & Remediations

As mentioned previously, it is recommended that an EDR solution is implemented which will allow for the prevention or mitigation of potential attacks from a wide range of threats in real time.

All devices should implement the most recent vendor updates available as these will contain updates to their security features to help prevent exploitation from known threats.

Indicators of Compromise

Please refer to the Quorum Cyber Threat Intelligence malware report for LockBit3.0 for further details.

Threat Landscape

It has been a long-held conception that Apple products are impervious to sophisticated malware threats, but this has been proven wrong in recent years due to threat groups turning to target Apple products. As Apple products hold such a large market share, naturally they have become a target for more modern threats.

Threat Group

The LockBit ransomware gang is now the most prevalent ransomware gang in the world, with their malware accounting for nearly a third of all reported ransomware attacks globally. Their choice of targeting is diverse and does not focus on a single industry sector, making it challenging to predict their next victim. The current development of the LockBit gang pivoting to alternative architectures indicates that it is likely that they are considering bypassing the typical Windows targets to expand their attack surface and remain relevant within the cyber threat landscape.

Additionally, the LockBit gang functions via two main methods of operation. These include direct action taken by the gang against a chosen target using their own ransomware strain, and the sale of temporary licences to cybercriminals. This distribution of licences forms LockBit’s Ransomware-as-a-Service (RaaS) and is especially dangerous, as it enables threat actors to independently target organisations deemed to be of interest.

Mitre Methodologies


T1204.002 – Malicious File

Further Information

LockBit Green and phishing that targets organizations


An Intelligence Terminology Yardstick to showing the likelihood of events