Home / Threat Intelligence bulletins / LockBit ransomware targeting macOS devices

Target Industry

Indiscriminate, opportunistic targeting.


LockBit, a high-profile cybercrime group with links to the Russian state, has recently been reported to have created encryptors for macOS devices. This is likely to be the first major ransomware operation which is seen to be targeting macOS devices specifically.

The encryptor detected is seen as “locker_Apple_M1_64”, which targets newer Mac devices running on Apple Silicon. The encryptor is seen to be within development at this current stage. Analysis of the strings within the encryptor showed multiple references to VMware ESXi as well as a list of Windows files to exclude from encryption.


While at the current time the encryptor is viewed to not be fully functioning, it is actively being developed, therefore it is showing intent for future targeting.

Moreover, successful exploitation by LockBit ransomware will result in the encryption and exfiltration of significant quantities of data held on the compromised device or system, prior to a ransom of a predetermined amount being demanded. Encrypted data may include private customer data, corporate finance data and system credentials that, if released, could provide threat actors with further targeting opportunities.

Vulnerability Detection

An endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide detection and protection against ransomware threats.

Affected Products

Apple macOS devices operating on Apple Silicon.

Containment, Mitigations & Remediations

It is advised that users avoid opening unknown attachments and executables due to an initial ingress mechanism used by LockBit seen as phishing attacks, as well as using strong and unique passwords. Any system suspected to be compromised by LockBit ransomware should be isolated from the network to prevent further devices becoming compromised.

A primary method of reducing the threat of LockBit ransomware is to detect it in the early stages through the use of an effective and monitored EDR solution. An effective EDR tool such as the Microsoft Defender suite will block ransomware attempts once detected.

Organisations can also perform routine back-ups of sensitive data (with stored offline copies) that are required to operate business procedures. Therefore, if a breach occurs and the business can no longer function, a back-up is ready to resort to, and the business can continue to operate with minimal disruption.

Indicators of Compromise

LockBit associated domains:

– manfil[.]com[.]br
– cobcreditunion[.]com
– df[.]senac[.]br
– electronicsystem[.]it
– garrottbros[.]com
– grupcovesa[.]com
– piramal[.]com
– rimex[.]com
– skywayendo[.]com
– swiftatlanta[.]com
– tecnosysitalia[.]eu
– valleywomenshealth[.]com
– hacla[.]org
– capsonic[.]com
– cornwelltools[.]com
– farms[.]com
– imacorp[.]com
– info[.]openjdklab[.]xyz
– sappi[.]com
– sterlingcheck[.]com

LockBit Associated File Hashes (SHA-256):

– 060bd55768e0edc037651bf50c54248e9451d57d4da795b9d8ea03829085cea1
– 6490c1fec33f70d41c8112be2022d5f656c5d060b12db00a8f945938fda2cab5

LockBit Associated File Hashes (SHA-1):

– 729eb505c36c08860c4408db7be85d707bdcbf1b
– 091b490500b5f827cc8cde41c9a7f68174d11302
– e35a702db47cb11337f523933acd3bce2f60346d
– a512215a000d1b21f92dbef5d8d57a420197d262
– c05216f896b289b9b426e249eae8a091a3358182
– 10039d5e5ee5710a067c58e76cd8200451e54b55
– 82bd4273fa76f20d51ca514e1070a3369a89313b
– eed31d16d3673199b34b48fb74278df8ec15ae33
– 0815277e12d206c5bbb18fd1ade99bf225ede5db
– ff01473073c5460d1e544f5b17cd25dadf9da513

LockBit Associated File Hash (MD5):

– f9ab1c6ad6e788686509d5abedfd1001
– 5e54923e6dc9508ae25fb6148d5b2e55
– 13b12238e3a44bcdf89a7686e7179e16
– bf331800dbb46bb32a8ac89e4543cafa
– ad444dcdadfe5ba7901ec58be714cf57
– 1690f558aa93267b8bcd14c1d5b9ce34
– 56c9c8f181803ece490087ebe053ef72

LockBit Associated IP Addresses:

– 139[.]180[.]184[.]147
– 149[.]28[.]137[.]7
– 45[.]32[.]108[.]54

Threat Landscape

Ransomware continues to be one of the prominent threats facing all industry sectors. Recent attacks, as well as the developing nature of the ransomware threat landscape, suggest that the threat is growing as cybercriminal groups are becoming more comfortable demanding ever-increasing ransom quantities.

It should be noted that Windows has typically been the most targeted operating system for ransomware attacks. However, nothing prevents malware developers from creating ransomware that is tailored to target macOS systems. LockBit operators are notorious for continuously enhancing their toolset. It is therefore likely that more advanced encryptor variants will emerge for these CPU architectures in the future.

Threat Group

LockBit, one of the most prominent ransomware groups, is believed to have ties to Russia, with some level of state approval. They utilise a Ransomware-as-a-Service (RaaS) model, recruiting affiliates who would otherwise lack the capabilities to carry out attacks using their infrastructure in exchange for a share of the ransom. In 2022, LockBit was responsible for approximately 40% of ransomware related data leaks against financial institutions.

Mitre Methodologies

T1059 – Command and Scripting Interpreter
T1005 – Data from Local System
T1078 – Valid Accounts
T1140 – Deobfuscate/Decode Files or Information
T1189 – Drive-by Compromise
T1195 – Supply Chain Compromise
T1486 – Data Encrypted for Impact
T1566 – Phishing

Further Information

LockBit ransomware encryptors found targeting Mac devices
LockBit now targeting Apple
Quorum Cyber Malware Reports

Intelligence Terminology Yardstick