What Is locker_Apple_M1_64 (LockBit Mac File Virus)?
Security researchers detected a macOS variant of the infamous LockBit ransomware. On April 15th, MalwareHunterTeam tweeted about a new LockBit ransomware variant that is targeting macOS users.
LockBit, a successful cybercrime operation with ties to Russia, has been active since late 2019. The group has released two major updates to the ransomware consequently in 2021 and 2022, one of which is the macOS variant. This variant remained undetected for some time, but fortunately, now most of VirusTotal’s security engines are able to “catch” its malicious file.
LockBit Mac Virus – Details
| Name | locker_Apple_M1_64 |
| File Extension | .lockbit |
| Type | Ransomware, Cryptovirus |
| Symptoms | locker_Apple_M1_64 aims to encrypt files and rename them with the .lockbit extension. |
| Distribution Method | Spam Emails, Email Attachments |
| Detection Tool |
See If Your Mac Has Been Affected by locker_Apple_M1_64
Download
Malware Removal Tool
|
locker_Apple_M1_64 Mac File Virus Technical Overview
An examination of the new macOS version (“locker_Apple_M1_64”) shows that it is still unfinished, with an invalid signature being used to validate the executable. Consequently, Apple’s Gatekeeper security feature will prevent the ransomware from being launched even if it is downloaded to a device. Security researcher Patrick Wardle noticed that the payload includes files such as autorun.inf and ntuser.dat.log, indicating that the ransomware was designed to target Windows.
Wardle noted the presence of System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC) in Apple’s security measures, which protect users’ files and data from unauthorized code execution without an exploit or user-approval. Despite the artifacts’ faults, Wardle suggested that an extra layer of detection and protection may be necessary, due to the growing interest in macOS systems from malicious actors.
locker_Apple_M1_64 Ransom Note
~~~ LockBit 3.0 the world’s fastest and most stable ransomware from 2019~~~
>>>>> Your data is stolen and encrypted.
If you don’t pay the ransom, the data will be published on our TOR darknet sites. Keep in mind that once your data appears on our leak site, it could be bought by your competitors at any second, so don’t hesitate for a long time. The sooner you pay the ransom, the sooner your company will be safe.Tor Browser Links:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion
Links for normal browser:
http://lockbitapt2d73krlbewgv27tquljgxr33xbwwsp6rkyieto7u4ncead.onion.ly
http://lockbitapt2yfbt7lchxejug47kmqvqqxvvjpqkmevv4l3azl3gy6pyd.onion.ly
http://lockbitapt34kvrip6xojylohhxrwsvpzdffgs5z4pbbsywnzsbdguqd.onion.ly
http://lockbitapt5x4zkjbcqmz6frdhecqqgadevyiwqxukksspnlidyvd7qd.onion.ly
http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion.ly
http://lockbitapt72iw55njgnqpymggskg5yp75ry7rirtdg4m7i42artsbqd.onion.ly
http://lockbitaptawjl6udhpd323uehekiyatj6ftcxmkwe5sezs4fqgpjpid.onion.ly
http://lockbitaptbdiajqtplcrigzgdjprwugkkut63nbvy2d5r4w2agyekqd.onion.ly
http://lockbitaptc2iq4atewz2ise62q63wfktyrl4qtwuk5qax262kgtzjqd.onion.ly
…
>>>> Very important! For those who have cyber insurance against ransomware attacks.
Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations. The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount. For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars. He will do anything to derail negotiations and refuse to pay us out completely and leave you alone with your problem. If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we
>>>>> If you do not pay the ransom, we will attack your company again in the future.
Remove locker_Apple_M1_64 (LockBit Mac Ransomware)
Step 1: Start or reset your Mac device and then hold the SHIFT key. The Apple logo shall appear on your display.
Step 2: You will see a login Window. When you see it, release the SHIFT key and you are done. You might be asked to enter your username and password for verification.
In addition to these steps, you could also apply the following fixes to your Mac:
1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
2. Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users//Library/kernel_service”. If so, the process is the ransomware virus’s main process. We suggest terminating it with “Quit -> Force Quit”.
3. After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in ~/Library directory. If so, you should delete them.
For maximum effectiveness, we recommend scanning your Mac with a professional anti-malware program, besides doing the fixes below.
When it comes to your files, we suggest backing them up. You could also try using Data Recovery software or other types of damage control programs.
Unlike Windows operating system, removing ransomware from Mac may be a more complicated process. Some viruses, like the Padlock ransomware for Mac aim to lock your entire screen, preventing you from even accessing your Mac. For those cases, it is required to do the fixes we have provided in the instructions below in Safe Mode on Mac. To boot your Mac In Safe Mode, folow these steps:
Step 1: Start or reset your Mac device and then hold the SHIFT key. The Apple logo shall appear on your display.
Step 2: You will see a login Window. When you see it, release the SHIFT key and you are done. You might be asked to enter your username and password for verification.
In addition to those steps, you could also additionally apply the following fixes to your Mac:
1. Using either Terminal or Finder, check whether /Applications/Transmission.app/Contents/Resources/ General.rtf or /Volumes/Transmission/Transmission.app/Contents/Resources/ General.rtf exist. If any of these exist, the Transmission application is infected and we suggest deleting this version of Transmission.
2. Using “Activity Monitor” preinstalled in OS X, check whether any process named “kernel_service” is running. If so, double check the process, choose the “Open Files and Ports” and check whether there is a file name like “/Users//Library/kernel_service”. If so, the process is the ransomware virus’s main process. We suggest terminating it with “Quit -> Force Quit”.
3. After these steps, we also recommend users check whether the files “.kernel_pid”, “.kernel_time”, “.kernel_complete” or “kernel_service” existing in ~/Library directory. If so, you should delete them.
For maximum effectiveness, we recommend scanning your Mac with a professional anti-malware program, besides doing the fixes below. Such specific program will effectively make sure to detect and remove any viruses from your Mac and locate and eliminate all of the malicious components safely.
And when it comes to your files, we suggest to back them up and look for an update of your virus from researchers in the future. In the meantime you could try using Data Recovery or other types of damage control programs.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: