
The Rise of LockBit: Ransomware Evolution Targets Apple M1 Chips and Embedded Systems


LockBit Gang Expanding to New Architectures, Posing Risks for Victims

The LockBit gang, known for its ransomware attacks, is now building malware for new architectures, making it a potential threat for victims using systems beyond Windows. In a recent blog, researchers from Kaspersky came across a .ZIP file containing LockBit malware samples. These samples revealed that LockBit has been targeting FreeBSD and Linux, as well as embedded technologies, including instruction set architecture (ISA) firmware for CPUs like ARM, MIPS, ESA/390, and PowerPC, and even Apple M1, an ARM-based system-on-chip (SoC) used in Mac and iPad devices. While the samples were still a work in progress, the development of these new ransomware variants could help LockBit stay relevant and attract talent in a competitive Ransomware-as-a-Service (RaaS) marketplace.

Concerns over Embedded Ransomware

LockBit's shift to targeting embedded systems and IoT devices is a cause for concern for defenders. Security analysts have previously raised alarms about the vulnerabilities associated with Android SoCs in 2021, Apple M1 in 2022, and vulnerabilities in popular AMI SoCs that were exposed earlier this year. While major attacks on embedded devices have not yet been demonstrated in the wild, increased reporting suggests a growing trend of using these devices for persistence.

Embedded systems and IoT devices present unique challenges for ransomware attackers, such as resource constraints, limited processing power, and specific hardware configurations. Callie Guenther, a cyber threat research senior manager at Critical Start, explains that ransomware designed for SoCs needs to be adapted to these limitations and specialized environments. Additionally, SoCs often run specialized firmware or customized operating systems, which may require different approaches for payload delivery, execution, and evasion techniques. Exploiting specific vulnerabilities or weaknesses within the firmware or system architecture is necessary to gain control over the device and encrypt its data.

Jason Baker, threat intelligence analyst at GuidePoint Security, speculates that targeting SoCs, especially those not currently targeted by other groups, may enhance LockBit's brand strength and prestige. By demonstrating the group's in-house expertise and resources, LockBit can position itself as a pioneer in the ransomware ecosystem.

Challenges in Combating Embedded Malware

The emergence of ransomware targeting embedded technologies poses unique challenges for defenders. Adam Pennington, project leader for MITRE, highlights that most enterprises focus their security efforts primarily on Windows systems, ignoring the presence of other server and embedded operating systems within their networks. This creates opportunities for attackers to evade existing defenses by targeting alternate platforms. For example, an attacker could infect a network, clean up the systems they have visibility and tools to manage, but leave behind an implant on an unnoticed system running on a different architecture.

To prevent attackers from taking advantage of overlooked systems, organizations need to broaden their security measures to include a diverse set of operating systems and architectures. It is crucial to secure not only Windows systems but also other platforms often used but frequently forgotten. Pennington emphasizes that most organizations are running systems with these types of operating systems and chips, even if they are unaware of it.

Editorial: Strengthening Security in the Face of Evolving Threats

The evolving landscape of ransomware attacks demands a proactive approach from organizations and individuals to strengthen security measures. With LockBit's expansion into new architectures, it is essential to recognize that the threats posed by ransomware extend beyond traditional operating systems.

Organizations must acknowledge the vulnerabilities in embedded systems and IoT devices. Implementing cybersecurity measures tailored to these specialized environments, including resource constraints and specific hardware configurations, is crucial. This includes regularly patching and updating firmware, running security audits, and monitoring for any signs of compromise.

Furthermore, it is vital to adopt a holistic approach to security that encompasses different operating systems and architectures, rather than solely focusing on Windows systems. By diversifying security measures, organizations can mitigate the risk of attacks targeting overlooked platforms and strengthen their overall defense posture.

Individuals should also ensure they are running the latest software versions, enabling automatic updates for all devices, and exercising caution when opening suspicious emails or downloading files from untrusted sources. Additionally, backing up important data to offline or cloud storage regularly is a crucial step in mitigating the impact of a potential ransomware attack.

Given the ever-evolving nature of cyber threats, collaboration between cybersecurity researchers, law enforcement agencies, and technology companies becomes indispensable. Sharing information, vulnerabilities, and best practices helps in staying a step ahead of cybercriminals and protecting critical systems.

With embedded ransomware on the rise, investing in cybersecurity measures and adopting a proactive mindset is no longer optional but necessary for the protection of individuals, organizations, and critical infrastructure.


