Power Mac ransomware? Yes, but it's complicated

Wired ran an article today (via Ars Technica) about apparent macOS-compatible builds of LockBit, a prominent encrypting ransomware suite, such as this one for Apple silicon. There have been other experimental ransomware samples that have previously surfaced but this may be the first known example of a prominent operation specifically targeting Macs, and it is almost certainly not the last.

What caught my eye in the article was a report of PowerPC builds. I can't seem to get an alleged sample to analyse (feel free to contact me at ckaiser at floodgap dawt com if you can provide one) but the source for that assertion appears to be this tweet.

Can that file run on a Power Mac? It appears it's indeed a PowerPC binary, but the executable format is ELF and not Mach-O, so the file can only run natively on Linux or another ELF-based operating system, not PowerPC Mac OS X (or, for that matter, Mac OS 9 and earlier). Even if the raw machine code were sprayed into memory for an exploitable Mac application to be tricked into running, ELF implies System V ABI, which is similar but different from the PowerOpen ABI used for PowerPC-compatible versions of Mac OS, and we haven't even started talking about system calls. Rather than a specific build targetting Power Macs, most likely this is evidence that the LockBit builders simply ran every crosscompiler variation they could find on their source code: there are no natively little-endian 32-bit PowerPC CPUs, for example, yet there's a ppcle build visible in the screenshot. Heck, there's even an s390x build. Parents, don't let your mainframes out unsupervised.

This is probably a good time to mention that I've been working on security patches for TenFourFox and a couple minor feature adjustments, so stay tuned. It's been awhile but such are hobbies.