Novel NotLockBit Ransomware Targets MacOS Systems
NotLockBit is a newly identified ransomware strain, primarily targeting macOS systems, that mimics the well-known LockBit malware.
Written in Go, it affects both macOS and Windows platforms, using tactics like double extortion, encryption of victim files, and deletion of shadow copies to thwart data recovery efforts.
NotLockBit is distinctive because it masquerades as LockBit, including using a LockBit 2.0 desktop banner and ransom note to mislead victims and security researchers.
Distributed as an x86_64 binary, NotLockBit runs on Intel Macs and, through Rosetta emulation, on Apple silicon devices. It uses RSA asymmetric encryption to protect a generated master key, so files cannot be decrypted without the attacker-held private key.
The malware also exfiltrates data to an Amazon S3 bucket using hardcoded AWS credentials, which were later suspended following a report to Amazon, SecurityWeek reports.
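A static triage check built on the traits described above (an x86_64-only Mach-O, written in Go, with AWS credentials embedded in the binary), as an added example that is not from the original article or the researchers' tooling. The function names and the sample bytes are constructed for illustration; the Mach-O constants and the AWS access key ID format are the publicly documented ones.

```python
import re
import struct

# Mach-O constants from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>
MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACF, 0xCAFEBABE
CPU_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}
# AWS access key ID: AKIA (long-term) or ASIA (temporary) plus 16 characters
AWS_KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")


def macho_archs(data: bytes) -> list:
    """Return CPU architectures of a thin or fat Mach-O, [] if not Mach-O."""
    if len(data) < 8:
        return []
    if struct.unpack_from("<I", data)[0] == MH_MAGIC_64:   # thin, little-endian
        cpu = struct.unpack_from("<I", data, 4)[0]
        return [CPU_NAMES.get(cpu, hex(cpu))]
    if struct.unpack_from(">I", data)[0] == FAT_MAGIC:     # fat header is big-endian
        count = struct.unpack_from(">I", data, 4)[0]
        archs = []
        for i in range(min(count, 16)):                    # bound malformed counts
            off = 8 + i * 20                               # sizeof(struct fat_arch)
            if off + 4 > len(data):
                break
            cpu = struct.unpack_from(">I", data, off)[0]
            archs.append(CPU_NAMES.get(cpu, hex(cpu)))
        return archs
    return []


def triage(data: bytes) -> dict:
    """Collect the static traits worth escalating for manual analysis."""
    archs = macho_archs(data)
    return {
        "archs": archs,
        # x86_64 with no arm64 slice runs on Apple silicon only via Rosetta
        "rosetta_only": "x86_64" in archs and "arm64" not in archs,
        # Heuristic: marker the Go toolchain embeds in binaries it builds
        "go_binary": b"Go build ID: " in data,
        "aws_key_ids": sorted({m.group().decode() for m in AWS_KEY_ID.finditer(data)}),
    }


# Constructed sample: thin x86_64 Mach-O header, Go build ID marker, and the
# placeholder key ID used in AWS documentation (not a real credential).
SAMPLE = (struct.pack("<II", MH_MAGIC_64, 0x01000007) + b"\x00" * 24
          + b'\xff Go build ID: "constructed"\x00AKIAIOSFODNN7EXAMPLE\x00')

if __name__ == "__main__":
    print(triage(SAMPLE))
```

None of these traits is malicious on its own; the combination is a reason to prioritize a sample, and any key ID found should be reported to the cloud provider for revocation.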
Researchers believe this is the first “fully functional” ransomware targeting macOS and note that development is ongoing, with the potential for further releases soon.
In April 2023, researchers reported the discovery of the first iteration of macOS ransomware, assessed to have emerged as early as November 2022, that went undetected by antimalware engines on VirusTotal.
“While this may be the first time a large ransomware group created ransomware capable of running on macOS, it’s worth noting that this sample is far from ready for prime time,” Apple security expert Patrick Wardle explained at the time.
“From its lack of a valid code-signing signature to its ignorance of TCC and other macOS file-system protections, as it stands it poses no threat to macOS users.”
Looks like that’s not the case anymore.
Takeaway: NotLockBit is a deceptive cross-platform threat that targets both macOS and Windows systems, marking one of the first fully developed ransomware attacks for macOS that goes beyond prior proof-of-concept samples.
NotLockBit, written in the Go programming language, employs standard ransomware tactics: it encrypts files, deletes shadow copies to prevent recovery, and exfiltrates data to maximize impact with a double-extortion approach.
Using RSA asymmetric encryption, NotLockBit generates and encrypts a master key, rendering decryption impossible without access to the attacker-held private key.
Researchers who analyzed this ransomware suspect its distribution is in very early stages. Samples appeared on VirusTotal, suggesting that the ransomware's developers may be testing its impact.
We have already seen most major ransomware operators develop variants that target Linux systems. The emergence of macOS variants signifies a strategic move by attackers, whose traditional focus on Windows was largely due to its higher market share and return on investment.
The development of Linux and macOS ransomware strains increases the addressable target range for threat actors and the level of disruption they can bring in a ransomware attack.
The more pain a ransomware operator can inflict on their target, and the more disruptive they can make an attack, the higher the ransom they can demand.