Introduction

A new cyber threat has emerged, targeting both Windows and macOS devices [8]. Identified as ‘macOS NotLockBit’ by SentinelLabs [6], this ransomware mimics the notorious LockBit ransomware, exploiting its reputation to deceive victims and security researchers. Notably, it is the first fully functional ransomware specifically designed for macOS [4], surpassing previous proof-of-concept samples [4].

Description

A cyber threat actor has been utilizing an old LockBit builder to experiment with ransomware targeting both Windows and Apple’s macOS devices, identified as ‘macOS NotLockBit’ by SentinelLabs [6]. This sophisticated strain of malware mimics the well-known LockBit ransomware, leveraging the group’s reputation to mislead victims and security researchers while enhancing its profile to evade law enforcement. NotLockBit is notable for being the first fully functional ransomware specifically targeting macOS, surpassing previous proof-of-concept samples [4]. Written in the Go programming language [7], it is distributed as an x86-64 binary [3] [7], designed to run on Intel Macs or on Apple silicon Macs with Rosetta emulation [6].

Upon execution, NotLockBit collects system information [1] [6] [8] [9], including the host machine’s UUID, and generates a master key for file encryption [9]. It scans the system’s root directory on macOS [8], specifically targeting valuable files such as documents and images while avoiding certain directories to evade detection. The ransomware attempts to exfiltrate user data to an attacker-controlled Amazon S3 bucket, reportedly abusing Amazon S3’s Transfer Acceleration feature for this purpose [9], using hardcoded AWS credentials [2] [4]. While encrypting the remaining data on the Mac [3], it employs RSA-2048 asymmetric encryption with an embedded public key, making unauthorized decryption difficult without the attacker’s private key [5]. The ransomware selects files for encryption based on their extensions [9] and renames them using the format [original file name].[initialization vector].abcd [1] [2] [10], for example changing “1.jpg” to “1.jpg.3544329bb141eea628f7c3bff6c79c11.abcd”. It also generates a ransom note with payment instructions, typically demanding cryptocurrency, and threatens permanent data loss if the ransom is not paid within a specified timeframe [10]. Additionally, it places a README.txt file in each folder and changes the device’s wallpaper using the “osascript” command to display a LockBit 2.0 banner, likely to coerce victims into paying [9].
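As an added example, not code from the original report or from any of its cited sources, the following Python scanner turns the two file-system artifacts described above into a triage check: file names of the form [original file name].[initialization vector].abcd and a README.txt note in each affected folder. The directory listing it runs over is constructed for the example, and the assumption that the initialization-vector component is 32 hexadecimal characters is inferred from the single example name the report gives (“1.jpg.3544329bb141eea628f7c3bff6c79c11.abcd”); adjust the pattern if you observe samples that differ.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Renaming pattern described in the report: <original name>.<IV>.abcd
# Assumption (from the report's one example): the IV component is 32 hex chars.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<iv>[0-9a-f]{32})\.abcd$", re.IGNORECASE
)
RANSOM_NOTE = "README.txt"  # dropped in each folder per the report


def parse_encrypted_name(name):
    """Return (original_name, iv_hex) if `name` matches the renaming pattern, else None."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    return m.group("original"), m.group("iv").lower()


def scan_listing(paths):
    """Triage a list of file paths (e.g. the output of `find /Users -type f`).

    Returns a summary with every file matching the encrypted-name pattern,
    a count of the original extensions that were hit, the folders that hold
    both encrypted files and a README.txt (the strongest signal), and the
    number of distinct IVs seen (a per-file IV should give one per file).
    """
    encrypted = []
    note_dirs = set()
    ext_counter = Counter()
    for p in paths:
        path = PurePosixPath(p)
        if path.name == RANSOM_NOTE:
            note_dirs.add(str(path.parent))
            continue
        parsed = parse_encrypted_name(path.name)
        if parsed:
            original, iv = parsed
            encrypted.append({"path": p, "original": original, "iv": iv})
            ext_counter[PurePosixPath(original).suffix.lower()] += 1
    hit_dirs = {str(PurePosixPath(e["path"]).parent) for e in encrypted}
    return {
        "encrypted": encrypted,
        "extensions": dict(ext_counter),
        "dirs_with_note_and_encrypted": sorted(hit_dirs & note_dirs),
        "unique_ivs": len({e["iv"] for e in encrypted}),
    }


# Constructed sample listing: three encrypted files, two notes, and two
# decoys that must NOT match (a plain .abcd name and untouched files).
SAMPLE_LISTING = [
    "/Users/alice/Documents/1.jpg.3544329bb141eea628f7c3bff6c79c11.abcd",
    "/Users/alice/Documents/report.docx.0f1e2d3c4b5a69788796a5b4c3d2e1f0.abcd",
    "/Users/alice/Documents/README.txt",
    "/Users/alice/Pictures/holiday.png.aabbccddeeff00112233445566778899.abcd",
    "/Users/alice/Pictures/notes.txt",
    "/Users/alice/Downloads/installer.pkg",
    "/Users/alice/Downloads/README.txt",   # note without encrypted files beside it
    "/Users/alice/Library/Caches/x.abcd",  # wrong shape: no 32-hex IV component
]

if __name__ == "__main__":
    summary = scan_listing(SAMPLE_LISTING)
    print(f"encrypted files: {len(summary['encrypted'])}")
    print(f"extensions hit: {summary['extensions']}")
    print(f"folders with note + encrypted files: {summary['dirs_with_note_and_encrypted']}")
```

On a real host, feed `scan_listing` the lines of a `find` run over user home directories rather than the constructed list; a folder that appears in `dirs_with_note_and_encrypted` is the one to preserve for forensics before any cleanup, since the note and the renamed files together are what distinguishes this family from an unrelated `.abcd` extension.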

Despite the name association, macOS NotLockBit does not utilize any LockBit builders and is not affiliated with the original LockBit group, which has been significantly impacted by law enforcement actions [6]. The genuine LockBit group had previously developed a macOS version of its ransomware, but it was deemed ineffective due to bugs [3]. The LockBit 3.0 builder, released in March 2022, has been leaked [6] [7], giving lower-skilled hackers access to ransomware tools; however, current activity related to macOS NotLockBit does not reflect the original LockBit group’s operations [6].

The discovery of NotLockBit has mitigated its immediate threat, as the threat actors inadvertently alerted researchers by uploading it to VirusTotal, prompting action from the security community that led to the suspension of the AWS accounts used for data exfiltration [3]. Although the malware appears to be in development and has not been observed in active attacks [7], there is evidence of ongoing development [5], and continued vigilance is necessary [3], as further variants of this malware may emerge in the future. NotLockBit is designed to exploit user behavior, particularly users’ tendency to bypass warning messages from the macOS Transparency, Consent, and Control (TCC) framework [5].

To protect macOS systems from NotLockBit, implementing DNS filtering as part of a layered defense strategy is recommended [4]. This approach can prevent ransomware deployment by blocking connections to malicious domains, disrupting the steps attackers need to steal and encrypt data and thereby mitigating potential harm [4]. Organizations with Mac users should implement security solutions to safeguard against potential threats [3], as the use of double extortion tactics—combining data theft and file encryption—is on the rise [9], even though macOS ransomware remains a relatively small threat [9]. Additionally, practicing safe online behavior, maintaining regular backups on external drives or secure cloud storage, and keeping antivirus and anti-malware software updated are crucial steps [1]. Regular updates to operating systems, browsers, and software help close security gaps [1], while users should remain vigilant against suspicious emails, attachments, and links [1] [4] [7] and exercise caution when downloading files from unknown sources [1]. Paying the ransom does not guarantee the return of the decryption key, leaving victims vulnerable [10]. SentinelOne customers are protected from all variants of this malware both pre- and on-execution [9].

Conclusion

The emergence of macOS NotLockBit highlights the evolving landscape of ransomware threats, particularly targeting macOS systems. While its immediate threat has been mitigated, the potential for future variants necessitates ongoing vigilance and robust security measures. Organizations and individuals must adopt comprehensive defense strategies, including DNS filtering [4], regular software updates, and safe online practices, to protect against such sophisticated threats. The rise of double extortion tactics further underscores the importance of maintaining secure backups and exercising caution with digital interactions.

References

[1] https://www.cyclonis.com/remove-notlockbit-ransomware/
[2] https://blogs.npav.net/blogs/post/ransomware-gangs-impersonate-lockbit-to-intimidate-victims-and-leverage-aws-in-latest-attacks
[3] https://www.tripwire.com/state-of-security/notlockbit-rransomware-discovery-serves-wake-call-mac-users
[4] https://heimdalsecurity.com/blog/notlockbit-ransomware-targets-both-windows-and-macos/
[5] https://www.channele2e.com/brief/apple-computers-targeted-with-macos-notlockbit-ransomware
[6] https://www.infosecurity-magazine.com/news/macos-ransomware-attempts-leverage/
[7] https://www.heise.de/en/news/Security-researchers-have-discovered-functional-macOS-malware-9993694.html
[8] https://www.pcrisk.com/removal-guides/31354-notlockbit-ransomware
[9] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-43-6/
[10] https://www.itfunk.org/cyber-threats/ransomware/notlockbit-ransomware-removal/