New “NotLockBit” Ransomware Attack Windows and macOS

A sophisticated new ransomware family, dubbed NotLockBit, is creating waves in the cybersecurity world with its advanced capabilities and cross-platform functionality. Mimicking the techniques of the infamous LockBit ransomware, NotLockBit has proven to be a formidable new threat, targeting both macOS and Windows operating systems with tailored attack strategies.

Distributed as an x86_64 binary written in the Go programming language, NotLockBit is packed with advanced features that enhance its efficiency and destructiveness. Key functionalities include:

• Targeted File Encryption: The ransomware uses robust encryption protocols like AES and RSA to encrypt sensitive data, rendering it inaccessible without the attacker’s private decryption key.
• Data Exfiltration: Stolen data is transferred to attacker-controlled repositories, such as Amazon S3 buckets, enabling double -extortion, threatening both data loss and data exposure.
• Self-Deletion Mechanisms: To eliminate recovery options, NotLockBit deletes its own traces, including shadow copies and its execution binary.

Cybersecurity researchers at Qualys identified NotLockBit as an advanced and highly adaptive ransomware strain. “This new variant demonstrates significant sophistication, combining encryption, data theft, and self-removal to maximize its impact,” the researchers noted.

Technical Breakdown: How NotLockBit Works

Upon execution, NotLockBit initiates a detailed reconnaissance phase, particularly optimized for macOS environments. Using the go-sysinfo module, the ransomware gathers extensive system information, including:

• Hardware specifications
• Operating system version
• Network configurations
• Unique identifiers (UUIDs)

The ransomware employs a multi-step encryption strategy:

1. Decodes an embedded RSA public key from a PEM file.
2. Generates a random master encryption key, encrypted using the extracted RSA public key.
3. Encrypts user files, circumventing critical system directories such as /proc/, /sys/, and /dev/.

Encrypted files retain their original location but are renamed with a unique identifier followed by an .abcd extension. The original files are deleted, making file recovery without the private decryption key nearly impossible.

NotLockBit prioritizes a wide range of file types to maximize damage, including:

• Personal documents: .doc, .pdf, .txt
• Professional files: .csv, .xls, .ppt
• Multimedia: .jpg, .png, .mpg
• Virtual machine data: .vmdk, .vmsd, .vbox

This deliberate selection highlights the ransomware’s focus on high-value data.

In addition to encryption, NotLockBit exfiltrates sensitive files to attacker-controlled cloud storage, primarily leveraging Amazon S3 buckets. This allows attackers to threaten victims with public release or sale of stolen data, increasing pressure to pay the ransom.

For macOS users, NotLockBit employs the osascript command to programmatically change the desktop background, replacing it with a ransom note. This serves as a visual marker of the attack’s conclusion.

The ransomware wraps up its attack by executing a self-deletion mechanism:

• Removing its binary from the infected system.
• Deleting shadow copies to hinder recovery efforts.

NotLockBit employs varying levels of obfuscation to hinder detection and analysis. While some samples exhibit visible function names, others are fully obfuscated or stripped, complicating reverse-engineering efforts. Certain variants omit data exfiltration entirely, suggesting ongoing development or customization for specific attack scenarios.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Detection and Mitigation Strategies

Given the sophistication of NotLockBit, robust detection and mitigation measures are essential. Qualys has confirmed the ability of its EDR & EPP solutions to detect and quarantine the ransomware upon download.

To combat ransomware threats like NotLockBit, organizations are advised to implement the following best practices:

1. Regular Backups: Maintain offline backups of critical data to ensure recovery options.
2. Endpoint Protection: Deploy advanced detection solutions to identify malicious behaviors early.
3. Network Security: Use firewalls, intrusion detection systems (IDS), and strict access controls.
4. Employee Training: Educate users on recognizing phishing and other social engineering tactics.

The emergence of a cross-platform ransomware family like NotLockBit marks a concerning evolution in the ransomware landscape. Its ability to target both macOS and Windows systems, combined with advanced obfuscation, data theft, and a self-deleting mechanism, underscores the growing sophistication of modern cyberattacks.

Security professionals need to maintain vigilance, as NotLockBit and other emerging threats continue to expand the capabilities of ransomware. Comprehensive defenses, proactive monitoring, and continuous education will be critical in mitigating the impact of these advanced threats.

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide