New Ransomware Malware Can Target MacOS Devices
A new macOS malware family has emerged, posing a significant threat by mimicking the notorious LockBit ransomware
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
A new macOS malware family has emerged, posing a significant threat by mimicking the notorious LockBit ransomware. Security researchers have raised concerns about this malware, named NotLockBit, which is capable of encrypting files and using double extortion tactics. The new strain has distinctive features, such as targeting both Windows and macOS systems, and employs the techniques typically associated with ransomware campaigns.
The Mechanics of NotLockBit
Written in the Go programming language, NotLockBit targets both Windows and macOS environments. Its functionality revolves around the same core tactics seen in other ransomware families: data theft, file encryption, and the deletion of shadow copies to prevent data recovery. What sets this malware apart is its ability to impersonate the LockBit ransomware group, which has been disrupted by law enforcement efforts in 2024.
SentinelOne, which first identified this malware, highlights that NotLockBit is distributed as an x86_64 binary, meaning it runs natively on Intel-based macOS devices and on Apple Silicon devices through the Rosetta 2 translation layer.
Once executed, NotLockBit begins by gathering system information. It then generates a master key during the file encryption process and protects that master key with RSA asymmetric encryption using the attacker's public key. Because the master key can only be decrypted with the private key held by the attacker, data recovery is almost impossible without paying the ransom.
The LockBit Impersonation
One of the most distinctive aspects of this malware is its impersonation of LockBit, a well-known ransomware group that was disrupted earlier in 2024. NotLockBit appends the .abcd extension to all encrypted files and drops a ransom note in each folder, similar to LockBit’s known tactics. It even goes so far as to replace the desktop wallpaper with a LockBit 2.0 banner, furthering the impersonation.
However, researchers note that this ransomware is not genuinely linked to the LockBit group. The impersonation is likely an attempt to leverage LockBit’s reputation in an effort to pressure victims into paying the ransom.
Data Exfiltration via AWS
Before encrypting files, NotLockBit exfiltrates victim data to an Amazon S3 bucket controlled by the attacker. This step is part of the double extortion strategy: threatening to release the victim’s data unless the ransom is paid. Trend Micro, another cybersecurity firm, revealed that the malware uses hardcoded AWS credentials for this process, either from a compromised or personal AWS account.
Trend Micro has since reported the malicious activity to Amazon Web Services (AWS), which promptly suspended both the AWS access keys and the associated account.
Who Is at Risk?
This new malware specifically targets macOS systems, marking one of the first fully functional ransomware threats on Apple’s operating system. Until now, macOS has been relatively safe from ransomware compared to Windows systems. However, this shift in tactics demonstrates that cybercriminals are increasingly focusing on expanding their target range. Both businesses and individual users who rely on macOS, especially those with Intel-based systems or Apple Silicon running Rosetta, are at risk.
Additionally, Windows systems are also susceptible, making it a cross-platform threat. This puts companies with mixed operating environments particularly at risk, especially if they do not have robust security measures in place.
How to Protect Yourself
Regular Backups: One of the best defenses against ransomware is maintaining regular backups of critical files. Ensure that backups are stored offline or in secure, isolated environments that cannot be easily accessed by malware.
Security Software: Use reputable antivirus and anti-malware software that is capable of detecting both known and emerging threats. Keeping your software up-to-date ensures that it can recognize and block new malware like NotLockBit.
Operating System Updates: Regularly update your macOS and Windows systems. Security patches often address vulnerabilities that malware exploits.
Cloud Security: If using cloud services like AWS, ensure that access is tightly controlled. Regularly audit and rotate access keys and implement multi-factor authentication (MFA) for added security.
Employee Awareness: Since ransomware often enters systems through phishing or social engineering attacks, it's crucial to educate employees about the risks of clicking on suspicious links or downloading unexpected attachments.
Network Segmentation: Isolate sensitive data from the rest of the network. In the event of an attack, this limits the spread of the ransomware and protects critical assets.
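As an added, defensive illustration of the access-key audit and MFA advice above (this is not code from the article or from the vendors it cites): a Python check over an IAM credential report that flags console users without MFA and active access keys that are overdue for rotation or unused. The report contents and account id are constructed sample data, and the 90-day and 30-day thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report (the CSV returned by
# `aws iam get-credential-report`). Column names match the real report; the account
# id, users and dates are invented for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2021-01-10T09:00:00+00:00,not_supported,2024-09-01T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-05T12:00:00+00:00,true,2024-10-20T08:00:00+00:00,2024-09-30T08:00:00+00:00,N/A,true,true,2024-09-30T08:00:00+00:00,2024-10-21T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
backup-svc,arn:aws:iam::111122223333:user/backup-svc,2021-06-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2022-01-15T00:00:00+00:00,2024-10-22T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-02-01T00:00:00+00:00,true,2024-10-01T00:00:00+00:00,2024-10-01T00:00:00+00:00,N/A,false,true,2024-08-01T00:00:00+00:00,N/A,N/A,N/A,true,2023-05-01T00:00:00+00:00,2024-10-22T00:00:00+00:00,eu-west-1,s3
"""

def parse_ts(value):
    """Report timestamps are ISO-8601; N/A, not_supported and no_information mean none."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(report_csv, now, max_key_age_days=90, unused_days=30):
    """Return (user, issue) pairs for console access without MFA and for active
    access keys that are overdue for rotation or have gone unused."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root user reports password_enabled as not_supported but always has console access.
        console = row["password_enabled"] == "true" or user == "<root_account>"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {slot} older than {max_key_age_days} days"))
            if last_used is None or now - last_used > timedelta(days=unused_days):
                findings.append((user, f"access key {slot} unused for {unused_days}+ days"))
    return findings

def run_sample():
    # Fixed 'now' so the constructed report gives stable results. Against a real
    # account, the CSV comes from boto3's iam.get_credential_report()["Content"].
    return audit_credential_report(SAMPLE_REPORT, datetime(2024, 10, 23, tzinfo=timezone.utc))

if __name__ == "__main__":
    for user, issue in run_sample():
        print(f"{user}: {issue}")
```

The service account with a two-year-old key and the user without MFA are exactly the kinds of credentials that, if they leaked, could be hardcoded into tooling like the exfiltration component described above.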
Looking Ahead
While NotLockBit is still in development, it represents a growing trend of ransomware groups targeting macOS systems. Although the AWS accounts linked to the malware have been taken down, there are no guarantees that the threat won’t evolve further. As cybercriminals refine their tactics, it is likely that we will see more sophisticated ransomware targeting both macOS and Windows systems.
The best defense is to remain vigilant, regularly update systems, and have contingency plans in place, such as reliable backups and comprehensive cybersecurity measures. By staying informed and proactive, individuals and organizations can mitigate the risk of falling victim to this and other ransomware threats.