A new macOS malware family capable of encrypting files and pretending to be the LockBit ransomware is making the rounds, security researchers warn.
Written in Go and targeting both Windows and macOS systems, the threat employs the tactics typically observed in ransomware operations: it steals victim data for double extortion, encrypts files, and deletes shadow copies to prevent data recovery.
What makes the new malware family stand out from the crowd is the impersonation of LockBit, the notorious ransomware that was disrupted by law enforcement in February and September 2024.
According to SentinelOne, which calls it NotLockBit, the malware is distributed as an x86_64 binary, which means it runs natively on Intel Macs and on Apple silicon Macs only where the Rosetta 2 translation layer is installed.
The threat was seen harvesting system information upon execution and using a public key to encrypt a randomly generated master key that is used during the file encryption process.
By relying on RSA asymmetric encryption, the threat actor behind NotLockBit ensures that the master key, and therefore the files encrypted under it, cannot be recovered without the attacker-held private key.
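The key-wrapping scheme the two paragraphs above describe, shown as an added example in Go, the language NotLockBit is written in. This is illustrative code written for this page, not the malware's own implementation: the key size, the AES-GCM file cipher, the function names and the sample file contents are all assumptions. It shows why the layout leaves the victim with nothing useful: the per-victim master key exists in the clear only inside the running process, and the only copy left on disk is wrapped under a public key whose private half never touches the host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything that remains on the victim host after encryption:
// the file ciphertext, its nonce, and the master key wrapped under the
// attacker's RSA public key. Nothing in it lets the victim unwrap the key.
type Envelope struct {
	WrappedMasterKey []byte
	Nonce            []byte
	Ciphertext       []byte
}

// GenerateAttackerKey stands in for the key pair the operator generates offline
// (assumed 2048-bit). Only the public half would be embedded in a sample.
func GenerateAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newMasterKey draws a fresh 256-bit symmetric key from the OS CSPRNG.
func newMasterKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt runs the flow the article describes: generate a random master key,
// wrap it with the embedded public key (RSA-OAEP), then encrypt the file
// contents with AES-256-GCM under that master key.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	masterKey, err := newMasterKey()
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, masterKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedMasterKey: wrapped,
		Nonce:            nonce,
		Ciphertext:       gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Recover is the only path back to plaintext: unwrap the master key with the
// private key, then open the file. With any other private key the OAEP
// padding check fails and no key material comes back.
func Recover(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	masterKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedMasterKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap master key: wrong or missing private key")
	}
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	attacker, _ := GenerateAttackerKey()
	// Constructed sample file contents; not data from any real incident.
	env, _ := Encrypt(&attacker.PublicKey, []byte("quarterly-report.xlsx contents"))
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedMasterKey), len(env.Ciphertext))

	if _, err := Recover(attacker, env); err == nil {
		fmt.Println("holder of the attacker's private key recovers the file")
	}
	someoneElse, _ := GenerateAttackerKey()
	if _, err := Recover(someoneElse, env); err != nil {
		fmt.Println("with any other private key:", err)
	}
}
```

For responders the practical consequence is that, against a correctly implemented scheme of this shape, recovery without the private key depends on an implementation flaw (a master key lingering in process memory or a swap file, a weak random source) or on backups and snapshots the malware could not reach; there is no cryptographic shortcut to try first.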
NotLockBit appends the .abcd extension to the encrypted files, drops a ransom note in each folder containing encrypted files, and attempts to replace the desktop wallpaper to display a LockBit 2.0 banner.
In a recent report, Trend Micro revealed that, prior to starting the encryption process, the ransomware would exfiltrate the victim’s data to an attacker-controlled Amazon S3 bucket, using hardcoded AWS credentials.
“We suspect the ransomware author to be either using their own AWS account or a compromised AWS account. We came across more than thirty samples possibly from the same author, signaling that this ransomware is being actively developed and tested,” Trend Micro warned.
The cybersecurity firm reported the observed activity to AWS, which suspended both the AWS access keys and the associated account.
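Hardcoded cloud credentials are the kind of artefact an analyst wants to pull out of a sample quickly, both to report them to the provider (as Trend Micro did) and to identify the exfiltration destination. The following is an added example of that triage step, written in Go for this page; it is not Trend Micro's or SentinelOne's tooling. The input is a constructed stand-in for the strings of a Go binary, and the access key and secret it contains are the example credentials from AWS's own documentation, not a live key.

```go
package main

import (
	"fmt"
	"regexp"
	"unicode"
)

// Finding is one credential-shaped artefact pulled out of a sample.
type Finding struct {
	Kind   string // "access_key_id", "secret_key_candidate" or "s3_host"
	Value  string
	Offset int
}

var (
	// AWS access key IDs: a known prefix followed by 16 uppercase alphanumerics.
	accessKeyRe = regexp.MustCompile(`\b(?:AKIA|ASIA)[0-9A-Z]{16}\b`)
	// Virtual-hosted-style S3 endpoints, with or without a region label,
	// e.g. bucket.s3.amazonaws.com or bucket.s3.us-east-1.amazonaws.com.
	s3HostRe = regexp.MustCompile(`\b[a-z0-9][a-z0-9.-]{1,61}\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b`)
)

// isSecretByte reports whether b belongs to the base64-style alphabet AWS
// secret access keys are drawn from.
func isSecretByte(b byte) bool {
	return (b >= 'A' && b <= 'Z') || (b >= 'a' && b <= 'z') ||
		(b >= '0' && b <= '9') || b == '/' || b == '+'
}

// looksLikeSecret requires the 40-character shape plus mixed case and a digit.
// The case requirement drops 40-hex-digit SHA-1 digests, which are common in
// Go binaries and are the main false positive for a length-only check.
func looksLikeSecret(tok string) bool {
	if len(tok) != 40 {
		return false
	}
	var upper, lower, digit bool
	for _, r := range tok {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		}
	}
	return upper && lower && digit
}

// Scan walks raw bytes (a binary, a memory dump, a strings listing) and reports
// AWS access key IDs, secret-key candidates and S3 hostnames with their offsets.
func Scan(data []byte) []Finding {
	var out []Finding
	for _, loc := range accessKeyRe.FindAllIndex(data, -1) {
		out = append(out, Finding{"access_key_id", string(data[loc[0]:loc[1]]), loc[0]})
	}
	for _, loc := range s3HostRe.FindAllIndex(data, -1) {
		out = append(out, Finding{"s3_host", string(data[loc[0]:loc[1]]), loc[0]})
	}
	// Secret candidates: maximal runs of the secret alphabet that are exactly 40 long.
	start := -1
	for i := 0; i <= len(data); i++ {
		inRun := i < len(data) && isSecretByte(data[i])
		switch {
		case inRun && start < 0:
			start = i
		case !inRun && start >= 0:
			if tok := string(data[start:i]); looksLikeSecret(tok) {
				out = append(out, Finding{"secret_key_candidate", tok, start})
			}
			start = -1
		}
	}
	return out
}

// SampleStrings is a constructed stand-in for the string table of a Go binary.
// The AKIA/secret pair is AWS's documented example credential, not a live key.
var SampleStrings = []byte("main.uploadToS3\x00" +
	"AKIAIOSFODNN7EXAMPLE\x00" +
	"wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\x00" +
	"da39a3ee5e6b4b0d3255bfef95601890afd80709\x00" + // SHA-1 decoy: 40 hex chars
	"https://exfil-drop.s3.us-east-1.amazonaws.com/\x00" +
	"runtime.gopanic\x00")

func main() {
	for _, f := range Scan(SampleStrings) {
		fmt.Printf("%-22s offset=%-4d %s\n", f.Kind, f.Offset, f.Value)
	}
}
```

A hit on the access key ID is reliable on its own; the secret-key candidates are there to be paired with it by proximity and then confirmed. Note that a bucket name recovered this way is also a usable indicator for egress monitoring while the keys are still live.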
According to SentinelOne, NotLockBit appears to be the first functional ransomware family targeting macOS systems, as previously observed attempts were mere proof-of-concept (PoC) samples.
“The NotLockBit malware appears to be very much in development. For now, the threat actor’s AWS accounts have been removed and there are no known victims or distribution methods in the wild. Given the amount of development that has gone into this threat so far, we would be surprised not to see more from this threat actor in the short to medium term,” SentinelOne notes.