NotLockBit Ransomware Can Target macOS Devices

A file-encrypting malware family posing as the LockBit ransomware has been observed targeting macOS systems.

A new macOS malware family capable of encrypting files and pretending to be the LockBit ransomware is making the rounds, security researchers warn.

Written in Go and targeting both Windows and macOS systems, the threat employs the tactics typically observed in ransomware operations: it steals victim data for double extortion, encrypts files, and deletes shadow copies to prevent data recovery.

What makes the new malware family stand out from the crowd is the impersonation of LockBit, the notorious ransomware that was disrupted by law enforcement in February and September 2024.

According to SentinelOne, which calls it NotLockBit, the malware is distributed as an x86_64 binary, which suggests it only works on Intel Macs and on Apple silicon Macs running the Rosetta emulation software.

The threat was seen harvesting system information upon execution and using a public key to encrypt a randomly generated master key that is used during the file encryption process.

By relying on RSA asymmetric encryption, the threat actor behind NotLockBit ensures that the master key cannot be decrypted without the attacker-held private key.

NotLockBit appends the .abcd extension to the encrypted files, drops a ransom note in each folder containing encrypted files, and attempts to replace the desktop wallpaper to display a LockBit 2.0 banner.
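
For defenders, the `.abcd` suffix described above is a usable triage signal when combined with a content check. The following Python example is added here and is not code from SentinelOne, Trend Micro or SecurityWeek: it sweeps a directory tree for `.abcd` files whose leading bytes have near-random entropy, as encrypted data does. The entropy threshold, the sample size and the constructed test tree are assumptions.

```python
import math
import os
import tempfile
from collections import Counter

SUFFIX = ".abcd"       # extension the article says NotLockBit appends
ENTROPY_MIN = 7.5      # assumed threshold (bits per byte) for "looks encrypted"
SAMPLE_BYTES = 65536   # assumed: only the head of each file is read

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, plain text is far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str) -> dict:
    """Map each directory under root to its .abcd files that look encrypted."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if shannon_entropy(head) >= ENTROPY_MIN:
                hits.setdefault(dirpath, []).append(name)
    return hits

def demo() -> dict:
    """Build a constructed sample tree and run the sweep over it."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    samples = {  # constructed inputs, not real malware artifacts
        "report.docx.abcd": os.urandom(4096),                # stands in for ciphertext
        "notes.abcd": b"plain text, not encrypted\n" * 200,  # benign use of the suffix
        "photo.jpg": os.urandom(4096),                       # high entropy, other suffix
    }
    for name, body in samples.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(body)
    return {os.path.relpath(d, root): sorted(f) for d, f in triage(root).items()}
```

A directory in which most files appear in the result is a stronger indicator than a single hit, since compressed archives that happen to carry the same suffix would also pass the entropy check.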

In a recent report, Trend Micro revealed that, prior to starting the encryption process, the ransomware would exfiltrate the victim’s data to an attacker-controlled Amazon S3 bucket, using hardcoded AWS credentials.

“We suspect the ransomware author to be either using their own AWS account or a compromised AWS account. We came across more than thirty samples possibly from the same author, signaling that this ransomware is being actively developed and tested,” Trend Micro warned.

The cybersecurity firm reported the observed activity to AWS, which suspended both the AWS access keys and the associated account.

According to SentinelOne, NotLockBit appears to be the first functional ransomware family targeting macOS systems, as previously observed attempts were mere proof-of-concept (PoC) samples.

“The NotLockBit malware appears to be very much in development. For now, the threat actor’s AWS accounts have been removed and there are no known victims or distribution methods in the wild. Given the amount of development that has gone into this threat so far, we would be surprised not to see more from this threat actor in the short to medium term,” SentinelOne notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
