Following LockBit’s systematic breakdown at the hands of law enforcement agencies, many threat actors are taking advantage of the situation, pretending to be the now dismantled ransomware gang and targeting victims across various operating systems. Researchers have discovered a new macOS malware family capable of encrypting files while impersonating the notorious ransomware gang.
SentinelOne researchers discovered the malware family, which they call NotLockBit. The distribution method is also different from that employed by MacOS malware families. NotLockBit is distributed as an x86_x64 binary, which indicates that the malware only works on Intel and Apple-powered macOS devices using the Rosetta emulation service.
According to SentinelOne, NotLockBit “appears to be very much in development.” At the moment, there are no known victims or distribution methods for the malware in the wild. However, given the effort the developers behind the malware have put into their work, the researchers do expect to see more action from this particular malware outfit.
The malware itself was spotted siphoning system information upon execution, and a public key was used to encrypt a randomly generated master key during the file encryption process. While encrypting files, the program adds a .abcd extension to the encrypted files, attempts to change the desktop background to a LockBit 2.0 banner, and promptly drops a ransom note in each folder with encrypted files.
Creating a decryptor from scratch might also be tricky. Since the malware relies on RSA asymmetric encryption, the master key cannot be decrypted without the private key, which, in this case, is held by an attacker. This creates an end-to-end encrypted connection between the attacker and the encrypted files, ensuring no third party can decrypt files without the attacker’s involvement.
NotLockBit isn’t the first new malware family to impersonate LockBit, but it is the first one to target macOS. Recently, researchers at Trend Micro also discovered another ransomware strain written in Golang trying to impersonate LockBit and specifically targeting Amazon Web Services (AWS) infrastructure to attack Windows and macOS systems.
In the News:US law enforcement using LocateX to unlawfully track citizens