The NotLockBit ransomware targets Apple users with advanced file locking and data exfiltration
- macOS is facing an emerging ransomware threat, NotLockBit
- NotLockBit malware demonstrates file locking capabilities
- Apple’s built-in protection faces challenges from evolving ransomware threats
For years, ransomware attacks have primarily targeted Windows and Linux platforms, but cybercriminals are starting to shift their focus to macOS users, experts say.
The recent discovery of macOS.NotLockBit signals a shift in the landscape, as this newly identified malware, named after the infamous LockBit variant, could mark the start of more serious ransomware campaigns against Mac users.
Discovered by researchers at Trend Micro and later analyzed by SentinelLabs, macOS.NotLockBit offers credible file locking and data interception capabilities, which pose a potential risk to macOS users.
macOS.NotLockBit threat
Ransomware that targets Mac devices often lacks the necessary tools to actually lock files or exfiltrate data. The general perception is that macOS is better protected against these types of threats, thanks in part to Apple’s built-in security features such as Transparency, Consent, and Control (TCC) protections. However, the emergence of macOS.NotLockBit indicates that hackers are actively developing more advanced methods to attack Apple devices.
macOS.NotLockBit functions similarly to other ransomware, but specifically targets macOS systems. The malware only runs on Intel-based Macs or Apple silicon Macs with Rosetta emulation software installed, which allows x86_64 binaries to run on newer Apple processors.
When executed, the ransomware collects system information including product name, version, and architecture. It also collects data on how long the system has been running since the last restart. Before locking the user’s files, macOS.NotLockBit attempts to exfiltrate data to a remote server using Amazon Web Services (AWS) S3 storage. The malware uses a public key for asymmetric encryption, meaning decryption without the attacker’s private key is virtually impossible.
The malware places a README.txt file in folders containing encrypted files. The encrypted files are marked with the extension “.abcd”, and the README instructs victims how to restore their files, usually by paying a ransom. Additionally, in later versions of the malware, macOS.NotLockBit displays a LockBit 2.0-themed desktop wallpaper, adopting the branding of the LockBit ransomware group.
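The two on-disk indicators described above, a ".abcd" extension on locked files and a README.txt note dropped into the same folder, are the kind of artifacts a responder would sweep for on a suspect Mac. The following is an added example, not code from the article or from the Trend Micro or SentinelLabs research: a small scanner that walks a directory tree, records both indicators per folder, and flags folders where they co-occur. The sample tree it builds, the threshold `min_encrypted`, and the treatment of a lone README.txt as benign are assumptions made for the demonstration.

```python
"""Added example: defender-side sweep for NotLockBit-style file indicators.
Not the article's or the researchers' code; file names and thresholds are assumed."""
import os
import tempfile

ENCRYPTED_EXT = ".abcd"    # extension the article reports on encrypted files
NOTE_NAME = "README.txt"   # ransom-note file name the article reports


def scan_tree(root):
    """Walk `root` and return {folder: (encrypted_count, note_present)}
    for every folder that shows at least one of the two indicators."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sum(1 for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        note = NOTE_NAME in filenames
        if encrypted or note:
            findings[dirpath] = (encrypted, note)
    return findings


def classify(findings, min_encrypted=3):
    """Return folders treated as high-confidence hits: a note sitting next to
    encrypted files, or many encrypted files in one folder. A README.txt on
    its own is common in ordinary projects, so it is not a hit by itself.
    `min_encrypted` is an assumed threshold, not a value from the article."""
    hits = []
    for folder, (encrypted, note) in findings.items():
        if (note and encrypted > 0) or encrypted >= min_encrypted:
            hits.append(folder)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data, not real evidence: one folder that matches both
    indicators, one with only a benign README.txt, and one clean folder."""
    root = tempfile.mkdtemp(prefix="notlockbit_demo_")
    docs = os.path.join(root, "Documents")
    proj = os.path.join(root, "project")
    clean = os.path.join(root, "Pictures")
    for d in (docs, proj, clean):
        os.makedirs(d)
    for name in ("report.docx.abcd", "budget.xlsx.abcd"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)          # placeholder bytes, not real ciphertext
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write("constructed ransom-note placeholder\n")
    with open(os.path.join(proj, NOTE_NAME), "w") as fh:
        fh.write("ordinary project readme\n")
    with open(os.path.join(clean, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8")
    return root


def demo():
    """Build the sample tree, scan it, and return results keyed by folder
    name relative to the temporary root."""
    root = build_sample_tree()
    findings = scan_tree(root)
    rel_findings = {os.path.relpath(k, root): v for k, v in findings.items()}
    rel_hits = [os.path.relpath(h, root) for h in classify(findings)]
    return rel_findings, rel_hits


if __name__ == "__main__":
    findings, hits = demo()
    for folder, (encrypted, note) in findings.items():
        print(f"{folder}: {encrypted} '{ENCRYPTED_EXT}' files, note present={note}")
    print("high-confidence folders:", hits)
```

In practice `scan_tree` would be pointed at a user's home directory or a mounted image rather than the constructed tree; the extension and note name are the article's values, so both should be adjusted if a later sample changes them.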
Fortunately, Apple’s TCC protections remain a tough nut for macOS.NotLockBit to crack. These protections require user consent before granting access to sensitive folders or enabling control over processes such as system events. While this poses an obstacle to the ransomware’s full functionality, bypassing the TCC protection is not insurmountable, and security experts expect that future versions of the malware will develop ways to bypass these warnings.
Researchers at SentinelLabs and Trend Micro have not yet identified a specific distribution method, and there are no known victims at this time. However, the rapid evolution of the malware, as evidenced by the increasing size and sophistication of each new instance, indicates that the attackers are actively working to improve its capabilities.
SentinelLabs has identified multiple versions of the malware, indicating that macOS.NotLockBit is still in active development. Early samples seemed lighter on functionality and focused solely on encryption. Later versions added data exfiltration capabilities and began using AWS S3 cloud storage to exfiltrate stolen files. The attackers hardcoded AWS credentials into the malware to create new repositories for storing victim data, although these accounts have since been deactivated.
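Hardcoded cloud credentials are one of the easier things to pull out of a sample during triage, and they are worth extracting quickly so the affected cloud provider can be notified and the bucket names can be added to network detections. The following is an added example, not the researchers' tooling: it pulls printable strings from a binary blob and matches the well-known AWS access key ID format (`AKIA` followed by 16 uppercase alphanumerics), alongside the two file-name indicators the article mentions. The sample blob is constructed for the demonstration and contains no real credential; the `.abcd` and README.txt strings are the article's values.

```python
"""Added example: static triage of a sample for hardcoded AWS key IDs and
file-name indicators. Not the article's or the researchers' code; the
sample bytes are constructed and the key ID is a fake placeholder."""
import re

# AWS access key IDs are 20 characters starting with "AKIA"; the lookarounds
# avoid matching inside a longer run of uppercase letters or digits.
AWS_KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{6,}")   # runs of 6+ printable ASCII bytes

# String indicators taken from the article's description of the malware.
FILE_INDICATORS = (b".abcd", b"README.txt")

# Constructed stand-in for a binary: nulls and junk around a few strings.
# "AKIAEXAMPLEEXAMPLE01" is a fabricated placeholder, not a real key.
SAMPLE_BLOB = (
    b"\x00\x00\xfe\xed\xfa\xcf"
    b"/Users/Shared/\x00README.txt\x00"
    b"\x01\x02.abcd\x00"
    b"AKIAEXAMPLEEXAMPLE01\x00"
    b"ZZZZAKIANOTAKEYBECAUSEJOINED\x00"   # joined to other uppercase: should not match
    b"\x00garbage\x00"
)


def extract_strings(blob):
    """Return printable ASCII runs, like a minimal `strings`."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(blob)]


def find_aws_key_ids(blob):
    """Return every candidate AWS access key ID in the blob."""
    return [m.group().decode("ascii") for m in AWS_KEY_ID_RE.finditer(blob)]


def triage(blob):
    """Summarise a sample: key IDs found and which file indicators appear."""
    return {
        "aws_key_ids": find_aws_key_ids(blob),
        "file_indicators": [i.decode("ascii") for i in FILE_INDICATORS if i in blob],
        "string_count": len(extract_strings(blob)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_BLOB)
    print("candidate AWS key IDs:", result["aws_key_ids"])
    print("file indicators present:", result["file_indicators"])
    print("printable strings:", extract_strings(SAMPLE_BLOB))
```

A matched key ID only identifies the account; the secret key is a separate 40-character value that this pattern does not try to recover, and a match in a sample is a reason to report the key to the provider for revocation, not to use it.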
In one of the most recent versions, macOS.NotLockBit requires macOS Sonoma, indicating that the malware developers are targeting some of the latest macOS versions. It also showed attempts at code obfuscation, indicating that the attackers are testing various techniques to evade detection by anti-virus software.