Sun Dec 15 2024

The NotLockBit ransomware targets Apple users with sophisticated file-locking and data-extraction techniques.

macOS.NotLockBit is not related to the well-known ransomware LockBit.

The recent identification of a new malware family, tracked as macOS.NotLockBit, signals a shift worth watching: ransomware operators are now directing effort at macOS users. Despite borrowing the name of the infamous LockBit family, it is a separate codebase that combines file encryption with data exfiltration, and it is a credible threat to Apple devices.

Researchers from Trend Micro and SentinelLabs have analyzed the samples. Ransomware has historically concentrated on Windows and Linux, and macOS is often assumed to be better defended against it; the emergence of macOS.NotLockBit shows that criminals are now investing in tooling built specifically to compromise Apple devices.

Functionally, macOS.NotLockBit behaves like ransomware on other platforms, but it is built solely for macOS. The binary is x86_64 code only: it runs natively on Intel-based Macs, and on Apple Silicon Macs only if the Rosetta 2 translation layer is installed. Once launched, it collects system information (the product version, the architecture, and the time elapsed since the last reboot). Then, before encrypting the user's files, it attempts to exfiltrate data to attacker-controlled Amazon Web Services (AWS) S3 storage.
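The architecture constraint above is the first thing to check when triaging a suspicious Mach-O: if the image has no arm64 slice, it can only run on an Apple Silicon Mac through Rosetta 2, which is itself a useful indicator. The following script is an added example, not code from the article or from the Trend Micro or SentinelLabs analyses. It parses only the Mach-O and fat headers (constants from Apple's loader.h, fat.h and machine.h), and the two sample headers it embeds are constructed for offline testing, not bytes taken from any real sample.

```python
import struct
import sys

# Constants from <mach-o/loader.h>, <mach-o/fat.h> and <mach/machine.h>.
MH_MAGIC_64 = 0xFEEDFACF      # thin 64-bit image; stored in host (little-endian) order
FAT_MAGIC = 0xCAFEBABE        # universal ("fat") wrapper; header stored big-endian
CPU_TYPE_X86_64 = 0x01000007  # CPU_TYPE_X86 | CPU_ARCH_ABI64
CPU_TYPE_ARM64 = 0x0100000C   # CPU_TYPE_ARM | CPU_ARCH_ABI64
ARCH_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def macho_architectures(data: bytes) -> list:
    """Return the architecture names contained in a Mach-O image.

    Handles thin 64-bit images and fat wrappers. Only headers are read, so the
    first few KiB of the file are enough. Raises ValueError for anything else.
    """
    if len(data) < 8:
        raise ValueError("too short for a Mach-O header")
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        # struct fat_header { uint32 magic; uint32 nfat_arch; } is followed by
        # nfat_arch x struct fat_arch { cputype, cpusubtype, offset, size, align },
        # all big-endian. (Java class files share this magic; they fail below
        # only by accident, so pair this check with the file's origin.)
        nfat = struct.unpack(">I", data[4:8])[0]
        if nfat == 0 or len(data) < 8 + nfat * 20:
            raise ValueError("truncated or empty fat header")
        archs = []
        for i in range(nfat):
            off = 8 + i * 20
            cputype = struct.unpack(">I", data[off:off + 4])[0]
            archs.append(ARCH_NAMES.get(cputype, hex(cputype)))
        return archs
    if struct.unpack("<I", data[:4])[0] == MH_MAGIC_64:
        # struct mach_header_64 begins { uint32 magic; cpu_type_t cputype; ... }
        cputype = struct.unpack("<I", data[4:8])[0]
        return [ARCH_NAMES.get(cputype, hex(cputype))]
    raise ValueError("not a 64-bit Mach-O image or fat binary")


def needs_rosetta(data: bytes) -> bool:
    """True when the image carries x86_64 code but no arm64 slice, i.e. it runs
    natively on Intel and on Apple Silicon only through Rosetta 2."""
    archs = macho_architectures(data)
    return "x86_64" in archs and "arm64" not in archs


# Constructed sample headers for offline use (not bytes from any real sample):
# the first 8 bytes of an x86_64-only thin image, and a fat header listing an
# x86_64 slice followed by an arm64 slice (offset/size/align values are arbitrary).
X86_ONLY_HEADER = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_X86_64)
UNIVERSAL_HEADER = (struct.pack(">II", FAT_MAGIC, 2)
                    + struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 0x4000, 0x1000, 14)
                    + struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x8000, 0x1000, 14))

if __name__ == "__main__":
    # Usage: python3 macho_arch.py /path/to/binary [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(4096)
        try:
            archs = macho_architectures(head)
            if needs_rosetta(head):
                verdict = "x86_64-only: needs Rosetta 2 on Apple Silicon"
            elif "arm64" in archs:
                verdict = "has an arm64 slice"
            else:
                verdict = "neither x86_64 nor arm64"
            print(f"{path}: {archs} -> {verdict}")
        except ValueError as exc:
            print(f"{path}: {exc}")
```

On a live system, `file` and `lipo -archs` give the same answer; the value of a few lines of Python is that they run unchanged inside a forensic pipeline over thousands of files, and that the header is enough, so you never execute the sample.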

Recovery is complicated by the key management. The malware uses an asymmetric scheme: the binary needs only the public half, while the private key that can undo the encryption stays with the attacker, so decrypting the files without the attacker's cooperation is practically impossible. It also drops a README.txt file in each directory containing encrypted files, with instructions on how to pay the ransom to get the data back. More recent versions additionally set a LockBit 2.0-themed desktop wallpaper, a deliberate attempt to trade on the reputation of the LockBit ransomware group.
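Because the ciphertext itself gives a responder nothing to work with, first-pass triage on an affected Mac comes down to the two artifacts the article does describe: a README.txt note in every encrypted directory, and files whose contents have become indistinguishable from random bytes. The script below is an added example written for this page, not code from the article or from either research team. It walks a tree, finds directories that contain the note, and flags sibling files whose leading bytes have Shannon entropy near the 8 bits/byte maximum. The 7.5 threshold, the 64 KiB sample and the fixture it builds in a temporary directory are all assumptions for illustration.

```python
import math
import os
import random
import sys
import tempfile
from collections import Counter

NOTE_NAME = "README.txt"   # ransom-note filename reported for macOS.NotLockBit
ENTROPY_THRESHOLD = 7.5    # bits/byte; assumption: ciphertext sits close to the 8.0 maximum
MIN_SAMPLE = 256           # too few bytes give an unreliable entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_tree(root: str, sample_bytes: int = 65536) -> dict:
    """Walk root and, for each directory holding a ransom note, list the sibling files
    whose leading bytes look encrypted. Returns {note_path: [suspect filenames]}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME not in files:
            continue
        suspects = []
        for name in files:
            if name == NOTE_NAME:
                continue
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    head = fh.read(sample_bytes)
            except OSError:
                continue  # unreadable (permissions, vanished); skip rather than abort the walk
            if len(head) >= MIN_SAMPLE and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                suspects.append(name)
        findings[os.path.join(dirpath, NOTE_NAME)] = sorted(suspects)
    return findings


def build_sample_tree() -> str:
    """Constructed fixture (not real victim data): one directory with a note, a
    high-entropy file standing in for ciphertext, a plain-text file, and a sibling
    directory with no note that must not be reported."""
    root = tempfile.mkdtemp(prefix="notlockbit_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    rng = random.Random(1)  # deterministic stand-in for encrypted bytes
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write("Your files are encrypted. Contact us to recover them.\n")
    with open(os.path.join(docs, "report.docx"), "wb") as fh:
        fh.write(bytes(rng.getrandbits(8) for _ in range(4096)))
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("meeting notes\n" * 300)
    untouched = os.path.join(root, "Pictures")
    os.makedirs(untouched)
    with open(os.path.join(untouched, "holiday.txt"), "w") as fh:
        fh.write("plain text, no note in this directory\n" * 20)
    return root


if __name__ == "__main__":
    # Usage: python3 triage.py [/path/to/scan]; with no argument the fixture is used.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for note, suspects in triage_tree(target).items():
        print(f"{note}: {len(suspects)} high-entropy sibling(s) {suspects}")
```

Treat hits as leads, not verdicts: compressed and media formats (zip, jpeg, mp4, encrypted disk images) are also near-maximal entropy, so corroborate with the note's presence, a modification time clustered around the incident, and a mismatch between the file's extension and its magic bytes.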

Despite these capabilities, the TCC (Transparency, Consent, and Control) framework built into macOS remains a significant obstacle for macOS.NotLockBit. TCC requires explicit user consent before a process may read user directories such as Desktop, Documents and Downloads, so a freshly launched binary cannot simply encrypt them, which limits what the current samples can do. Security researchers warn, however, that attackers may eventually find ways around these prompts.
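The practical question for a defender is therefore which processes on a Mac already hold the grants that would let ransomware past TCC. The script below is an added example, not code from the article or from the researchers it cites. It reads the `access` table of a TCC database and lists clients allowed to read the Desktop, Documents or Downloads folders, or granted Full Disk Access. The service identifiers and the `auth_value` encoding (2 = allowed) are those of the macOS 11 and later schema; the in-memory sample database carries only the columns the query touches, and its rows are invented for illustration.

```python
import os
import sqlite3
import sys

# TCC service identifiers for the user-data locations the article describes as
# consent-gated, plus Full Disk Access, which covers all of them at once.
FOLDER_SERVICES = {
    "kTCCServiceSystemPolicyDesktopFolder": "Desktop",
    "kTCCServiceSystemPolicyDocumentsFolder": "Documents",
    "kTCCServiceSystemPolicyDownloadsFolder": "Downloads",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
}
AUTH_ALLOWED = 2  # access.auth_value on macOS 11+: 0 = denied, 2 = allowed

# Per-user folder grants live here; Full Disk Access is recorded in the system
# database, which needs root to read.
USER_TCC_DB = os.path.expanduser("~/Library/Application Support/com.apple.TCC/TCC.db")
SYSTEM_TCC_DB = "/Library/Application Support/com.apple.TCC/TCC.db"


def granted_folder_access(conn: sqlite3.Connection) -> dict:
    """Map each client (bundle ID or executable path) to the protected locations
    it is allowed to read, ignoring denied rows and non-folder services."""
    rows = conn.execute(
        "SELECT client, service FROM access WHERE auth_value = ?", (AUTH_ALLOWED,)
    )
    grants = {}
    for client, service in rows:
        if service in FOLDER_SERVICES:
            grants.setdefault(client, set()).add(FOLDER_SERVICES[service])
    return {client: sorted(locs) for client, locs in grants.items()}


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for TCC.db with only the columns this audit
    reads (the real table has many more). Every row is invented for illustration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
        "auth_value INTEGER, auth_reason INTEGER)"
    )
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        ("kTCCServiceSystemPolicyDocumentsFolder", "com.apple.Terminal", 0, 2, 2),
        ("kTCCServiceSystemPolicyDesktopFolder", "com.apple.Terminal", 0, 2, 2),
        ("kTCCServiceSystemPolicyAllFiles", "com.example.backupagent", 0, 2, 3),
        ("kTCCServiceSystemPolicyDownloadsFolder", "com.example.unknown", 0, 0, 2),  # denied
        ("kTCCServiceMicrophone", "com.example.meetings", 0, 2, 2),  # allowed, not a folder
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    # Usage: python3 tcc_audit.py --sample | python3 tcc_audit.py [/path/to/TCC.db]
    if len(sys.argv) > 1 and sys.argv[1] == "--sample":
        conn = build_sample_db()
    else:
        db_path = sys.argv[1] if len(sys.argv) > 1 else USER_TCC_DB
        # Reading TCC.db is itself TCC-protected: the calling process (usually
        # your terminal) needs Full Disk Access, or sqlite cannot open the file.
        try:
            conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
            conn.execute("SELECT 1 FROM access LIMIT 1")
        except sqlite3.OperationalError as exc:
            sys.exit(f"cannot read {db_path}: {exc} (grant this terminal Full Disk Access)")
    for client, locations in sorted(granted_folder_access(conn).items()):
        print(f"{client}: {', '.join(locations)}")
```

The row for com.apple.Terminal is the one to look at hardest. TCC attributes a command-line program's access to its responsible process, so a binary launched from a terminal that already has Documents, Desktop or Full Disk Access inherits those grants and never triggers the prompt the article credits with limiting the malware. Run the audit against both the user and the system database and treat every Full Disk Access entry as something that must be justified.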

So far, researchers have not identified a distribution method, and no victims of the new malware have been reported. The samples are nonetheless evolving quickly, with each new version adding complexity, which suggests the developers are committed to improving their tooling. The earliest samples only encrypted files; later versions added data exfiltration and the use of AWS S3 cloud storage to hold the stolen files.

One of the latest versions of macOS.NotLockBit requires macOS Sonoma, indicating that the developers are building against current releases of the operating system. They have also begun obfuscating the code, which suggests they are testing ways to evade antivirus and other detection tools.