The Rise of macOS Ransomware: A Closer Look at the NotLockBit Malware
Ransomware has long been a menace for Windows users, but now it seems that macOS devices are also becoming targets for cyber threats. A recent report from SentinelLabs has shed light on a new strain of ransomware targeting Apple’s macOS devices, known as macOS NotLockBit.
Discovering NotLockBit
SentinelLabs researchers recently uncovered samples of macOS malware that masquerade as LockBit ransomware. This new strain, named macOS NotLockBit, is designed to run on Intel Macs or Apple silicon Macs with Rosetta emulation software.
Upon execution, the ransomware gathers system information before attempting to exfiltrate the user’s data to a remote server. The encryption process uses an embedded public key, so decryption is impossible without the private key held by the attacker.
After encrypting the user’s files, the malware changes the desktop wallpaper and displays a LockBit 2.0 banner, even though it does not actually use any LockBit builders.
The Impact of LockBit Builders
The leaked LockBit 3.0 builder has made ransomware tools more accessible to lower-skilled hackers, leading to an increase in LockBit-branded activity despite disruptions within the LockBit group itself. This ease of access has allowed less experienced hackers to cause chaos and mayhem through ransomware operations.
Although the group behind macOS NotLockBit is leveraging LockBit’s high-level reputation, it is clear that the malware does not directly use any LockBit builders. Instead, it simply displays a LockBit 2.0 banner.
The Future of macOS Ransomware
One of the most intriguing aspects of the macOS NotLockBit campaign is its specific targeting of macOS devices, a relatively untapped market for ransomware actors. While macOS systems have historically been resistant to ransomware threats, this new strain indicates a shift in the landscape.
Apple’s Transparency, Consent, and Control protections currently hinder the attackers, requiring multiple alerts and consent as the malware attempts to traverse directories and control processes. However, researchers predict that threat actors will develop ways to bypass these safeguards in future versions.
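An added example, not taken from the SentinelLabs report or the original article: one way a defender could turn the burst of consent prompts described above into a detection, by flagging any binary that requests several distinct protected TCC services within a short window. The event record layout, the sample paths, the 60-second window and the three-service threshold are assumptions made for this example; the service names are real TCC identifiers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# TCC services for protected user folders and for controlling other processes.
WATCHED = {"kTCCServiceSystemPolicyDesktopFolder", "kTCCServiceSystemPolicyDocumentsFolder",
           "kTCCServiceSystemPolicyDownloadsFolder", "kTCCServiceAppleEvents"}

# Constructed sample events: "<time> <requesting binary> <TCC service>".
# This record layout is an assumption for the example, not a real macOS log format.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01 /System/Applications/Notes.app/Contents/MacOS/Notes kTCCServiceSystemPolicyDocumentsFolder
2024-01-01T10:09:30 /System/Applications/Notes.app/Contents/MacOS/Notes kTCCServiceSystemPolicyDesktopFolder
2024-01-01T10:20:00 /System/Applications/Notes.app/Contents/MacOS/Notes kTCCServiceSystemPolicyDownloadsFolder
2024-01-01T10:30:00 /Users/alice/Downloads/sample_binary kTCCServiceSystemPolicyDesktopFolder
2024-01-01T10:30:05 /Users/alice/Downloads/sample_binary kTCCServiceSystemPolicyDocumentsFolder
2024-01-01T10:30:07 /Users/alice/Downloads/sample_binary kTCCServiceSystemPolicyDesktopFolder
2024-01-01T10:30:12 /Users/alice/Downloads/sample_binary kTCCServiceAppleEvents
"""

def parse_events(text):
    """Parse records into time-sorted (time, binary, service) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            ts, rest = line.split(" ", 1)
            binary, service = rest.rsplit(" ", 1)  # binary paths may contain spaces
            events.append((datetime.fromisoformat(ts), binary, service))
        except ValueError:
            continue
    return sorted(events)

def flag_prompt_bursts(events, window=timedelta(seconds=60), min_services=3):
    """Return {binary: services} for binaries requesting min_services distinct watched services in one window."""
    per_binary = defaultdict(list)
    for ts, binary, service in events:
        if service in WATCHED:
            per_binary[binary].append((ts, service))
    flagged = {}
    for binary, reqs in per_binary.items():
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:  # slide window forward
                start += 1
            services = {s for _, s in reqs[start:end + 1]}
            if len(services) >= min_services:
                flagged[binary] = sorted(services)
                break
    return flagged

print(flag_prompt_bursts(parse_events(SAMPLE_EVENTS)))
```

Counting distinct services rather than raw prompts keeps repeated requests for the same folder from triggering the rule, and the window keeps an application that touches several folders over a long session out of the results.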
Despite being a relatively small threat at present, ransomware on macOS is becoming increasingly viable. Threat actors have realized the potential for double extortion on Apple’s desktop platform, combining infostealers with file lockers for maximum impact.
As the cybersecurity landscape continues to evolve, it is essential for Apple users to remain vigilant and take precautions to protect their devices from emerging threats like macOS NotLockBit.
Stay informed and stay safe!