
Researchers from two cybersecurity firms are analyzing a new macOS malware sample that appeared in the wild. It is the first variant that demonstrates “credible file locking and data exfiltration capabilities.”
Threat actors are actively developing a new ransomware variant capable of affecting both Intel Macs and Apple silicon Macs that have the Rosetta emulation software installed. In active development since at least January 2024, the malware has evolved by adding new tools and is now capable of exfiltrating and encrypting users’ files.
Trend Micro was the first to discover the latest malicious binary, in October. The gang behind it masquerades as the infamous LockBit group; however, a completely different threat actor appears to be developing the ransomware.
Because the malware capitalizes on the infamous name, SentinelOne researchers dubbed it “NotLockBit.” Trend Micro calls it “Golang,” after the samples written in the Go language.
If executed, the ransomware first gathers system information from the host by reading the property list file SystemVersion.plist. From it, the malware collects the system’s name, version, and build, then issues a further query to collect additional information.
It then attempts to exfiltrate the user’s data to a remote server. In the observed sample, the threat actor abuses AWS S3 cloud storage: the malware creates new repositories in the attacker’s Amazon S3 instance, which is now defunct.
NotLockBit carries an embedded public key, which indicates asymmetric encryption: decryption is impossible without access to the private key held by the attacker.
The malware uses this public key to encrypt another, randomly generated key, which in turn is used to encrypt the user’s data. NotLockBit writes that encrypted decryption key to a README.txt file stored in each folder containing encrypted files, but the key is unusable without the threat actor’s private key.
Finally, NotLockBit changes the desktop wallpaper to a ransom note.
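The on-disk pattern described above (a README.txt note dropped into every folder that holds encrypted files) is something a responder can triage for. The following script is an added example, not code from the article or from either vendor; it walks a directory tree and flags folders where a README.txt sits next to files whose byte entropy is close to that of ciphertext. The fixture directory, filenames and entropy threshold are constructed for the demo.

```python
# Added triage example (not from the article): flag folders that contain a
# README.txt alongside high-entropy (likely encrypted) files.
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

NOTE_NAME = "README.txt"   # ransom-note filename described in the article
ENTROPY_THRESHOLD = 7.5    # bits/byte; text is ~4-5, ciphertext ~8 (assumed cutoff)
MIN_SIZE = 64              # tiny files give unreliable entropy estimates

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: Path) -> bool:
    """True if the file is large enough to judge and its bytes look random."""
    data = path.read_bytes()
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD

def find_suspicious_dirs(root: Path) -> dict:
    """Map each directory holding a README.txt to its high-entropy sibling files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME not in files:
            continue
        siblings = [f for f in files if f != NOTE_NAME]
        encrypted = [f for f in siblings if looks_encrypted(Path(dirpath) / f)]
        if encrypted:  # a README.txt alone (e.g. a project readme) is not enough
            hits[dirpath] = sorted(encrypted)
    return hits

def build_sample_tree() -> Path:
    """Constructed fixture: one folder matching the pattern, one benign folder."""
    root = Path(tempfile.mkdtemp(prefix="notlockbit-demo-"))
    hit = root / "Documents"
    hit.mkdir()
    (hit / NOTE_NAME).write_text("constructed ransom note placeholder\n")
    (hit / "report.pdf.enc").write_bytes(os.urandom(4096))  # stands in for ciphertext
    (hit / "notes.txt").write_text("plain text, low entropy " * 50)
    clean = root / "Pictures"
    clean.mkdir()
    (clean / NOTE_NAME).write_text("a legitimate project readme\n")
    (clean / "todo.txt").write_text("buy milk\n" * 100)
    return root

if __name__ == "__main__":
    for d, files in find_suspicious_dirs(build_sample_tree()).items():
        print(f"{d}: ransom note + {len(files)} high-entropy file(s): {files}")
```

Point it at a real home directory by replacing the fixture with the path to scan; entropy alone produces false positives on compressed media, so treat hits as leads for inspection rather than verdicts.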

“In all versions of this malware, the attackers are hindered somewhat by Apple’s TCC protections. Multiple alerts require consent as the malware attempts to traverse certain directories and control processes such as System Events. Given that bypassing TCC is reasonably trivial, we would expect to see development in this area in future versions,” SentinelOne warns.
Until now, Macs were considered safe from ransomware threats, as previous attempts had been, at best, “proof of concept” and, at worst, entirely incapable of succeeding at the task.
Ransomware on macOS remains an unlikely threat, researchers say. However, threat actors increasingly employ double-extortion methods, combining infostealers with file lockers, and these new developments demonstrate that ransomware attacks on macOS may become viable.
“The NotLockBit malware appears to be very much in development,” SentinelOne researchers said. “We would be surprised not to see more from this actor in the short to medium term.”
For now, there are no known victims or distribution methods for the ransomware.