Executive Summary
NotLockBit is a ransomware family that mimics LockBit. It is notable as one of the first fully functional ransomware families to target macOS systems.
Key Takeaways
- NotLockBit is a ransomware family that mimics LockBit.
- NotLockBit is written in Go and is distributed as an x86_64 binary.
- While NotLockBit can target both Windows and macOS systems, it is unique in that it is one of the first fully functional ransomware families to target macOS systems.
- PolySwarm analysts consider NotLockBit to be an emerging threat.
What is NotLockBit?
NotLockBit is a ransomware family that mimics LockBit. Although it can target both Windows and macOS systems, NotLockBit is unique in that it is one of the first fully functional ransomware families to target macOS systems. Previously observed macOS ransomware rarely moved beyond proof-of-concept or small-scale targeting to become a formidable threat. Trend Micro and SentinelOne recently reported on NotLockBit.
NotLockBit is written in Go and is distributed as an x86_64 binary. NotLockBit deletes shadow copies to hinder data recovery efforts. Prior to encrypting victim files, NotLockBit exfiltrates victim data to a threat-actor-controlled Amazon S3 bucket, using hardcoded AWS credentials. For encryption, NotLockBit uses RSA asymmetric encryption. NotLockBit appends the .abcd extension to encrypted victim files.
Following encryption, NotLockBit creates a ransom note in each encrypted folder and replaces the desktop wallpaper with a LockBit 2.0 banner. However, industry researchers have found no evidence that NotLockBit has any affiliation with LockBit, hence the name. NotLockBit uses a double extortion model: it demands a ransom to decrypt the encrypted files and threatens to sell or leak the stolen data if the ransom is not paid. PolySwarm analysts consider NotLockBit to be an emerging threat.
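As an added defensive example (not PolySwarm's code or tooling), the Python helper below triages a binary's raw bytes for the indicator combination described above: a Go build marker, a hardcoded long-term AWS access key next to an S3 endpoint, the .abcd extension and LockBit branding. The AWS key-ID shape and the Go marker string are assumptions about how those artefacts appear in a stripped binary, and the sample bytes are constructed.

```python
import re

# Indicator patterns drawn from the behaviours the report describes. The AWS
# access-key-ID shape (AKIA + 16 upper-case alphanumerics) and the "Go build ID:"
# marker are assumptions about how those artefacts appear in a stripped binary.
INDICATORS = {
    "go_binary": re.compile(rb"Go build ID:"),
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "s3_endpoint": re.compile(rb"s3[.-][a-z0-9.-]*amazonaws\.com"),
    "abcd_extension": re.compile(rb"\.abcd\b"),
    "lockbit_branding": re.compile(rb"LockBit", re.IGNORECASE),
}


def triage(blob: bytes) -> dict:
    """Report which NotLockBit-style indicators a binary's raw bytes contain.

    Matching runs on the raw bytes rather than on a `strings` dump, so
    indicators separated by NUL bytes or other non-printables are still found.
    """
    hits = {name: pat.search(blob) is not None for name, pat in INDICATORS.items()}
    hits["aws_keys_found"] = len(set(INDICATORS["aws_access_key_id"].findall(blob)))
    # A Go binary carrying a long-term AWS key beside an S3 endpoint is the
    # exfiltration setup described above; treat it as the strongest signal.
    hits["exfil_pattern"] = (
        hits["go_binary"] and hits["aws_access_key_id"] and hits["s3_endpoint"]
    )
    hits["suspect"] = hits["exfil_pattern"] or (
        hits["abcd_extension"] and hits["lockbit_branding"]
    )
    return hits


# Constructed sample: a stand-in binary carrying the strings a NotLockBit-like
# payload would embed. The key ID is the AWS documentation placeholder, not a
# real credential, and the bucket name is made up.
SAMPLE = (
    b"\xcf\xfa\xed\xfe\x00\x00"  # 64-bit Mach-O magic, then filler
    b'Go build ID: "constructed"\x00'
    b"AKIAIOSFODNN7EXAMPLE\x00"
    b"https://victim-drop.s3.us-east-1.amazonaws.com/\x00"
    b".abcd\x00LockBit 2.0\x00"
)
# Constructed benign control: a Go binary that merely reads a public S3 URL.
BENIGN = b'Go build ID: "constructed"\x00https://s3.amazonaws.com/public-data\x00'

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, triage(blob))
```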
IOCs
PolySwarm has multiple samples of NotLockBit.
14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31
2e62c9850f331799f1e4893698295d0b069ab04529a6db1bfc4f193fe6aded2c
aca17ec46730f5677d0d0a995b65504e97dce65da699fac1765db1933c97c7ec
You can use the following CLI command to search for all NotLockBit samples in our portal:
$ polyswarm link list -f NotLockBit