The PolySwarm Blog

NotLockBit Ransomware Targets MacOS

Nov 8, 2024 1:45:18 PM / by The Hivemind

Executive Summary

NotLockBit is a ransomware family that mimics LockBit. NotLockBit is unique in that it is one of the first fully functional ransomware families to target MacOS systems.

Key Takeaways

  • NotLockBit is a ransomware family that mimics LockBit.
  • NotLockBit is written in Go and is distributed as an x86_64 binary.
  • While NotLockBit can target both Windows and MacOS systems, it is unique in that it is one of the first fully functional ransomware families to target MacOS systems.
  • PolySwarm analysts consider NotLockBit to be an emerging threat.

What is NotLockBit?

NotLockBit is a ransomware family that mimics LockBit. Although it can target both Windows and MacOS systems, NotLockBit is unique in that it is one of the first fully functional ransomware families to target MacOS systems. Previously observed MacOS ransomware rarely moved beyond proof-of-concept or small-scale targeting to become a formidable threat. Trend Micro and SentinelOne recently reported on NotLockBit.

NotLockBit is written in Go and is distributed as an x86_64 binary. NotLockBit deletes shadow copies to hinder data recovery efforts. Prior to encrypting victim files, NotLockBit exfiltrates victim data to a threat actor-controlled Amazon S3 bucket, using hardcoded AWS credentials. For encryption, NotLockBit uses RSA asymmetric encryption. NotLockBit appends the .abcd extension to encrypted victim files.

Following encryption, NotLockBit creates a ransom note in each encrypted folder and replaces the desktop wallpaper with a LockBit 2.0 banner. However, industry researchers have found no evidence indicating NotLockBit has any affiliation with LockBit, hence the name. NotLockBit uses a double extortion model, demanding ransom to decrypt encrypted files and threatening to sell or leak stolen data if the ransom is not paid. PolySwarm analysts consider NotLockBit to be an emerging threat. 
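One way to hunt for the sequence described above (a connection to Amazon S3 followed by a burst of files gaining the .abcd extension), added here as an example and not PolySwarm's code. The event tuple format, the thresholds and every sample event are assumptions constructed for illustration; only the .abcd extension and the upload-before-encryption order come from this bulletin.

```python
from collections import defaultdict

ENCRYPTED_EXT = ".abcd"   # extension the bulletin says is appended
RENAME_THRESHOLD = 3      # assumed tuning value
WINDOW_SECONDS = 60       # assumed tuning value

# Constructed sample events: (epoch_seconds, pid, kind, field_a, field_b)
EVENTS = [
    (50, 77, "net_connect", "backups.s3.us-east-1.amazonaws.com", None),
    (100, 4242, "net_connect", "placeholder-bucket.s3.amazonaws.com", None),
    (130, 4242, "file_rename", "/Users/a/q3.xlsx", "/Users/a/q3.xlsx.abcd"),
    (131, 4242, "file_rename", "/Users/a/cv.docx", "/Users/a/cv.docx.abcd"),
    (132, 4242, "file_rename", "/Users/a/db.sql", "/Users/a/db.sql.abcd"),
    (133, 4242, "file_rename", "/Users/a/pic.png", "/Users/a/pic.png.abcd"),
    (200, 900, "file_rename", "/tmp/x.txt", "/tmp/x.txt.abcd"),
    (300, 555, "net_connect", "s3.eu-west-1.amazonaws.com", None),
    (310, 555, "file_rename", "/Users/b/a.txt", "/Users/b/a.txt.abcd"),
    (900, 555, "file_rename", "/Users/b/b.txt", "/Users/b/b.txt.abcd"),
]

def is_s3_host(host):
    """True for Amazon S3 endpoint names such as bucket.s3.<region>.amazonaws.com."""
    labels = host.lower().rstrip(".").split(".")
    return labels[-2:] == ["amazonaws", "com"] and any(
        l == "s3" or l.startswith("s3-") for l in labels[:-2])

def detect(events):
    """Return {pid: peak renames per window} for processes that contacted S3
    and afterwards appended ENCRYPTED_EXT to many files in a short burst."""
    s3_seen = set()               # pids that have already connected to S3
    renames = defaultdict(list)   # pid -> times of later appended-extension renames
    for ts, pid, kind, a, b in sorted(events, key=lambda e: e[0]):
        if kind == "net_connect" and is_s3_host(a):
            s3_seen.add(pid)
        elif kind == "file_rename" and b == a + ENCRYPTED_EXT and pid in s3_seen:
            renames[pid].append(ts)
    alerts = {}
    for pid, times in renames.items():
        best = lo = 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > WINDOW_SECONDS:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= RENAME_THRESHOLD:
            alerts[pid] = best
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```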

IOCs

PolySwarm has multiple samples of NotLockBit.

14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31

2e62c9850f331799f1e4893698295d0b069ab04529a6db1bfc4f193fe6aded2c

aca17ec46730f5677d0d0a995b65504e97dce65da699fac1765db1933c97c7ec

You can use the following CLI command to search for all NotLockBit samples in our portal:

$ polyswarm link list -f NotLockBit

Topics: Threat Bulletin, Ransomware, Windows, LockBit, MacOS, NotLockBit
