- macOS faces an emerging ransomware threat, NotLockBit
- NotLockBit malware demonstrates file-locking capabilities
- Apple’s built-in protections face issues from evolving ransomware threats
For years, ransomware attacks have predominantly targeted Windows and Linux platforms, however cybercriminals have begun to shift their focus toward macOS users, experts have claimed.
The recent discovery of macOS.NotLockBit suggests a shift in the landscape, as this newly identified malware, named after the notorious LockBit variant, could mark the beginning of more serious ransomware campaigns against Mac users.
Discovered by researchers at Trend Micro and later analyzed by SentinelLabs, macOS.NotLockBit shows credible file-locking and data exfiltration capabilities, posing a potential risk to macOS users.
macOS.NotLockBit threat
Ransomware targeting Mac devices tends to lack the necessary tools to truly lock files or exfiltrate data. The general perception has been that macOS is better protected against these kinds of threats, partially due to Apple‘s built-in security features, such as Transparency, Consent, and Control (TCC) protections. However, the emergence of macOS.NotLockBit signals that hackers are actively developing more sophisticated methods for targeting Apple devices.
macOS.NotLockBit functions similarly to other ransomware, but it specifically targets macOS systems. The malware only runs on Intel-based Macs or Apple silicon Macs with Rosetta emulation software installed, which allows it to execute x86_64 binaries on newer Apple processors.
Upon execution, the ransomware collects system information, including the product name, version, and architecture. It also gathers data on how long the system has been running since its last reboot. Before locking the user’s files, macOS.NotLockBit attempts to exfiltrate data to a remote server using Amazon Web Services (AWS) S3 storage. The malware employs a public key for asymmetric encryption, meaning decryption without the attacker’s private key is nearly impossible.
The malware drops a README.txt file in directories containing encrypted files. The encrypted files are marked with an “.abcd” extension, and the README instructs victims on how to recover their files, typically by paying a ransom. Additionally, in later versions of the malware, macOS.NotLockBit displays a LockBit 2.0-themed desktop wallpaper, co-opting the branding of the LockBit ransomware group.
Thankfully, Apple’s TCC protections remain a hard nut for macOS.NotLockBit to crack. These safeguards require user consent before granting access to sensitive directories or allowing control over processes like System Events. While this creates a hurdle for the ransomware’s full functionality, bypassing TCC protection is not insurmountable, and security experts expect that future iterations of the malware may develop ways to circumvent these alerts.
Researchers from SentinelLabs and Trend Micro have not yet identified a specific distribution method, and there are no known victims at present. However, the rapid evolution of the malware demonstrated by the increasing size and sophistication of each new sample indicates that the attackers are actively working on improving its capabilities.
SentinelLabs identified multiple versions of the malware, suggesting that macOS.NotLockBit is still in active development. Early samples appeared lighter in functionality, focusing solely on encryption. Later versions added data exfiltration capabilities and began employing AWS S3 cloud storage to exfiltrate stolen files. The attackers hardcoded AWS credentials into the malware to create new repositories for storing victim data, though these accounts have since been deactivated.
In one of its most recent versions, macOS.NotLockBit requires macOS Sonoma, indicating that the malware developers are targeting some the latest macOS versions. It also showed attempts at obfuscating code, suggesting that the attackers are testing various techniques to evade detection by antivirus software.