NotLockBit: Ransomware Discovery Serves As Wake-Up Call For Mac Users

Historically, Mac users haven’t had to worry about malware as much as their Windows-using cousins. 

Although malware targeting Apple devices actually predates viruses written for PCs, and there have been some families of malware that have presented a significant threat for both operating systems (for instance, the Word macro viruses that hit computers hard from 1995 onwards), it is generally the case that you’re simply a lot less likely to encounter malware on your Mac than you are on your Windows PC. 

But that doesn’t mean that Mac users should be complacent. And the recent discovery of a new malware strain emphasises that the threat – even if much smaller than on Windows – remains real. 

Security researchers at SentinelOne have warned that the new malware, dubbed “NotLockBit”, is targeting macOS systems – suggesting that cybercriminals are looking for victims who may have made the mistake of being more relaxed about their computer security. 

Although it was initially suspected that the malware was linked to the notorious LockBit ransomware gang, further analysis suggests that the threat is a distinct strain falsely claiming affiliation. 

In what could almost be described as a “false-flag” operation, NotLockBit uses LockBit’s signature desktop wallpaper in what seems to be an attempt to mislead victims and security researchers of its origin. 

NotLockBit claims to be version 2.0, and yet LockBit 3.0 was released some time ago, and key members of the LockBit gang have been arrested and its infrastructure seized. 

Previous ransomware threats against macOS users have been largely proof-of-concept or have not become widespread. 

The genuine LockBit ransomware group was responsible for producing a version of its ransomware for macOS last year, but because it was buggy and crashed easily it was not considered a serious threat. 

The new malware analysed by SentinelOne’s researchers has been distributed as an x86-64 binary – meaning that it will only run on Intel-based Macs and Macs using the Rosetta emulation service. 

According to experts NotLockBit appears to be “very much in development,” and there are currently no known victims of the malware or evidence that it is being actively distributed in the wild. 

But if you were to encounter NotLockBit, on a Mac that could run it, then it would attempt to exfiltrate files from your computer to AWS cloud storage buckets, encrypting data left behind on your Mac and adding a .abcd suffix to their filenames. 

The immediate threat of this particular ransomware sample has been reduced by its discovery, after the threat actors brought it to the attention of researchers by uploading to VirusTotal (seemingly in an attempt to see if any anti-virus products would detect it as malicious). 

That act prompted the security community to take action, and the AWS accounts used by the hackers during the data-exfiltration process have been removed. 

But we would be foolish to think that more work won’t be done on this and other Mac ransomware in the months and years ahead. As ever, companies whose workers use Macs would be wise to protect them with security solutions to reduce the chance of them being the weak link through which a malicious hacker can wreak havoc throughout an organisation.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.