- macOS faces an emerging ransomware threat, NotLockBit
- NotLockBit malware demonstrates file-locking capabilities
- Apple’s built-in protections face issues from evolving ransomware threats
For years, ransomware attacks have predominantly targeted Windows and Linux platforms, however cybercriminals have begun to shift their focus toward macOS users, experts have claimed.
The recent discovery of macOS.NotLockBit suggests a shift in the landscape, as this newly identified malware, named after the notorious LockBit variant, could mark the beginning of more serious ransomware campaigns against Mac users.
Discovered by researchers at Trend Micro and later analyzed by SentinelLabs, macOS.NotLockBit shows credible file-locking and data exfiltration capabilities, posing a potential risk to macOS users.
macOS.NotLockBit threat
Ransomware targeting Mac devices tends to lack the necessary tools to truly lock files or exfiltrate data. The general perception has been that macOS is better protected against these kinds of threats, partially due to Apple’s built-in security features, such as Transparency, Consent, and Control (TCC) protections. However, the emergence of macOS.NotLockBit signals that hackers are actively developing more sophisticated methods for targeting Apple devices.
macOS.NotLockBit functions similarly to other ransomware, but it specifically targets macOS systems. The malware only runs on Intel-based Macs or Apple silicon Macs with Rosetta emulation software installed, which allows it to execute x86_64 binaries on newer Apple processors.
Upon execution, the ransomware collects system information, including the product name, version, and architecture. It also gathers data on how long the system has been running since its last reboot. Before locking the user’s files, macOS.NotLockBit attempts to exfiltrate data to a remote server using Amazon Web Services (AWS) S3 storage. The malware employs a public key for asymmetric encryption, meaning decryption without the attacker’s private key is nearly impossible.
The malware drops a README.txt file in directories containing encrypted files. The encrypted files are marked with an “.abcd” extension, and the README instructs victims on how to recover their files, typically by paying a ransom. Additionally, in later versions of the malware, macOS.NotLockBit displays a LockBit 2.0-themed desktop wallpaper, co-opting the branding of the LockBit ransomware group.
Thankfully, Apple’s TCC protections remain a hard nut for macOS.NotLockBit to crack. These safeguards require user consent before granting access to sensitive directories or allowing control over processes like System Events. While this creates a hurdle for the ransomware’s full functionality, bypassing TCC protection is not insurmountable, and security experts expect that future iterations of the malware may develop ways to circumvent these alerts.
Researchers from SentinelLabs and Trend Micro have not yet identified a specific distribution…
Read full post on Tech Radar
Discover more from Technical Master - Gadgets Reviews, Guides and Gaming News
Subscribe to get the latest posts sent to your email.
