Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
Researchers warn that NotLockBit, a new malware family mimicking LockBit ransomware, can impact Windows and macOS systems.
The malware appears to be the first fully functional ransomware targeting macOS systems, moving beyond previous proof-of-concept (PoC) samples.
What is NotLockBit Ransomware
Security researchers say NotLockBit is a Go-written malware. Like many other ransomware strains, it aims to achieve double extortion:
- it encrypts files to make them unreadable by the victim
- it deletes shadow copies to prevent data recovery
NotLockBit tags the encrypted files with the “.abcd” extension. Then it leaves a ransom note in each corrupted folder and tries to change the desktop wallpaper with a LockBit 2.0 banner.
The malware uses RSA asymmetric encryption, which means that the master key cannot be decrypted without the private key.
Before it starts the encryption process, the ransomware exfiltrates the data to an attacker-controlled Amazon S3 bucket. It uses hardcoded AWS credentials for that. Researchers told SecurityWeek.com that:
We suspect the ransomware author to be either using their own AWS account or a compromised AWS account. We came across more than thirty samples possibly from the same author, signaling that this ransomware is being actively developed and tested
Source – SecurityWeek.com
For the moment, they’ve reported the malicious activity to AWS, which suspended the access keys and the associated account.
However, security teams running macOS systems should remain on guard, as the threat remains fully functional.
How to keep macOS systems safe from NotLockBit
DNS filtering as part of a layered defense strategy is one of the most effective ransomware prevention tools.
To steal and encrypt your data, hackers need to deploy the ransomware on your computer. Further on, they must establish a connection with the Command-and-control center to install additional malware. Finally, they’ll have to use another connection to exfiltrate the data to the C2. All these three steps mean the hacker must obtain a connection between the computer and a malicious domain. Here’s where DNS filtering comes into play.
Best DNS security software run engines that can detect and block malicious domains even if no one flags them as such. If an employee opens a phishing email and clicks on a malicious link, the DNS filter will recognize the domain as harmful even if it hasn’t been blacklisted. So, it will block the connection on the spot. No malicious communication, no malware deployment, no harm done.
Check out here how Heimdal’s DNS Security Network uses AI and machine learning based behavior analysis to stop ransomware attacks on various OSes.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube.
