Heimdal

Researchers warn that NotLockBit, a new malware family mimicking LockBit ransomware, can impact Windows and macOS systems.

The malware appears to be the first fully functional ransomware targeting macOS systems, moving beyond previous proof-of-concept (PoC) samples.

What is NotLockBit Ransomware

Security researchers say NotLockBit is malware written in Go. Like many other ransomware strains, it is built for double extortion, stealing data before locking it; on the host it:

  • it encrypts files to make them unreadable by the victim
  • it deletes shadow copies to prevent data recovery

NotLockBit tags the encrypted files with the “.abcd” extension. It then leaves a ransom note in each affected folder and tries to change the desktop wallpaper to a LockBit 2.0 banner.

The malware protects its master key with RSA asymmetric encryption, which means the master key, and therefore the files, cannot be recovered without the attacker’s private key.
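The two on-disk artifacts described above (the “.abcd” extension and a ransom note repeated in every affected folder) are exactly what a responder would sweep a file share for. The following is an added example written for this article, not Heimdal’s product and not code from the malware: it walks a directory tree, counts “.abcd” files per folder and looks for a small text file that repeats across many folders. The article does not name the ransom-note file, so the note name in the constructed sample tree is a placeholder and the scanner keys on repetition rather than on a fixed name; the size and repetition thresholds are assumptions.

```python
"""Sweep a directory tree for NotLockBit-style artifacts: files renamed to ".abcd"
and a small text file (ransom note) dropped into many folders.
Illustrative defender code; thresholds and the sample note name are assumptions."""
import os
import shutil
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".abcd"      # extension reported in the article
NOTE_MAX_BYTES = 8192        # assumption: ransom notes are small text files
MIN_DIRS_FOR_NOTE = 3        # assumption: same small .txt in >= 3 folders is suspicious


def scan_tree(root):
    """Return per-directory counts of encrypted files and candidate note names."""
    enc_by_dir = defaultdict(int)
    small_txt_dirs = defaultdict(set)   # file name -> set of directories holding it
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                enc_by_dir[dirpath] += 1
                continue
            if lower.endswith(".txt"):
                try:
                    size = os.path.getsize(os.path.join(dirpath, name))
                except OSError:
                    continue               # file vanished or unreadable; skip it
                if size <= NOTE_MAX_BYTES:
                    small_txt_dirs[name].add(dirpath)
    note_candidates = {
        name: sorted(dirs)
        for name, dirs in small_txt_dirs.items()
        if len(dirs) >= MIN_DIRS_FOR_NOTE
    }
    return {
        "encrypted_dirs": dict(enc_by_dir),
        "encrypted_total": sum(enc_by_dir.values()),
        "note_candidates": note_candidates,
    }


def verdict(report):
    """True only when both artifact types are present together."""
    return report["encrypted_total"] > 0 and bool(report["note_candidates"])


def build_sample_tree():
    """Constructed sample: three folders hit, one untouched. Returns the root path."""
    root = tempfile.mkdtemp(prefix="notlockbit_demo_")
    for folder in ("docs", "photos", "finance"):
        path = os.path.join(root, folder)
        os.makedirs(path)
        for i in range(3):
            # constructed "encrypted" payload: random bytes with the .abcd suffix
            with open(os.path.join(path, f"file{i}.pdf{ENCRYPTED_EXT}"), "wb") as f:
                f.write(os.urandom(64))
        # placeholder note name; the real file name is not given in the article
        with open(os.path.join(path, "RESTORE-FILES-placeholder.txt"), "w") as f:
            f.write("constructed ransom note text\n")
    clean = os.path.join(root, "untouched")
    os.makedirs(clean)
    with open(os.path.join(clean, "notes.txt"), "w") as f:
        f.write("ordinary file, present in one folder only\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        report = scan_tree(demo_root)
        print("encrypted files:", report["encrypted_total"])
        print("note candidates:", list(report["note_candidates"]))
        print("ransomware artifacts present:", verdict(report))
    finally:
        shutil.rmtree(demo_root)
```

Run it against a real share by passing the mount point to scan_tree; a folder count in encrypted_dirs also tells you how far the encryption got before it was stopped.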


Before it starts the encryption process, the ransomware exfiltrates the data to an attacker-controlled Amazon S3 bucket, using AWS credentials hardcoded in the sample. Researchers told SecurityWeek.com that:

We suspect the ransomware author to be either using their own AWS account or a compromised AWS account. We came across more than thirty samples possibly from the same author, signaling that this ransomware is being actively developed and tested.

Source – SecurityWeek.com

For the moment, the researchers have reported the malicious activity to AWS, which suspended the access keys and the associated account.

However, security teams running macOS systems should remain on guard, as the threat remains fully functional.


How to keep macOS systems safe from NotLockBit

DNS filtering as part of a layered defense strategy is one of the most effective ransomware prevention tools.

To steal and encrypt your data, hackers first need to deploy the ransomware on your computer. Next, it must establish a connection with its command-and-control (C2) server to install additional malware. Finally, it needs another connection to exfiltrate the data to the C2. All three steps require a connection between the computer and a malicious domain, and that is where DNS filtering comes into play.

The best DNS security software runs engines that can detect and block malicious domains even before anyone flags them as such. If an employee opens a phishing email and clicks a malicious link, the DNS filter recognizes the domain as harmful even if it hasn’t been blacklisted and blocks the connection on the spot. No malicious communication, no malware deployment, no harm done.
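To make the decision described above concrete, here is an added example of a resolver-side filtering policy, written for this article and not Heimdal’s engine: a queried name is blocked if its registrable domain is on a blocklist, and otherwise still blocked when a lexical heuristic (a long, high-entropy label with no vowels or many digits, typical of machine-generated names) judges it suspicious, so a domain nobody has flagged yet can still be stopped. The blocklist and allowlist entries, the thresholds, the naive “last two labels” domain extraction and the log lines are all constructed assumptions.

```python
"""Resolver-side DNS filtering: blocklist lookup plus a lexical heuristic for
never-before-seen domains. Illustrative policy code; list entries, thresholds and
log format are constructed assumptions, not a vendor's engine."""
import math
from collections import Counter

BLOCKLIST = {"example-malicious.test", "example-bad.test"}   # constructed entries
ALLOWLIST = {"example-vendor.test"}                           # constructed entries
MIN_LABEL_LEN = 10          # assumption: short labels are not scored
MIN_ENTROPY = 3.0           # assumption: bits per character
MAX_DIGIT_FRACTION = 0.25   # assumption: digit-heavy labels score as generated


def shannon_entropy(text):
    """Bits per character of the label (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_domain(qname):
    """Naive: last two labels. Assumption; a real filter would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_generated(qname):
    """Lexical heuristic for DGA-like names on the registrable label."""
    label = registrable_domain(qname).split(".")[0]
    if len(label) < MIN_LABEL_LEN:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    high_entropy = shannon_entropy(label) >= MIN_ENTROPY
    return high_entropy and (vowels == 0 or digits / len(label) >= MAX_DIGIT_FRACTION)


def decide(qname):
    """Return (action, reason) for one queried name."""
    domain = registrable_domain(qname)
    if domain in ALLOWLIST:
        return ("allow", "allowlist")
    if domain in BLOCKLIST:
        return ("block", "blocklist")
    if looks_generated(qname):
        return ("block", "heuristic")
    return ("allow", "default")


def process_log(lines):
    """Apply decide() to 'key=value' resolver log lines; returns (client, qname, action, reason)."""
    results = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "q" not in fields:
            continue                      # malformed line; skip rather than guess
        action, reason = decide(fields["q"])
        results.append((fields.get("client", "?"), fields["q"], action, reason))
    return results


# Constructed sample resolver log (not real traffic).
SAMPLE_LOG = [
    "2024-10-24T10:00:01 client=10.0.0.5 q=www.example.com type=A",
    "2024-10-24T10:00:02 client=10.0.0.5 q=c2.example-malicious.test type=A",
    "2024-10-24T10:00:03 client=10.0.0.7 q=xk7q9vz2pl0r.test type=A",
    "2024-10-24T10:00:04 client=10.0.0.7 q=update.example-vendor.test type=A",
    "2024-10-24T10:00:05 client=10.0.0.9 q=security-updates.test type=A",
]

if __name__ == "__main__":
    for client, qname, action, reason in process_log(SAMPLE_LOG):
        print(f"{client:10} {qname:32} {action:5} ({reason})")
```

The heuristic branch is what the article means by blocking a domain that is not yet blacklisted; in production it is one signal among several (domain age, resolution history, reputation), and the allowlist check runs first so a false positive on a known-good vendor name never breaks updates.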

See how Heimdal’s DNS Security Network uses AI- and machine-learning-based behavior analysis to stop ransomware attacks across operating systems.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
