It would be nice to think that recent law enforcement operations, which have disrupted attack infrastructure, led to the arrests of cybercriminals and broken up certain threat groups, had put a stop to the ransomware epidemic. That would be wrong. The ransomware threat is not only very much alive but still evolving, as a newly published research analysis of NotLockBit, a cross-platform, self-deleting ransomware family, confirms. Here’s what Windows and Mac users need to know.
The NotLockBit Cyberattack Threat To Windows And Mac Users
A newly published technical deep dive into the NotLockBit ransomware family, written by Pranita Pradeep Kulkarni, senior engineer of threat research at Qualys, confirms that the threat is not only cross-platform but also devious, employing a self-deleting mechanism to obscure its attacks. The malware family itself isn’t new; I published an Oct. 28 report on NotLockBit attacking Intel-powered Apple Macs. But the threat is constantly evolving.
The NotLockBit malware gets its name from the fact that it “actively mimics the behavior and tactics of the well-known LockBit ransomware,” Kulkarni said. It targets both macOS and Windows systems, showcasing “a high degree of sophistication while maintaining compatibility with both operating systems, highlighting its cross-platform capabilities.” The latest analysis shows that the current evolution of NotLockBit combines several advanced capabilities: targeted file encryption, data exfiltration and self-deletion mechanisms.
Self-Deleting Cyberattack Tries To Erase Traces Of Itself From The Victim’s System
Like pretty much all ransomware these days, NotLockBit exfiltrates data to storage under the attacker’s control before encrypting files, so that the stolen data can be used for extortion. Depending on its sensitivity, such data can be held to ransom under threat of publication on a leak site or sale to the highest criminal bidder.
Unlike most ransomware, however, NotLockBit then deletes itself to hide traces of the cyberattack. “After completing its execution, the malware deletes itself through unlink activity,” Kulkarni said, “this is a self-removal mechanism designed to eliminate traces of its presence from the victim’s system.” A practitioner caveat: on macOS, unlink is the POSIX call that removes a file’s directory entry, so what disappears is the dropped executable. The encrypted files, any ransom note, process execution records and whatever endpoint telemetry was captured while the malware ran all remain, and until the process exits the running binary it holds open is still visible to live-response tools. Detection therefore has to key on behaviour during execution rather than on finding a binary afterwards. Based on samples analyzed by Qualys, NotLockBit primarily targets files with the extensions .csv, .doc, .png, .jpg, .pdf, .txt, .vmdk, .vmsd and .vbox “as they often represent valuable or sensitive data typically found in personal or professional environments.”
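The two behaviours described above, mass writes to files with the listed extensions followed by a process unlinking its own executable, are exactly what a threat hunter would look for in endpoint telemetry. The following is an added example written for this article, not code from Qualys or from the report: a small hunt over a constructed, simplified event stream (one JSON object per line with ts, pid, image, action and target fields, standing in for EDR or auditd output). The field names, the sample events, the thresholds and the severity labels are all assumptions for the example; real products use different schemas and only the field mapping needs to change.

```python
"""Hunt for NotLockBit-style behaviour in endpoint telemetry.

Added example, not code from the article or from Qualys. The input is a
constructed stand-in for EDR/auditd-style telemetry: one JSON object per
line with ts, pid, image (process executable path), action
(exec/connect/write/unlink) and target. Field names are assumptions.
"""
import json
from collections import defaultdict
from pathlib import PurePosixPath

# File extensions Qualys reported NotLockBit selecting for encryption.
TARGET_EXTS = {".csv", ".doc", ".png", ".jpg", ".pdf", ".txt",
               ".vmdk", ".vmsd", ".vbox"}

# Thresholds are assumptions for this example; tune them per environment.
MIN_FILES = 5          # writes to target-extension files by one process
MIN_DISTINCT_EXTS = 3  # spread across several types, unlike a normal app

# Constructed sample telemetry (not a real capture). Raw string so the JSON
# keeps its escaped backslashes in the Windows paths.
SAMPLE_EVENTS = r"""
{"ts":1,"pid":4242,"image":"/private/tmp/.updater","action":"exec","target":"/private/tmp/.updater"}
{"ts":2,"pid":4242,"image":"/private/tmp/.updater","action":"connect","target":"203.0.113.10:443"}
{"ts":3,"pid":4242,"image":"/private/tmp/.updater","action":"write","target":"/Users/alice/Documents/q3.csv"}
{"ts":4,"pid":4242,"image":"/private/tmp/.updater","action":"write","target":"/Users/alice/Documents/notes.txt"}
{"ts":5,"pid":4242,"image":"/private/tmp/.updater","action":"write","target":"/Users/alice/Pictures/IMG_0001.JPG"}
{"ts":6,"pid":4242,"image":"/private/tmp/.updater","action":"write","target":"/Users/alice/Desktop/contract.pdf"}
{"ts":7,"pid":4242,"image":"/private/tmp/.updater","action":"write","target":"/Users/alice/VMs/dev.vmdk"}
{"ts":8,"pid":4242,"image":"/private/tmp/.updater","action":"write","target":"/Users/alice/VMs/dev.vbox"}
{"ts":9,"pid":4242,"image":"/private/tmp/.updater","action":"unlink","target":"/private/tmp/.updater"}
{"ts":10,"pid":7001,"image":"/private/tmp/pkg-cleanup","action":"exec","target":"/private/tmp/pkg-cleanup"}
{"ts":11,"pid":7001,"image":"/private/tmp/pkg-cleanup","action":"unlink","target":"/private/tmp/pkg-cleanup"}
{"ts":12,"pid":5150,"image":"C:\\Windows\\System32\\notepad.exe","action":"write","target":"C:\\Users\\bob\\Documents\\todo.txt"}
{"ts":13,"pid":5150,"image":"C:\\Windows\\System32\\notepad.exe","action":"unlink","target":"C:\\Users\\bob\\Documents\\~todo.tmp"}
"""


def extension(path: str) -> str:
    """Lower-cased suffix of a Windows or POSIX path ('' if none)."""
    return PurePosixPath(path.replace("\\", "/")).suffix.lower()


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events: list[dict]) -> dict[int, dict]:
    """Return findings keyed by pid for processes showing ransomware traits."""
    per_pid = defaultdict(lambda: {"image": None, "written": set(),
                                   "remote": set(), "self_delete": False})
    for ev in sorted(events, key=lambda e: e["ts"]):
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        action, target = ev["action"], ev["target"]
        if action == "write" and extension(target) in TARGET_EXTS:
            rec["written"].add(target)
        elif action == "connect":
            rec["remote"].add(target)   # possible exfiltration channel
        elif action == "unlink" and target == ev["image"]:
            # The process removed its own executable: the unlink-based
            # self-deletion the report describes.
            rec["self_delete"] = True

    findings = {}
    for pid, rec in per_pid.items():
        exts = {extension(p) for p in rec["written"]}
        mass_write = (len(rec["written"]) >= MIN_FILES
                      and len(exts) >= MIN_DISTINCT_EXTS)
        if mass_write and rec["self_delete"]:
            severity = "high"
        elif mass_write or rec["self_delete"]:
            # Installers and cleanup scripts also unlink themselves; one
            # trait alone is a lead to triage, not a verdict.
            severity = "medium"
        else:
            continue
        findings[pid] = {
            "image": rec["image"],
            "severity": severity,
            "files": len(rec["written"]),
            "extensions": sorted(exts),
            "self_delete": rec["self_delete"],
            "remote": sorted(rec["remote"]),
        }
    return findings


if __name__ == "__main__":
    for pid, finding in hunt(parse_events(SAMPLE_EVENTS)).items():
        print(pid, finding)
```

On the constructed sample, pid 4242 scores high (six target-extension files across six types, an outbound connection before the writes, then self-deletion), pid 7001 scores medium on self-deletion alone, and notepad’s single write is ignored. The point of the two-trait scoring is the caveat above: self-deletion removes the binary, not the behaviour that preceded it, so the hunt pairs the unlink with the write pattern rather than treating either on its own as a verdict.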
The investigation into NotLockBit revealed an increasingly sophisticated threat, the report concluded, and one that, as I’ve said, continues to evolve in order to maximize its impact. “It employs a combination of targeted encryption strategies, deceptive methods like mimicking well-known ransomware families,” Kulkarni concluded, “self-deletion mechanisms to minimize forensic traces.” Qualys’ recommendation is that users treat this as a critical need for “proactive endpoint detection, threat hunting and incident response capabilities” if such ransomware campaigns are to be effectively mitigated.