Mysterious NotLockBit Ransomware Attacks Windows & Mac


Cybersecurity experts have uncovered a sophisticated new ransomware strain dubbed NotLockBit, which is capable of breaching both macOS and Windows systems — something that even its predecessor, the infamous LockBit, struggled to achieve.

This development comes in the wake of the December 20, 2024, U.S. Department of Justice announcement revealing the arrest of a dual Russian-Israeli national allegedly responsible for developing the original LockBit ransomware.

With LockBit’s empire now dismantled, a power vacuum in the ransomware world seems to have given rise to NotLockBit, which impersonates its predecessor while operating in stealth.

Techopedia explores the mystery behind NotLockBit’s tactics, its implications for cybersecurity, and what its rise signals for the future of ransomware.

Key Takeaways

  • NotLockBit is a new ransomware strain capable of breaching macOS and Windows systems.
  • It impersonates the notorious LockBit while using advanced stealth tactics.
  • The ransomware self-deletes after encrypting and exfiltrating data to avoid detection.
  • Cybersecurity experts are investigating its connection to the now-defunct LockBit group.
  • NotLockBit signals the rise of cross-platform ransomware with growing sophistication.

Unlike traditional ransomware groups that seek notoriety by claiming the credit, NotLockBit hides in the shadows, leaving more questions than answers.

Its cross-platform compatibility, advanced encryption methods, and ability to self-delete make it quite the threat. Could this be the work of an entirely new actor, or is LockBit quietly continuing its legacy under a new guise?


LockBit, which terrorized all industries with ransomware attacks, was the leading ransomware-as-a-service (RaaS) player. The power vacuum left behind is believed to play a role in the development of NotLockBit.

The developers, distributors, and infrastructure of those behind NotLockBit are unknown — a rare case in the ransomware industry.

Unlike other ransomware attacks, where cybercriminals thrive and gain a reputation by claiming credit for their malware, NotLockBit chooses to play in the shadows and impersonates LockBit.

It is dubbed NotLockBit because it claims to be LockBit in its ransom notes and imitates LockBit’s technical tactics and attack techniques.

As mentioned, this malware can breach both macOS and Windows — a feat that even LockBit failed to accomplish in its days of glory due to the security level of Apple devices.

Let’s dive into how it does that.

NotLockBit: In and Out, Encrypt-Extract, and Self-Delete

On December 18, Qualys threat research experts released the latest investigation into NotLockBit ransomware samples.

Their analysis found that the ransomware first gathers critical information about the breached Mac and then generates the encryption key, encrypts, and exfiltrates data.

The attack ends with a screen on which the attackers claim, in their ransom note, to be LockBit.

Ransomware note left by NotLockBit, pretending to be LockBit. (Qualys)

Interestingly, NotLockBit deletes itself afterwards to leave no digital footprint behind.

Qualys experts described NotLockBit as “having a high degree of sophistication while maintaining compatibility with two operating systems (Mac and Windows), making it cross-platform capable”.

Their investigation also found that this threat is “evolving in the ransomware landscape”.

NotLockBit From Early Days to Today’s Encryption

NotLockBit was first reported by Trend Micro on October 16, 2024. By then, the LockBit gang was out of the picture, and upcoming gangs, such as RansomHub, were in full swing.

So far, several NotLockBit samples have been found. The developers appear to be refining the malware across iterations and versions, probably seeking greater stealth and evasion: at the time of writing, the samples are flagged by about half of the security vendors listed in VirusTotal scans, as seen in the image below.

NotLockBit VirusTotal scan: The sample is flagged by about half of security vendors. (Qualys)

Like much modern ransomware, NotLockBit is written in the Go programming language, chosen for fast development cycles, cross-platform compatibility, and robust performance.

Qualys’s full analysis of the samples (corresponding hashes below) is exhaustive, clear, and a must-read for all ransomware cybersecurity experts.

Hashes of the NotLockBit samples analyzed by Qualys:

  • e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac
  • 14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31

From Breach to Encryption Keys

The first thing NotLockBit ransomware does on a macOS environment is gather critical system information. This includes data about the host’s hardware, software, and network configuration. The network configuration data can later be used for lateral movement through an enterprise’s infrastructure.

This ransomware then generates and encrypts the Master Key.

“The process begins by generating a random value, which serves as the foundation for encryption,” the Qualys report reads.

“This random value is then encrypted using the RSA details (exponent and modulus) extracted from the PEM file. The RSA encryption algorithm utilizes these components to securely encrypt the random value, ensuring that only the corresponding private key can decrypt it.”

Qualys researchers shared what the encryption text file that NotLockBit malware sample they analyzed writes looks like. (Qualys)
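The key-wrapping step Qualys describes, as an added example in Go (the language NotLockBit is written in). This is illustrative code written for this article, not the malware’s code or Qualys’s; the key pair it uses is a constructed throwaway, since the attacker’s key is not on the page. It shows why a victim holding only the binary, and therefore only the public key, cannot recover the master key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// wrapMasterKey mirrors the step Qualys describes: extract the RSA public key
// (modulus and exponent) from a PEM block, draw a random 256-bit master key, and
// RSA-OAEP-encrypt it so only the matching private key can recover the plaintext.
func wrapMasterKey(pemBytes []byte) (masterKey, wrapped []byte, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, nil, fmt.Errorf("no PUBLIC KEY PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := key.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, nil, fmt.Errorf("PEM block does not hold an RSA public key: %v", err)
	}
	masterKey = make([]byte, 32)
	if _, err = rand.Read(masterKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, masterKey, nil)
	return masterKey, wrapped, err
}

// unwrapMasterKey needs the private key, which a sample never carries: the master key cannot be recovered from the binary alone.
func unwrapMasterKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// roundTrip uses a constructed throwaway key pair standing in for the attacker's (not from the page).
func roundTrip() (int, bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	master, wrapped, err := wrapMasterKey(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	got, err2 := unwrapMasterKey(priv, wrapped)
	return len(wrapped), err == nil && err2 == nil && string(got) == string(master)
}

func main() {
	n, ok := roundTrip()
	fmt.Printf("wrapped key: %d bytes; private-key holder recovered it: %v\n", n, ok)
}
```

With a 2048-bit key the wrapped master key is always 256 bytes, which is the size of the blob the victim is left with while the 32-byte plaintext key exists only in the attacker’s hands.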

Is NotLockBit on Amazon Web Services?

To exfiltrate data (a technical word for stealing), NotLockBit transfers all encrypted files to a storage repository under the attacker’s control.

“This repository is typically configured as an Amazon S3 bucket or another form of remote storage server,” Qualys said.

Amazon is aware of NotLockBit operations leveraging Amazon Web Services (AWS).

In October 2024, Amazon was contacted by Trend Micro for a response to their NotLockBit investigation.

Amazon told Trend Micro that “ransomware is not specific to any computing environment in particular” and “the activity identified violates the AWS acceptable use policy”. Beyond that, the company has not commented.

In ransomware, data exfiltration means that even if the victim pays the ransom, the attackers will still have a copy of the data. This data can then be used for double or triple extortions, leaked, or sold over and over again on the dark web.

Authorities recommend that companies not pay ransoms to cybercriminals, as payment is no guarantee of safety.

NotLockBit is also coded to search specifically for personal or company data by filtering file types.

Finally, NotLockBit takes over the victims’ screen with a message that impersonates LockBit, as seen in some of our sample images.

For its last trick, NotLockBit deletes itself to erase its digital footprint, removing its own binary through unlink activity.

Qualys researchers found evidence that this new ransomware is being improved for evasion and stealth. Qualys said:

“Across analyzed samples, differences in binary data were observed: some samples retained visible function names, while others used obfuscated names, and a few were fully stripped.

“This variation highlights differing levels of obfuscation and compilation techniques across samples. In one of the samples, exfiltration was entirely omitted, leaving only encryption functionality, demonstrating a targeted and distinct approach.”

Dark Web Chatter: Is NotLockBit LockBit 4.0?

As mentioned, NotLockBit breaks the mold for ransomware-as-a-service malware. There is little to no mention of it, and no one seems to be distributing the malware — at least not at scale.

Copycat LockBit ransomware versions have been identified in the wild, increasingly often as LockBit lost its dark web ransomware crown. However, even though LockBit has been dismantled, its presence on the dark web is far from gone.

RansomHub offers its hacking and ransomware services for $1,000 openly on Telegram. (Screenshot / Techopedia)

Techopedia found that the emerging RaaS group RansomHub recently reshared a post from LockBit on December 19, 2024. The post claimed LockBit was offering ‘something new’ that could likely be LockBit 4.0.

LockBit 4.0 is believed to be the most powerful version of the now allegedly defunct LockBit group. However, besides rumors and speculations, there is no public evidence it exists.

LockBit appears to be still sharing unknown resources, which some claim are LockBit 4.0. (Screenshot / Techopedia)

It is not common for ransomware gangs to operate malware capable of breaching macOS. However, RansomHub seems to have a history with these techniques. Cybersecurity experts believe RansomHub is a modified variant of the Knight ransomware, also known as Cyclops.

Cyclops ransomware, rebranded as Knight, is a multi-platform malware that targets Windows, macOS, and Linux operating systems. RansomHub, believed to be the most prolific ransomware threat today, has attracted the attention of the FBI and CISA for months.

Techopedia spoke to Amir Sadon, Director of IR Research at the security incident response company Sygnia, about how LockBit’s case affects the ransomware industry.

“Since LockBit’s disappearance earlier this year, their absence has left a substantial gap, allowing new groups to emerge and established players, like RansomHub, to solidify their dominance in the ransomware industry.”

“LockBit 4.0 is expected to significantly influence the ransomware ecosystem, particularly within Ransomware-as-a-Service (RaaS) syndicates,” Sadon said.

The Bottom Line

Is NotLockBit connected to the LockBit operation? Is an emerging group like RansomHub involved in the development and distribution of NotLockBit?

Why has no group claimed responsibility for NotLockBit, and why have no attacks been identified despite the numerous malware samples found? Could NotLockBit simply be a copycat operator?

All these questions are, to date, unanswered. This makes NotLockBit a dangerous dark web mystery.

NotLockBit shows us the future of ransomware, a trend that has been on the rise: breaching Apple devices and macOS.

If NotLockBit is distributed under RaaS models, this ransomware has the potential to cause more damage than LockBit itself.

While those behind this malware have not perfected its stealth, ransomware that can breach different operating systems is coming fast.

Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.