Sentinelone
Image Credit: Sentinelone

macOS NotLockBit | Evolving Ransomware Samples Suggest a Threat Actor Sharpening Its Tools

  • Researchers at Trend Micro have discovered the first macOS ransomware sample with credible file-locking capabilities; after encrypting a user’s files it masquerades as LockBit ransomware.
  • The ransomware is written in Go and is distributed as an x86_64 binary, so it runs natively only on Intel Macs; on Apple silicon Macs it can run only under Rosetta 2.
  • NotLockBit’s public key is used to encrypt a randomly generated master key; the master key drives the subsequent file encryption, and only its public-key-encrypted form is written to a README.txt file deposited in each folder containing encrypted files, so the master key cannot be recovered from the note without the corresponding private key.
  • The malware attempts to use osascript to change the Desktop wallpaper and display a LockBit 2.0 banner.
  • Prior to the file locking operation, the malware attempts to exfiltrate the user’s data to a remote server via AWS S3 cloud storage.
  • SentinelOne has discovered a set of related Mach-O samples and provides indicators of compromise for this set of samples and discusses how they have changed across versions.
  • The samples fall into three groups and are entirely stripped of symbolic information, which hinders static analysis.
  • SentinelOne customers are protected from all known variants of macOS.NotLockBit through a multi-engine platform that combines static and dynamic AI, ensuring that the latest threats are stopped pre-execution and on-execution.
  • Ransomware on macOS remains a small and still unlikely threat, but it is apparent that threat actors have understood that the double-extortion method (exfiltrate first, then encrypt) that works so well on other platforms is equally viable on Apple’s desktop platform.
  • For now, the threat actor’s AWS accounts have been removed and there are no known victims or distribution methods in the wild.
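Two of the triage facts above, the binary's architecture (x86_64, so Intel-native and Rosetta 2 on Apple silicon) and the absence of symbols, can be read directly from the Mach-O header and its load commands. The Python below is an added example for this page, not SentinelOne's tooling and not code from the samples: it parses a thin 64-bit Mach-O header, walks the load commands for LC_SYMTAB, and reports the CPU type and symbol count. The two images it builds are constructed in memory to exercise the parser and are not real NotLockBit samples; the script name used in the usage comment is assumed.

```python
"""Triage a Mach-O executable: report its CPU architecture (hence whether an
x86_64-only build needs Rosetta 2 on Apple silicon) and whether its symbol
table has been stripped.  Added illustration, not SentinelOne's or the
malware's code; the sample bytes below are constructed, not real samples."""
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF  # 64-bit Mach-O, fields in little-endian order
MH_CIGAM_64 = 0xCFFAEDFE  # 64-bit Mach-O with byte-swapped fields
FAT_MAGICS = (0xCAFEBABE, 0xBEBAFECA)  # universal (fat) binary, either byte order
LC_SYMTAB = 0x2           # load command describing the symbol table
HEADER_LEN = 32           # sizeof(struct mach_header_64)
CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64", 0x00000007: "i386"}


def parse_macho(data: bytes) -> dict:
    """Return architecture and symbol-table facts for a thin 64-bit Mach-O.

    Fat binaries are reported as such so the caller can split them first
    (e.g. with `lipo -thin`); their slices are not walked here.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("too short to hold a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in FAT_MAGICS:
        return {"format": "fat", "arch": None, "nsyms": None, "stripped": None}
    if magic == MH_MAGIC_64:
        end = "<"
    elif magic == MH_CIGAM_64:
        end = ">"
    else:
        raise ValueError("not a 64-bit Mach-O image")

    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    _, cputype, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(end + "IiiIIIII", data, 0)
    arch = CPU_TYPES.get(cputype, hex(cputype & 0xFFFFFFFF))

    nsyms = None
    off = HEADER_LEN
    limit = HEADER_LEN + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > limit or off + 8 > len(data):
            raise ValueError("load commands overrun the header or the file")
        cmd, cmdsize = struct.unpack_from(end + "II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command size")
        if cmd == LC_SYMTAB and cmdsize >= 24:
            # symtab_command: cmd, cmdsize, symoff, nsyms, stroff, strsize
            _, nsyms, _, _ = struct.unpack_from(end + "IIII", data, off + 8)
        off += cmdsize

    return {
        "format": "thin",
        "arch": arch,
        "nsyms": nsyms,
        # Crude heuristic: no LC_SYMTAB or zero entries.  Stripped binaries often
        # keep imported (undefined) symbols, so the raw count is reported as well.
        "stripped": nsyms is None or nsyms == 0,
        # An x86_64 thin binary is native on Intel Macs and needs Rosetta 2 on Apple silicon.
        "needs_rosetta_on_apple_silicon": arch == "x86_64",
    }


def build_sample(cputype: int, nsyms: int) -> bytes:
    """Constructed minimal image: header plus a single LC_SYMTAB command.
    Not derived from any real sample; just enough to exercise parse_macho()."""
    symtab = struct.pack("<IIIIII", LC_SYMTAB, 24, 0, nsyms, 0, 0)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 0x3, 0x2, 1, len(symtab), 0, 0)
    return header + symtab


if __name__ == "__main__":
    # Usage (assumed script name): python3 macho_triage.py /path/to/binary
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(parse_macho(fh.read(1 << 20)))  # load commands live at the start of the file
    else:
        print(parse_macho(build_sample(0x01000007, 0)))   # x86_64, no symbol entries
        print(parse_macho(build_sample(0x0100000C, 42)))  # arm64, 42 symbol entries
```

The `stripped` flag is only a first-pass signal: a binary run through `strip` normally retains the undefined symbols the dynamic linker needs, so a non-zero but small `nsyms` still points at a stripped image, and a universal binary has to be thinned before its per-architecture slices can be inspected this way.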
