NotLockBit, a recently identified ransomware family that encrypts macOS and Windows systems, has mimicked some tactics of the LockBit gang, while also adding new features.
The ransomware demonstrates advanced capabilities, such as targeted file encryption, data exfiltration, and self-deletion mechanisms.
It uses the go-sysinfo module to collect detailed information about the victim's host, and it decodes an embedded RSA public key stored in PEM (Privacy-Enhanced Mail) format.
The malware then generates a random value and encrypts it with that RSA public key, so only the holder of the matching private key (the attacker) can recover it. It writes the collected host information to a text file and exfiltrates it to the attackers so that they retain access to sensitive information.
NotLockBit encrypts files with AES and uses RSA to protect the AES key material (a hybrid scheme), and it restricts encryption to specific file types selected by extension.
After encryption, the ransomware replaces the desktop wallpaper with a custom LockBit-branded ransom banner, deletes Volume Shadow Copies on Windows to hinder recovery, and finally removes its own binary, a self-deletion mechanism intended to eliminate traces from the victim's system.
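An added detection example, not from the article, for the two post-encryption behaviours above, run over constructed process-creation events. The article does not say which commands NotLockBit uses to delete shadow copies or to remove itself, so the vssadmin/wmic patterns and the shell delete verbs are assumptions drawn from common ransomware tradecraft; the self-deletion rule keys on a child process whose command line deletes its own parent's image path, which separates it from ordinary file cleanup.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a minimal process-creation record with the fields a Sysmon
// event ID 1 or an EDR telemetry row would carry. Constructed for this example.
type ProcEvent struct {
	ParentImage string // full path of the parent process
	Image       string // full path of the new process
	CommandLine string
}

// shadowCopyPatterns are common ways Windows ransomware removes Volume Shadow
// Copies. The article does not say which technique NotLockBit uses, so this
// list is an assumption drawn from generic ransomware tradecraft.
var shadowCopyPatterns = []string{
	"vssadmin delete shadows",
	"vssadmin resize shadowstorage",
	"wmic shadowcopy delete",
	"win32_shadowcopy",
}

// deleteVerbs covers the shell built-ins and cmdlets a self-removal one-liner
// would use on Windows and macOS (assumption, see above).
var deleteVerbs = []string{" del ", " erase ", "remove-item", "rm -f", "rm -rf"}

// normalize lower-cases and collapses whitespace so matching is not defeated
// by casing or extra spaces; the padding spaces let " del " match at the edges.
func normalize(s string) string {
	return " " + strings.ToLower(strings.Join(strings.Fields(s), " ")) + " "
}

// Classify returns the names of the detections an event triggers.
func Classify(ev ProcEvent) []string {
	var hits []string
	cmd := normalize(ev.CommandLine)
	for _, p := range shadowCopyPatterns {
		if strings.Contains(cmd, p) {
			hits = append(hits, "shadow_copy_deletion")
			break
		}
	}
	// Self-deletion: a child (typically a shell) is told to delete the file its
	// own parent is running from.
	parent := strings.ToLower(ev.ParentImage)
	if parent != "" && strings.Contains(cmd, parent) {
		for _, v := range deleteVerbs {
			if strings.Contains(cmd, v) {
				hits = append(hits, "self_deletion")
				break
			}
		}
	}
	return hits
}

// sampleEvents is a constructed telemetry slice: three malicious patterns and
// two benign commands that must not fire.
var sampleEvents = []ProcEvent{
	{`C:\Users\victim\Downloads\update.exe`, `C:\Windows\System32\cmd.exe`,
		`cmd.exe /c vssadmin Delete Shadows /All /Quiet`},
	{`C:\Users\victim\Downloads\update.exe`, `C:\Windows\System32\cmd.exe`,
		`cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\victim\Downloads\update.exe"`},
	{`/Applications/Installer.app/Contents/MacOS/installer`, `/bin/sh`,
		`/bin/sh -c "rm -f /Applications/Installer.app/Contents/MacOS/installer"`},
	{`C:\Windows\explorer.exe`, `C:\Windows\System32\cmd.exe`,
		`cmd.exe /c del /q C:\Users\victim\Desktop\old-notes.txt`},
	{`C:\Windows\System32\svchost.exe`, `C:\Windows\System32\vssadmin.exe`,
		`vssadmin list shadows`},
}

// HuntSample runs Classify over the constructed events and returns, per event
// index, the detections that fired (events with no hits are omitted).
func HuntSample() map[int][]string {
	out := map[int][]string{}
	for i, ev := range sampleEvents {
		if hits := Classify(ev); len(hits) > 0 {
			out[i] = hits
		}
	}
	return out
}

func main() {
	for i, hits := range HuntSample() {
		fmt.Printf("event %d: %s\n", i, strings.Join(hits, ", "))
	}
}
```

Events 0 to 2 fire (shadow copy deletion, then two self-deletions, one Windows and one macOS); the benign `del` of a user file and the read-only `vssadmin list shadows` do not. In production the parent-path match should also tolerate 8.3 short names and quoting differences, and the shadow-copy rule should be joined with the process ancestry (a shell spawned by an unsigned binary in a user-writable directory is far more suspicious than one spawned by a backup agent).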
This finding highlights the need for proactive endpoint detection, threat hunting, and incident response capabilities to combat such advanced ransomware attacks effectively.