NotLockBit Ransomware Dissection

NotLockBit ransomware is a sophisticated and dangerous cyber threat that emerged in late 2024, known for its ability to target both Windows and macOS systems. It mimics the behavior of the notorious LockBit ransomware but introduces unique features that make it particularly menacing.

Here’s a detailed breakdown of how NotLockBit operates and what sets it apart:

Key Features of NotLockBit

1. Targeted File Encryption

NotLockBit encrypts victims’ files with a combination of the Advanced Encryption Standard (AES) and Rivest-Shamir-Adleman (RSA) algorithms. Because the two are used together, decrypting the files without the attacker’s key is practically impossible, which adds a layer of complexity to the ransomware.

2. Data Exfiltration

Unlike some traditional ransomware, NotLockBit goes a step further by exfiltrating data before encryption. It transfers stolen data to attacker-controlled repositories, including popular cloud storage services like Amazon S3 buckets. This capability enables attackers to leverage double extortion tactics, threatening to release the data publicly if the ransom is not paid.

3. Self-Deletion Mechanisms

To maximize its impact and hinder recovery efforts, NotLockBit includes self-deletion mechanisms. After encrypting the files, it deletes shadow copies and its own executable from the system. This eliminates potential recovery options, forcing victims to consider paying the ransom.

4. Cross-Platform Compatibility

Written in the Go programming language, NotLockBit maintains cross-platform compatibility, allowing it to target both Windows and macOS systems effectively. This capability broadens its potential victim base and poses a significant threat to users across different operating systems.

5. Advanced Reconnaissance

Before launching its encryption process, NotLockBit conducts extensive reconnaissance to gather system information. It uses tools like the go-sysinfo module to collect details about the target system, enabling it to tailor its attack and avoid detection by security measures.

How NotLockBit Operates

1. Initialization and Reconnaissance

Upon execution, NotLockBit begins by gathering critical system information. It identifies the operating system, network configurations, and connected devices. This reconnaissance phase allows the ransomware to customize its attack strategy based on the specific environment.

2. Encryption Process

Once the reconnaissance is complete, NotLockBit proceeds with the encryption process. It uses the AES and RSA algorithms to encrypt files, renaming each one with a unique identifier followed by a .abcd extension. This ensures that the encrypted files cannot be easily decrypted without the attacker’s key.
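The two traits described above, the appended .abcd extension and AES-encrypted content, are what an incident responder can look for on a suspect host. The following Python triage script is an added example, not code from the page or from the NotLockBit sample: it walks a directory tree and reports files that carry the extension and/or whose byte entropy is close to the 8 bits/byte that cipher output produces. The entropy threshold, the sample size, and the constructed demo tree (including the made-up file name) are assumptions of this example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the page reports NotLockBit appending after the unique identifier.
SUSPECT_EXTENSION = ".abcd"
# Assumption for this example: AES output sits close to 8 bits/byte, while text
# and most uncompressed documents are well below this threshold.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_tree(root: str, sample_bytes: int = 65536) -> list:
    """Walk `root` and report files that look like NotLockBit output:
    the reported .abcd extension and/or encrypted-looking content.
    Only the first `sample_bytes` of each file are read, so large trees stay cheap."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        entropy = shannon_entropy(head)
        has_ext = path.suffix.lower() == SUSPECT_EXTENSION
        high_entropy = entropy >= ENTROPY_THRESHOLD
        if has_ext or high_entropy:
            findings.append({
                "path": str(path),
                "extension_match": has_ext,
                "entropy": round(entropy, 2),
                "high_entropy": high_entropy,
            })
    return findings


def build_demo_tree() -> str:
    """Constructed sample tree for this example: one benign text file and one
    random-content file named the way the page describes (identifier + .abcd)."""
    root = tempfile.mkdtemp(prefix="notlockbit_triage_")
    (Path(root) / "report.txt").write_text("quarterly figures\n" * 200)
    # The identifier "1a2b3c" is made up; os.urandom stands in for ciphertext.
    (Path(root) / "report.txt.1a2b3c.abcd").write_bytes(os.urandom(16384))
    return root


if __name__ == "__main__":
    for finding in triage_tree(build_demo_tree()):
        print(finding)
```

Compressed or legitimately encrypted files (archives, images, disk images) also score near 8 bits/byte, so treat the entropy flag as a triage signal to pair with the extension match and with modification timestamps rather than as a verdict on its own.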

3. Data Exfiltration

Concurrently, NotLockBit exfiltrates sensitive data to attacker-controlled storage locations. By uploading the data to cloud services or remote servers, the attackers can threaten to leak the data publicly if the ransom is not paid, adding pressure on the victims to comply with their demands.
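The upload behaviour described above can be hunted for in egress telemetry. The Python below is an added example, not code from the page: it parses a constructed connection-summary log format, aggregates outbound volume per host, process and destination, and flags uploads to Amazon S3 endpoint names by processes that are not expected to use them. The log field layout (`host=`, `proc=`, `dst=`, `bytes_out=`), the sample lines, the process allowlist and the 100 MiB threshold are all assumptions made for this example; the S3 hostname shapes are the public endpoint forms.

```python
import re
from collections import defaultdict

# Constructed log format for this example, one connection summary per line (not from the page).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) bytes_out=(?P<bytes_out>\d+)$"
)
# Hostname shapes used by Amazon S3: bucket.s3.amazonaws.com, s3.amazonaws.com,
# s3.<region>.amazonaws.com and bucket.s3.<region>.amazonaws.com.
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$", re.IGNORECASE)
# Assumptions for this example: processes allowed to push data to S3, and the
# per-process/per-destination upload volume that should be reviewed.
ALLOWED_UPLOADERS = {"backup-agent.exe", "aws.exe"}
BYTES_OUT_THRESHOLD = 100 * 1024 * 1024  # 100 MiB

# Constructed sample telemetry (not real traffic): a sanctioned backup, normal
# web traffic, a two-part bulk upload by an unexpected process, and a tiny S3 request.
SAMPLE_LOGS = """\
2024-12-01T10:15:02Z host=ws12 proc=backup-agent.exe dst=corp-backups.s3.amazonaws.com:443 bytes_out=734003200
2024-12-01T10:16:40Z host=ws12 proc=updater.exe dst=cdn.example.net:443 bytes_out=1048576
2024-12-01T10:17:03Z host=ws12 proc=svchost_helper.exe dst=drop-1.s3.eu-west-1.amazonaws.com:443 bytes_out=62914560
2024-12-01T10:17:55Z host=ws12 proc=svchost_helper.exe dst=drop-1.s3.eu-west-1.amazonaws.com:443 bytes_out=83886080
2024-12-01T10:18:10Z host=ws07 proc=notes.exe dst=s3.amazonaws.com:443 bytes_out=20480
"""


def parse_logs(text: str) -> list:
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["bytes_out"] = int(rec["bytes_out"])
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def is_s3_endpoint(hostname: str) -> bool:
    """True when the destination name is an Amazon S3 endpoint (anchored at the end,
    so lookalikes such as s3.amazonaws.com.evil.example do not match)."""
    return S3_HOST.search(hostname) is not None


def find_suspicious_uploads(records, allowed=ALLOWED_UPLOADERS, threshold=BYTES_OUT_THRESHOLD) -> list:
    """Aggregate bytes_out per (host, proc, dst) and flag S3-bound totals that
    exceed `threshold` from processes not on the allowlist."""
    totals = defaultdict(int)
    for rec in records:
        totals[(rec["host"], rec["proc"], rec["dst"])] += rec["bytes_out"]
    findings = []
    for (host, proc, dst), total in sorted(totals.items()):
        if is_s3_endpoint(dst) and proc not in allowed and total >= threshold:
            findings.append({"host": host, "proc": proc, "dst": dst, "bytes_out": total})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_uploads(parse_logs(SAMPLE_LOGS)):
        print(f"{f['host']}: {f['proc']} sent {f['bytes_out'] / 2**20:.1f} MiB to {f['dst']}")
```

Aggregating per process and destination matters because an exfiltration of this kind is typically spread over many connections; the second and third sample lines only cross the threshold when summed. The same aggregation works for any other storage provider by swapping the hostname pattern.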

4. Defacement and Self-Deletion

After encrypting the files and exfiltrating data, NotLockBit defaces the victim’s system by changing the desktop wallpaper to display a ransom note. This note typically includes instructions on how to pay the ransom and decrypt the files. Finally, NotLockBit removes its traces, including shadow copies and its own executable, to prevent recovery efforts and leave the victim with no option but to consider paying the ransom.

Mitigation and Protection

Given the advanced capabilities of NotLockBit, it is crucial to implement robust security measures to protect against this ransomware. Here are some recommendations:

  • Regular Backups: Maintain regular backups of critical data and store them in offline or secure cloud locations to ensure recovery in case of an attack.
  • Security Software: Use reputable security software with real-time protection and advanced threat detection to identify and block ransomware activities.
  • Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security for accessing sensitive systems and data.
  • Network Segmentation: Segment the network to limit the spread of ransomware and contain potential damage.
  • User Training: Educate users about phishing attacks and safe computing practices to reduce the risk of ransomware infiltration through social engineering tactics.

By staying vigilant and following these best practices, organizations and individuals can significantly reduce the risk of falling victim to NotLockBit ransomware and other similar threats.

Indicators Of Compromise

  • 14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31
  • 2e62c9850f331799f1e4893698295d0b069ab04529a6db1bfc4f193fe6aded2c
  • a28af0684456c26da769a2e0d29c5a726e86388901370ddf15bd3b355597d564
  • aca17ec46730f5677d0d0a995b65504e97dce65da699fac1765db1933c97c7ec
  • e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac
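A practical use of the list above is a hash sweep across hosts or file shares. The Python below is an added example, not code from the page: it hashes every file under a directory and reports any whose digest matches the indicators. The indicators are 64 hex characters long, so the example treats them as SHA-256 file hashes; the demo tree and its stand-in file are constructed, and the stand-in's hash is passed as a custom indicator set so the check can be exercised without a real sample.

```python
import hashlib
import tempfile
from pathlib import Path

# The indicators listed on this page, treated here as SHA-256 file hashes.
NOTLOCKBIT_SHA256 = {
    "14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31",
    "2e62c9850f331799f1e4893698295d0b069ab04529a6db1bfc4f193fe6aded2c",
    "a28af0684456c26da769a2e0d29c5a726e86388901370ddf15bd3b355597d564",
    "aca17ec46730f5677d0d0a995b65504e97dce65da699fac1765db1933c97c7ec",
    "e02b3309c0b6a774a4d940369633e395b4c374dc3e6aaa64410cc33b0dcd67ac",
}


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_iocs(root, iocs=NOTLOCKBIT_SHA256) -> list:
    """Walk `root` and return (path, sha256) for every file whose hash is in `iocs`.
    Hashes are compared case-insensitively; unreadable files are skipped, not fatal."""
    wanted = {h.lower() for h in iocs}
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            h = sha256_file(path)
        except OSError:
            continue  # locked or permission denied: keep sweeping the rest of the tree
        if h in wanted:
            hits.append((str(path), h))
    return hits


def build_demo_tree() -> str:
    """Constructed sample tree for this example: a benign file plus a stand-in
    'sample' whose hash is fed back in as a custom indicator (no real malware needed)."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    (Path(root) / "readme.txt").write_text("nothing to see here\n")
    (Path(root) / "stand_in.bin").write_bytes(b"constructed stand-in for a flagged binary")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("matches against page IoCs:", scan_for_iocs(root))
    stand_in_hash = sha256_file(Path(root) / "stand_in.bin")
    print("matches against custom IoC set:", scan_for_iocs(root, iocs={stand_in_hash}))
```

Hash indicators only catch the exact builds listed; a rebuilt or repacked binary will not match, so pair this sweep with the behavioural signals (the .abcd extension, shadow copy deletion, unexpected uploads) rather than relying on it alone.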

For more details, refer to the blog
