While ransomware on macOS remains a small and unlikely threat, SentinelOne researchers believe that a new malware family dubbed "macOS.NotLockBit" has made advancements that could emerge as a credible threat to Apple computers.
SentinelOne researchers said in an Oct. 22 blog post that ransomware threats for Macintosh computers were mostly in the proof-of-concept (PoC) stage and largely incapable of succeeding in corrupting a system.
SentinelOne gave it the name macOS.NotLockBit because it’s from a different threat actor that's apparently appropriating the LockBit name, and earlier research such as the blog posted by TrendMicro last week did not give it a specific name. Interestingly enough, the SentinelOne researchers noted that LockBit was involved in one of the more credible previous ransomware attempts on macOS to date.
“As stated in our earlier research, previous attempts at ransomware on macOS were never really genuine threats to users, and there are no recorded cases of any organizations paying out a ransom to a threat actor to unlock or retrieve their own files,” explained Phil Stokes, senior researcher at SentinelLabs.
Stokes said there are at least four notable points about this threat:
- Fully developed infrastructure: Unlike other PoCs, this malware was backed by a fully developed infrastructure for exfiltrating and storing victim data, a necessary step in any large-scale campaign where attackers expect to have to deal with large amounts of data from multiple victims. This suggests the attacker has serious ambitions.
- Asymmetric encryption: The malware has a functional asymmetric encryption scheme (unlike, say, EvilQuest/ThiefQuest, which used an amateurish symmetric scheme that made it possible to decrypt files without aid from the attacker), meaning that it would be impossible to decrypt locked files without the attacker’s aid.
- Sophisticated diversion techniques: The malware developer used a LockBit “wallpaper” in an attempt to raise their own credibility and increase the chances of a payout, to misattribute attacks to known groups as a means of diverting attention from law enforcement, or both.
- Indicators of ongoing development: The threat seems to have been discovered before being distributed in an active campaign. However, since the most recent samples SentinelOne discovered date back to May 2024, it’s a reasonable assumption that further work has been done in the interim, and it may not be long before we see the next stage of development from this threat actor.
Past ransomware attempts on macOS
Jason Soroko, senior fellow at Sectigo, pointed out that macOS-focused ransomware such as MacRansom (2017) and EvilQuest (2020) have actively infected macOS systems in the past. NotLockBit encrypts files using asymmetric encryption, which makes recovering the data without the private key far less feasible.
Soroko said the master key used for file encryption is itself encrypted with an RSA-2048 public key, which makes the scheme particularly robust. The ransomware then exfiltrates data to an Amazon S3 bucket for double extortion.
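The difference Stokes and Soroko describe, between EvilQuest's symmetric-only encryption and NotLockBit's RSA-2048-wrapped master key, is what decides whether a responder can ever recover files without dealing with the attacker. The following Go program is an added illustration written for this article, not code from the malware or from SentinelOne's analysis, and it makes no claim about NotLockBit's actual algorithms beyond what the text states (a symmetric master key wrapped with an RSA-2048 public key). The static key, the sample document and the AES-GCM choice are constructed for the example. It contrasts the two designs in memory only: with a key that ships inside the sample, an analyst who extracts it recovers the data; with an envelope scheme, only the holder of the private key, which never touches the victim machine, can unwrap the master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for a symmetric key hard-coded in a sample, the
// EvilQuest/ThiefQuest weakness described above. Derived from a fixed string
// only so the example is reproducible; it is not taken from any real sample.
var embeddedKey = sha256.Sum256([]byte("constructed static key for the example"))

// aesGCMSeal encrypts with AES-256-GCM and prefixes the random nonce.
func aesGCMSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesGCMOpen reverses aesGCMSeal; authentication failure returns an error.
func aesGCMOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// symmetricOnlySeal models the weak design: the key protecting the data is
// the same static key present inside the binary.
func symmetricOnlySeal(plaintext []byte) ([]byte, error) {
	return aesGCMSeal(embeddedKey[:], plaintext)
}

// analystRecoverSymmetric is what a responder can do once that static key is
// pulled out of the sample: decrypt without the attacker's help.
func analystRecoverSymmetric(sealed []byte) ([]byte, error) {
	return aesGCMOpen(embeddedKey[:], sealed)
}

// Envelope is the hybrid design the article attributes to NotLockBit: a random
// master key protects the data, and only an RSA-OAEP-wrapped copy of that key
// is stored next to the ciphertext.
type Envelope struct {
	WrappedMasterKey []byte // RSA-2048 OAEP ciphertext of the 32-byte master key
	Ciphertext       []byte // AES-256-GCM, nonce-prefixed
}

// newKeyPair generates an RSA-2048 pair. In the scheme described, only the
// public half would ever be present on the victim machine.
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// envelopeSeal generates a fresh master key, encrypts the data with it, wraps
// the key with the public key, and then discards the plaintext key.
func envelopeSeal(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		return Envelope{}, err
	}
	ct, err := aesGCMSeal(master, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, master, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedMasterKey: wrapped, Ciphertext: ct}, nil
}

// envelopeOpen needs the matching private key; any other key fails at the
// OAEP unwrap step, so nothing left on the host yields the master key.
func envelopeOpen(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	master, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedMasterKey, nil)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(master, env.Ciphertext)
}

func main() {
	doc := []byte("constructed sample document")
	sealed, _ := symmetricOnlySeal(doc)
	rec, err := analystRecoverSymmetric(sealed)
	fmt.Printf("static-key scheme, analyst recovery: %q err=%v\n", rec, err)

	priv, _ := newKeyPair()
	env, _ := envelopeSeal(&priv.PublicKey, doc)
	other, _ := newKeyPair()
	_, err = envelopeOpen(other, env)
	fmt.Println("envelope scheme, wrong private key:", err)
	pt, err := envelopeOpen(priv, env)
	fmt.Printf("envelope scheme, correct private key: %q err=%v\n", pt, err)
}
```

The point for defenders is in the last two calls: the only artifact left behind by the envelope design is a 256-byte RSA ciphertext of the master key, so analysis of the sample or of the encrypted files cannot substitute for the private key. That is why the article treats a working asymmetric scheme as the dividing line between a proof of concept and a credible threat, and why backups and EDR, rather than post-hoc decryption, are the realistic recovery path.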
“NotLockBit seems to be designed to take advantage of people’s willingness to sometimes click through warning messages, specifically thrown by macOS transparency, consent, and control (TCC) framework,” said Soroko. “TCC in macOS is designed to enhance security, but it’s not perfect, especially when malware is capable of trusted process abuse where attackers leverage legitimate system processes or applications that already have the necessary permissions to bypass macOS TCC. However, in this case, attackers are mostly relying on people ignoring warning messages.”
John Bambenek, president at Bambenek Consulting, added that ransomware for macOS has been somewhat rare and usually confined to distribution via Torrent sites. Bambenek said this family is what researchers consider “modern” ransomware that an attacker could use to lock up a Mac.
“That being said, researchers haven’t seen this in the wild in terms of actually attacking victims and would need some distribution mechanism to infect Macs in an organization as a whole,” said Bambenek. “For now, the only thing teams should be aware of is that the sense of invulnerability they may have to ransomware due to using macOS is now unfounded and they should ensure strong EDR is loaded on corporate devices.”