NotLockBit: A Deep Dive Into the New Ransomware Threat
Dec. 19, 2024, 1:39 p.m.
Description
NotLockBit is an emerging ransomware family that mimics LockBit's behavior while targeting both macOS and Windows systems. Distributed as an x86_64 golang binary, it showcases advanced capabilities including targeted file encryption, data exfiltration, and self-deletion mechanisms. The malware gathers system information, generates and encrypts a master key, and writes collected data to text files. It utilizes AWS credentials for data exfiltration, encrypts specific file types while avoiding certain directories, and employs AES encryption. NotLockBit alters the desktop wallpaper and performs self-deletion after execution. The analysis reveals variations in obfuscation and compilation techniques across samples, highlighting its sophistication and evolving nature in the ransomware landscape.
Date
- Created: Dec. 19, 2024, 12:57 p.m.
- Published: Dec. 19, 2024, 12:57 p.m.
- Modified: Dec. 19, 2024, 1:39 p.m.
Indicators
Attack Patterns
- NotLockBit