The ransomware epidemic may have been stopped by recent law enforcement operations that disrupted attack infrastructure, led to the arrest of cybercriminals, and broke up some threat groups, but this would be wrong as well. A recent study on the cross-platform, self-deleting NotLockBit ransomware assault has confirmed that the threat is not only still present but is also evolving. Here's what Windows and macOS users should know.
Pranita Pradeep Kulkarni, a senior engineer of threat research at Qualys, has revealed in a recently published technical deep dive into the NotLockBit ransomware assault family that the threat is not only cross-platform but also sophisticated in using a self-deleting mechanism to mask attacks.
The NotLockBit malware is named after the fact that it "actively mimics the behaviour and tactics of the well-known LockBit ransomware," according to Kulkarni. It targets macOS and Windows systems and illustrates "a high degree of sophistication while maintaining compatibility with both operating systems, highlighting its cross-platform capabilities." The latest investigation revealed that the current evolution of the NotLockBit ransomware has many advanced capabilities: targeted file encryption, data exfiltration and self-deletion mechanisms.
NotLockBit encrypts files after stealing data and moving it to storage under the attacker's control so that it can be exploited for extortion, just like the majority of ransomware currently. Depending on how sensitive it is, such data can be sold to the highest criminal bidder or held hostage in exchange for publication on a leaked website.
However, NotLockBit can delete itself to conceal any proof of the cyberattack, unlike other ransomware. According to Kulkarni, "the malware uses unlink activity to remove itself after it has finished operating; this is a self-removal mechanism designed to delete any evidence of its existence from the victim's system."
Files with extensions like.csv, .doc, .png, .jpg, .pdf, .txt, .vmdk, .vmsd, and .vbox are the main targets of NotLockBit, according to samples examined by Qualys, "because they frequently represent valuable or sensitive data typically found in personal or professional environments.”
The investigation into NotLockBit ransomware exposed an increasingly sophisticated threat, the report concluded, and one that the researcher said, continues to evolve in order to maximize its impact.
“It employs a combination of targeted encryption strategies, deceptive methods like mimicking well-known ransomware families,” Kulkarni concluded, “self-deletion mechanisms to minimize forensic traces.”