Category | Details |
---|---|
Threat Actors | NotLockBit ransomware operators. |
Campaign Overview | NotLockBit is a new ransomware family that imitates LockBit's appearance and tactics but is a distinct strain. Its Go builds run on both macOS and Windows; the operation encrypts files, exfiltrates data to AWS S3, and then deletes its own binary to hinder analysis. |
Target Regions/Victims | Global targeting, with emphasis on macOS and Windows users. |
Methodology | Initial access via phishing and exploitation of public-facing applications; file encryption; data exfiltration to AWS S3 using the AWS SDK; self-deletion of the binary after execution. |
Product Targeted | Personal and business documents, virtual machine files, and AWS credentials. |
Malware Reference | NotLockBit ransomware, written in Go programming language. |
Tools Used | AWS SDK for Go v2 (S3 uploads for exfiltration), the macOS osascript command (used to replace the desktop wallpaper), and a hybrid AES/RSA encryption scheme (files encrypted with AES, the AES key protected with RSA). |
Vulnerabilities Exploited | Initial-access techniques rather than specific CVEs: exploitation of public-facing applications (MITRE ATT&CK T1190) and phishing (T1566). |
TTPs | Reconnaissance, file encryption (AES/RSA), exfiltration to S3, desktop wallpaper replacement, self-deletion, and impersonation of the LockBit brand. |
Attribution | Analyzed by Qualys and identified as a distinct strain mimicking LockBit’s tactics and appearance. |
Recommendations | Strengthen endpoint detection on macOS as well as Windows; patch internet-facing applications; train users to recognise phishing; monitor for anomalous AWS credential use and S3 uploads; maintain a rehearsed incident response plan. |
Source | Qualys |
Read full article: https://blog.qualys.com/vulnerabilities-threat-research/2024/12/18/notlockbit-a-deep-dive-into-the-new-ransomware-threat
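Of the recommendations in the table, "monitor AWS credentials" is the one that most directly turns into a detection, because the exfiltration path runs through S3 via the AWS SDK for Go v2. The program below is an added example written for this page; it is not code from Qualys and not taken from the NotLockBit sample. It parses a constructed batch of CloudTrail records, keeps only S3 PutObject calls whose User-Agent begins with `aws-sdk-go-v2/` (the prefix AWS SDK for Go v2 clients send), drops uploads to buckets on an allowlist, and raises a finding once one principal has pushed enough objects into an unlisted bucket. The bucket allowlist, the threshold, the principal ARNs and every record are assumptions made up for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// cloudTrailEvent is the subset of a CloudTrail record this detector inspects.
type cloudTrailEvent struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	UserAgent    string `json:"userAgent"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters struct {
		BucketName string `json:"bucketName"`
	} `json:"requestParameters"`
}

// Finding is one (principal, bucket) pair that crossed the upload threshold.
type Finding struct {
	Principal string
	Bucket    string
	Uploads   int
	UserAgent string
}

// SampleLog is CONSTRUCTED for this example; it is not real telemetry.
// Three Go-SDK uploads go to an unlisted bucket, one Go-SDK upload goes to an
// approved bucket, one upload comes from the AWS CLI, and one event is a read.
const SampleLog = `{"Records":[
 {"eventTime":"2024-12-18T10:00:01Z","eventSource":"s3.amazonaws.com","eventName":"PutObject",
  "userAgent":"aws-sdk-go-v2/1.30.0 os/macos lang/go#1.22 md/GOOS#darwin",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/laptop-sync"},
  "requestParameters":{"bucketName":"unlisted-drop-bucket"}},
 {"eventTime":"2024-12-18T10:00:02Z","eventSource":"s3.amazonaws.com","eventName":"PutObject",
  "userAgent":"aws-sdk-go-v2/1.30.0 os/macos lang/go#1.22 md/GOOS#darwin",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/laptop-sync"},
  "requestParameters":{"bucketName":"unlisted-drop-bucket"}},
 {"eventTime":"2024-12-18T10:00:03Z","eventSource":"s3.amazonaws.com","eventName":"PutObject",
  "userAgent":"aws-sdk-go-v2/1.30.0 os/macos lang/go#1.22 md/GOOS#darwin",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/laptop-sync"},
  "requestParameters":{"bucketName":"unlisted-drop-bucket"}},
 {"eventTime":"2024-12-18T10:05:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject",
  "userAgent":"aws-sdk-go-v2/1.30.0 os/linux lang/go#1.22 md/GOOS#linux",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:role/backup-svc"},
  "requestParameters":{"bucketName":"corp-backups"}},
 {"eventTime":"2024-12-18T10:06:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject",
  "userAgent":"aws-cli/2.15.0 Python/3.11 Linux",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/ci-runner"},
  "requestParameters":{"bucketName":"unlisted-drop-bucket"}},
 {"eventTime":"2024-12-18T10:07:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "userAgent":"aws-sdk-go-v2/1.30.0 os/macos lang/go#1.22 md/GOOS#darwin",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/laptop-sync"},
  "requestParameters":{"bucketName":"unlisted-drop-bucket"}}
]}`

// DetectSuspiciousUploads counts S3 PutObject calls from AWS SDK for Go v2
// clients into buckets that are not on knownBuckets, grouped by principal and
// bucket, and returns every group with at least threshold uploads.
func DetectSuspiciousUploads(raw []byte, knownBuckets map[string]bool, threshold int) ([]Finding, error) {
	var trail struct {
		Records []cloudTrailEvent `json:"Records"`
	}
	if err := json.Unmarshal(raw, &trail); err != nil {
		return nil, fmt.Errorf("parse CloudTrail JSON: %w", err)
	}
	type key struct{ principal, bucket string }
	counts := map[key]int{}
	agents := map[key]string{}
	var order []key // first-seen order keeps the output deterministic
	for _, ev := range trail.Records {
		if ev.EventSource != "s3.amazonaws.com" || ev.EventName != "PutObject" {
			continue // only writes to S3 matter for exfiltration
		}
		if !strings.HasPrefix(ev.UserAgent, "aws-sdk-go-v2/") {
			continue // not a Go v2 SDK client
		}
		if knownBuckets[ev.RequestParameters.BucketName] {
			continue // approved destination
		}
		k := key{ev.UserIdentity.ARN, ev.RequestParameters.BucketName}
		if _, seen := counts[k]; !seen {
			order = append(order, k)
			agents[k] = ev.UserAgent
		}
		counts[k]++
	}
	var findings []Finding
	for _, k := range order {
		if counts[k] >= threshold {
			findings = append(findings, Finding{k.principal, k.bucket, counts[k], agents[k]})
		}
	}
	return findings, nil
}

func main() {
	// Allowlist and threshold are assumptions for the demonstration.
	findings, err := DetectSuspiciousUploads([]byte(SampleLog), map[string]bool{"corp-backups": true}, 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("ALERT %s uploaded %d objects to %s via %q\n", f.Principal, f.Uploads, f.Bucket, f.UserAgent)
	}
}
```

The Go v2 User-Agent on its own is weak evidence, since a great deal of legitimate tooling is built on the same SDK; the allowlist and the per-principal volume are what make the rule actionable. Treat it as a tripwire rather than proof: an attacker can rewrite the User-Agent, so the durable signal is writes from a workstation identity into a bucket nobody approved.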
The above summary has been generated by an AI language model