Key points
- macOS.NotLockBit is a Go-based Mach-O x86_64 binary that runs only on Intel Macs or Apple silicon Macs under Rosetta.
- The malware performs system reconnaissance, encrypts files using an embedded public key (asymmetric encryption), and appends a .abcd extension while dropping a README.txt ransom note.
- Before or during encryption it attempts to exfiltrate data to AWS S3, using hardcoded credentials to create buckets in the attacker's account (now defunct).
- Samples show active development: the early test build lacked exfiltration and wallpaper features, while later builds added AWS exfiltration, wallpaper changes, and attempts at function-name obfuscation.
- No confirmed distribution method or victims have been reported; Trend Micro and SentinelOne discovered multiple related samples on VirusTotal.
- Apple TCC protections prompt consent dialogs during directory traversal and System Events control, but bypasses are expected to evolve in future versions.
- All known variants are detected and blocked by SentinelOne Singularity.
MITRE Techniques
- [T1486] Data Encrypted for Impact – The malware encrypts files using an embedded public key and a randomly generated master key, making victim files inaccessible. [‘Encrypts files on the victim’s machine, making them inaccessible.’]
- [T1041] Exfiltration Over Command and Control Channel – NotLockBit exfiltrates user data to a remote server by abusing AWS S3 with credentials embedded in the binary. [‘Exfiltrates data to a remote server using AWS S3.’]
- [T1027] Obfuscated Files or Information – Developers applied some obfuscation to function names in intermediate samples to hinder static analysis. [‘Attempts to obfuscate function names in some samples.’]
Indicators of Compromise
- [File Hashes] Mach-O x86_64 samples – 23f3b070aad47f72ddf2d148f455cce2266901fd, 2e8cadad5ab90651ae36fb09fb386ffd91bd0d41, and 3 more hashes
- [File Name] Ransom note – README.txt dropped into every folder containing encrypted files
- [File Extension] Encrypted files indicator – .abcd appended to encrypted files
- [File Path] System information collection – /System/Library/CoreServices/SystemVersion.plist (reads product name, version, build)
- [Cloud Storage] Data exfiltration channel – hardcoded AWS S3 credentials and attacker-created S3 buckets (now defunct)
- [Binary Architecture] Execution constraint – x86_64 Mach-O (runs on Intel Macs or Apple silicon with Rosetta)
- [Command/Tool] User interface manipulation – osascript / System Events.app used to set desktop wallpaper to a LockBit-styled banner
Researchers initially reported a single macOS sample capable of file locking and data theft that impersonated LockBit after encrypting user files; further investigation by SentinelOne revealed a small family of related Mach-O binaries that demonstrate the malware’s rapid evolution. The threat, now labeled macOS.NotLockBit, is written in Go and compiled as x86_64, so it executes only on Intel-based Macs or Apple silicon Macs running Rosetta. On launch the binary gathers system information by reading /System/Library/CoreServices/SystemVersion.plist and querying sysctl (hw.machine and kern.boottime) via Elastic’s Go sysinfo Host functions to collect product, version, architecture, and uptime details.
Static analysis exposes an embedded public key inside the executable, enabling asymmetric encryption: the binary generates a random master key, encrypts that master key with the embedded public key, and then uses the master key to encrypt files. Encrypted files receive a .abcd extension and the malware deposits a README.txt ransom note in each folder where files were encrypted. In versions after the initial sample, the malware tries to change the victim’s desktop wallpaper using osascript and System Events to display a LockBit 2.0-style banner, though LockBit itself has long moved to v3.0 and key actors have been arrested, making it likely this is an impersonation rather than activity by the real LockBit group.
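As an added triage example (not code from the original report or from SentinelOne), the following script walks a directory tree and reports folders that carry the two filesystem artifacts described above: files with the .abcd extension and a README.txt note alongside them. The sample tree it builds is constructed for the demo and does not come from any real incident.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".abcd"      # extension NotLockBit appends to encrypted files
RANSOM_NOTE = "README.txt"   # note dropped into every folder with encrypted files


def scan_for_notlockbit_artifacts(root):
    """Walk `root` and report directories that look affected.

    Returns {directory: {"encrypted": [names], "note": bool}}; only
    directories holding at least one .abcd file are reported, and the
    "note" flag records whether README.txt sits next to them.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        encrypted = sorted(f for f in filenames if f.endswith(ENCRYPTED_EXT))
        if not encrypted:
            continue
        hits[dirpath] = {"encrypted": encrypted, "note": RANSOM_NOTE in filenames}
    return hits


def summarize(hits):
    """Collapse scan results into counts for a one-line triage summary."""
    n_files = sum(len(v["encrypted"]) for v in hits.values())
    n_with_note = sum(1 for v in hits.values() if v["note"])
    return {"dirs": len(hits), "files": n_files, "dirs_with_note": n_with_note}


def build_sample_tree():
    """Constructed sample input: one affected folder, one folder with a stray
    README.txt but no encrypted files, and one clean folder."""
    root = tempfile.mkdtemp(prefix="notlockbit_demo_")
    hit = Path(root, "Documents")
    hit.mkdir()
    (hit / "budget.xlsx.abcd").write_bytes(b"\x00" * 16)
    (hit / "notes.txt.abcd").write_bytes(b"\x00" * 16)
    (hit / RANSOM_NOTE).write_text("constructed placeholder ransom note")
    note_only = Path(root, "Downloads")
    note_only.mkdir()
    (note_only / RANSOM_NOTE).write_text("stray note, no encrypted files here")
    clean = Path(root, "Pictures")
    clean.mkdir()
    (clean / "cat.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    result = scan_for_notlockbit_artifacts(build_sample_tree())
    for d, info in result.items():
        print(f"{d}: {len(info['encrypted'])} encrypted file(s), note={info['note']}")
    print(summarize(result))
```

Only the Documents folder is reported: a README.txt on its own is not treated as a hit, which keeps the check from firing on the many legitimate README.txt files a user may have.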
The actor also built in a data-exfiltration step that abuses Amazon S3. Several samples include hardcoded AWS credentials which the malware uses to create buckets on the attacker’s S3 account and upload victim files to those buckets; Trend Micro notes those attacker accounts are now defunct. Earlier samples lacked the AWS-related strings and wallpaper functionality, suggesting NotLockBit was developed iteratively and tested at each stage. SentinelOne located five Mach-O samples on VirusTotal that illustrate this progression: an early 3MB test build (Sample_1) first seen on 3 January, two 8.8MB functional builds (Sample_2a and Sample_2b) uploaded 15 January, and two stripped 9.3MB builds (Sample_3a and Sample_3b) that appeared 24 May. Sample_1 appears focused on file-encryption mechanics and lacked exfiltration and wallpaper code; Sample_2b shows attempts to obfuscate function names; Sample_3 builds are stripped of symbols, require macOS Sonoma (built against macOS 14.4 SDK), and still contain AWS and wallpaper artifacts that can aid detection.
Across all observed variants the binaries are unsigned and x86_64-only. Apple’s TCC protections raise user consent prompts when the malware attempts to traverse protected directories or control System Events; these prompts currently limit but do not prevent the malware’s actions, and because TCC bypass methods are publicly known, researchers expect future samples to attempt them. Trend Micro did not identify a distribution vector, and there are no confirmed victims in the wild; SentinelOne additionally reports that its Singularity platform blocks all known macOS.NotLockBit samples using a multi-engine approach combining static and dynamic AI to stop threats both pre-execution and at runtime.
Although macOS ransomware remains relatively rare and less developed than Windows counterparts, NotLockBit demonstrates that adversaries are adapting double-extortion tactics—combining file encryption with data theft—to Apple desktops. The presence of multiple, evolving samples and the inclusion of exfiltration, obfuscation attempts, and cosmetic impersonation indicate an active development effort; with attacker S3 accounts already taken down, there are no known live campaigns yet, but the volume of work invested in these samples suggests further activity from this actor in the near term.
Files observed in the sample set include SHA1 values 23f3b070aad47f72ddf2d148f455cce2266901fd, 2e8cadad5ab90651ae36fb09fb386ffd91bd0d41, 367362b4ab6384833752b6936c296f3746859b82, 6c19a41d033ccc39bd42bc2f2e830e1f5808ca15, and c9611cba90349e78b6051c299dc8d012048a91a4; these correspond to the five Mach-O x86_64 samples used in the analysis. SentinelOne continues to monitor for new samples and development activity, and customers are protected by detection signatures and runtime defenses that stop the known variants.