Introduction
Interlock ransomware [1] [3] [4] [5], which surfaced in late September 2024, is known for its sophisticated attacks targeting various sectors, including healthcare [1] [4], technology [1] [4], government [1] [3] [4] [5], and manufacturing [1] [4] [5]. It employs advanced techniques [4] such as big-game hunting and double extortion, making it a significant threat in the cybersecurity landscape.
Description
Interlock ransomware first emerged in late September 2024 [4] [6], engaging in big-game hunting and double extortion attacks across various sectors [1] [3] [4], including healthcare [1] [4], technology [1] [4], government in the US [1] [4], and manufacturing in Europe [1] [4]. One of the initial claimed attacks occurred on September 30, 2024, when Texas Tech University Health Sciences Center was targeted [2] [6], leading to the cancellation of classes across multiple locations [2], including Amarillo [2], the Permian Basin [2], Abilene [2], Dallas [2], and El Paso [2]. This group is recognized for its sophisticated attacks on both Windows and FreeBSD operating systems [6], having developed specific encryptors for these platforms, which is relatively uncommon among ransomware groups [6]. Notable victims of Interlock include Wayne County in Michigan and the Italian manufacturer Smeg Group.
Interlock employs an opportunistic approach, utilizing a sophisticated delivery chain that includes a Remote Access Trojan (RAT) disguised as a browser updater [3], PowerShell scripts [1] [3] [4], credential stealers [3], and keyloggers [3]. The group operates a data leak site called “Worldwide Secrets Blog,” where they disclose victims’ data and provide chat support [1], reflecting a systematic strategy to exploit cybersecurity vulnerabilities [5]. They claim to exploit unaddressed vulnerabilities in organizations’ infrastructure [1] [3] [4], framing their actions as a means to hold companies accountable for inadequate cybersecurity measures while also pursuing financial gain.
The ransomware is deployed as “conhost.exe” and encrypts files with the “.Interlock” extension [1], dropping a ransom note titled “!README!.txt” in each affected folder [1]. This note warns victims against recovery attempts and demands a response within 96 hours [1], threatening to release data and notify media outlets if the deadline is not met. Victims can also contact the operator via an onion site using a unique company ID [1].
In a recent attack [4], the attacker maintained a presence in the victim’s environment for approximately 17 days [4], from initial compromise to the execution of the Interlock ransomware [4]. Initial access was gained through a fake Google Chrome browser updater executable, “upd_2327991.exe,” which the victim downloaded from a compromised legitimate news website [4]. This fake browser updater functions as a RAT that executes an embedded PowerShell script upon download [4]. The script downloads a legitimate Chrome setup executable, “ChromeSetup.exe,” and establishes persistence by creating a Windows shortcut in the StartUp folder named “fahhs.lnk.”
The RAT collects system information using the command “cmd.exe /c systeminfo,” encrypts the data in memory, and establishes a secure connection to a command and control (C2) server hidden behind a Cloudflare domain [4]. Interlock evades detection by disabling Endpoint Detection and Response (EDR) and clearing event logs [5]. Lateral movement within networks is primarily conducted through Remote Desktop Protocol (RDP) and other remote access tools [5]. Interlock ransomware has both Windows and Linux variants [1], utilizing a 64-bit executable format [1]. The Windows variant employs Cipher Block Chaining (CBC) encryption [1], while the Linux variant may use either CBC or RSA encryption [1], specifically targeting VMware ESXi servers and virtual machines [2]. The group avoids encrypting critical system folders and specific file extensions to prevent system instability [5]. Interlock establishes persistence through a scheduled task and can delete its binary post-encryption to obscure evidence [1].
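The three preceding paragraphs list concrete host-level artifacts of the intrusion chain: a fake updater in a user's Downloads folder spawning "cmd.exe /c systeminfo", a .lnk dropped in the StartUp folder, a binary named "conhost.exe" running from a non-system path, files renamed with the ".Interlock" extension, "!README!.txt" ransom notes, and event logs being cleared. The following is an added example, not code from the cited reports or from Interlock itself, that replays constructed endpoint telemetry through simple rules built from those indicators. The event schema is an assumption (a flattened dict loosely modelled on Sysmon event ID 1 for process creation, ID 11 for file creation, and Windows Security event 1102 for "audit log cleared"); the hostnames, usernames and paths in the sample events are made up. Rules keyed on filenames and extensions are the easiest for an operator to change, so the behavioural rules (a .lnk appearing in StartUp, conhost.exe outside the system directories, log clearing) are the ones worth keeping in a real detection set.

```python
import ntpath
import re

# Constructed sample telemetry (not real logs). Field names are an
# assumption: "id" is the event ID, "image" the acting process, "parent"
# its parent process, "cmdline" the command line, "target" a created file.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\alice\Downloads\upd_2327991.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "upd_2327991.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\Downloads\upd_2327991.exe",
     "cmdline": "cmd.exe /c systeminfo"},
    {"id": 11, "image": r"C:\Users\alice\Downloads\upd_2327991.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup\fahhs.lnk"},
    # Legitimate console host: lives in System32, must not alert.
    {"id": 1, "image": r"C:\Windows\System32\conhost.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    # Ransomware masquerading as conhost.exe from a writable directory.
    {"id": 1, "image": r"C:\ProgramData\conhost.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "conhost.exe"},
    {"id": 11, "image": r"C:\ProgramData\conhost.exe",
     "target": r"D:\shares\finance\budget.xlsx.Interlock"},
    {"id": 11, "image": r"C:\ProgramData\conhost.exe",
     "target": r"D:\shares\finance\!README!.txt"},
    {"id": 1102, "image": "", "parent": "", "cmdline": ""},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
STARTUP_MARK = "\\start menu\\programs\\startup\\"
DOWNLOADS_RE = re.compile(r"\\users\\[^\\]+\\downloads\\", re.IGNORECASE)


def rule_masquerading_conhost(ev):
    """conhost.exe started from anywhere other than the system directories."""
    if ev["id"] != 1:
        return False
    image = ev.get("image", "").lower()
    return (ntpath.basename(image) == "conhost.exe"
            and ntpath.dirname(image) not in SYSTEM_DIRS)


def rule_recon_from_download(ev):
    """systeminfo launched by a binary sitting in a user's Downloads folder."""
    return (ev["id"] == 1
            and "systeminfo" in ev.get("cmdline", "").lower()
            and bool(DOWNLOADS_RE.search(ev.get("parent", ""))))


def rule_startup_lnk(ev):
    """A shortcut written into a per-user StartUp folder (persistence)."""
    target = ev.get("target", "").lower()
    return ev["id"] == 11 and target.endswith(".lnk") and STARTUP_MARK in target


def rule_interlock_extension(ev):
    """A file created with the .Interlock extension (encryption in progress)."""
    return ev["id"] == 11 and ev.get("target", "").lower().endswith(".interlock")


def rule_ransom_note(ev):
    """The !README!.txt ransom note being written."""
    target = ev.get("target", "")
    return ev["id"] == 11 and ntpath.basename(target).lower() == "!readme!.txt"


def rule_log_cleared(ev):
    """Security event 1102: the audit log was cleared."""
    return ev["id"] == 1102


RULES = [
    ("conhost.exe outside system directories", rule_masquerading_conhost),
    ("systeminfo spawned from Downloads", rule_recon_from_download),
    ("shortcut dropped in StartUp folder", rule_startup_lnk),
    (".Interlock extension written", rule_interlock_extension),
    ("!README!.txt ransom note written", rule_ransom_note),
    ("security log cleared", rule_log_cleared),
]


def detect(events):
    """Return (rule name, event index) for every rule that matches an event."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Running the block prints one line per matching event; the legitimate conhost.exe launch from System32 produces no alert, while the copy running from ProgramData does. In a SIEM these rules would be joined on hostname and time window so that the sequence (Downloads-spawned recon, StartUp persistence, conhost.exe masquerade, mass .Interlock renames, log clearing) is scored as one incident rather than six isolated alerts.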
There are notable overlaps in tactics [1], techniques [1] [5], and procedures (TTPs) between Interlock and Rhysida ransomware [1], suggesting a possible connection [1]. Similarities include exclusion lists [1], the use of the “conhost.exe” filename [1], and shared tools like PowerShell scripts and Azure Storage Explorer for data exfiltration. Both groups present ransom notes that frame their actions as helpful [1], contrasting with more aggressive tactics employed by other ransomware groups [1], reflecting a trend of operational collaboration among ransomware actors in the cyber threat landscape [5].
Conclusion
The emergence of Interlock ransomware underscores the evolving threat landscape, where attackers leverage sophisticated techniques to exploit vulnerabilities across various sectors. Organizations must prioritize robust cybersecurity measures, including regular vulnerability assessments and employee training, to mitigate such threats. As ransomware tactics continue to evolve, collaboration between cybersecurity professionals and law enforcement agencies will be crucial in combating these threats and safeguarding critical infrastructure.
References
[1] https://blog.talosintelligence.com/emerging-interlock-ransomware/
[2] https://heimdalsecurity.com/blog/interlock-ransomware-freebsd-servers/
[3] https://blog.netmanageit.com/unwrapping-the-emerging-interlock-ransomware-attack/
[4] https://news.backbox.org/2024/11/07/unwrapping-the-emerging-interlock-ransomware-attack/
[5] https://www.infosecurity-magazine.com/news/interlock-ransomware-us-healthcare/
[6] https://www.halcyon.ai/blog/halcyon-threat-insights-010-november-2024-ransomware-report