The Interlock ransomware, first identified in September 2024, has emerged as a significant cybersecurity threat, prompting a joint alert from US agencies including CISA, FBI, HHS, and MS-ISAC. This sophisticated ransomware targets both Windows and Linux systems, with a particular focus on encrypting virtual machines. Its operations have primarily impacted critical infrastructure, businesses, and various other organizations across North America and Europe, raising serious concerns about data integrity and operational continuity. The initial compromise typically occurs through insidious drive-by download attacks, making it a pervasive and challenging threat to mitigate.
The operators behind Interlock ransomware have demonstrated a flexible and evolving approach to initial access. Initially, they compromised legitimate websites and leveraged the “ClickFix” social engineering technique, luring victims into executing malicious code. More recently, they have shifted to “FileFix” attacks, indicating an adaptive strategy to bypass conventional security measures. Prior to these methods, the group was observed using deceptive tactics such as fake Google Chrome or Microsoft Edge browser updates to deploy their malicious code. These varied initial access vectors highlight the need for robust user education and advanced endpoint protection to prevent successful intrusions.
Once initial access is gained, Interlock’s operators focus on establishing persistence and escalating privileges within the victim’s network. They have been seen deploying Remote Access Trojans (RATs) to drop files into the Windows Startup folder and modifying Windows Registry keys to maintain a foothold. Following this, the attackers execute PowerShell commands to deploy credential stealers and keyloggers, including known information stealers like Lumma Stealer and Berserk Stealer, to harvest sensitive authentication data. This multi-stage approach allows them to gain comprehensive control over compromised systems and access valuable network resources.
For lateral movement, the group employs a combination of compromised credentials and Remote Desktop Protocol (RDP), alongside widely available remote access software such as AnyDesk and PuTTY, to move through the victim’s network. A critical step in the attack chain is the compromise of domain administrator accounts, which grants elevated privileges and broad access. The hackers have also been observed accessing victims’ Microsoft Azure Storage accounts and exfiltrating data to Azure storage blobs with file transfer tools such as WinSCP before proceeding to the final encryption phase.
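The persistence and lateral-movement behaviours described in the two paragraphs above (Startup folder drops, Run-key modification, PowerShell launched from a user-writable path, and execution of remote access or file transfer tools) each leave a distinct trace in endpoint telemetry. The script below is an added example, not part of the advisory or of this article, showing how a defender might correlate those traces per host. The event records are constructed to resemble Sysmon-style fields (event IDs 1, 11 and 13); hostnames, users, SIDs and paths are invented, and no real indicators from the advisory are used.

```python
import re
from collections import defaultdict

# Constructed sample telemetry modelled on Sysmon-style events:
#   1 = ProcessCreate, 11 = FileCreate, 13 = RegistryEvent (value set).
# Every host, user, SID, path and command line here is invented for the example.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "event_id": 1,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "updater.exe"},
    {"host": "WS-0142", "event_id": 11,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "target": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"host": "WS-0142", "event_id": 13,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "target": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"host": "WS-0142", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"host": "WS-0142", "event_id": 1,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\winscp.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "winscp.exe"},
    # A benign-looking installer writing a Run key on its own: one signal, below threshold.
    {"host": "WS-0077", "event_id": 13,
     "image": r"C:\Program Files\Vendor\installer.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
]

# Paths the article calls out: the per-user Startup folder and the Run key under
# either HKLM or a user hive. Matching is case-insensitive because Windows paths are.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)

# Legitimate tools named in the article as used for lateral movement and exfiltration.
REMOTE_TOOLS = {"anydesk.exe", "putty.exe", "winscp.exe"}


def basename(path):
    """Return the lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one event to a signal name, or None if it matches no rule."""
    eid = event["event_id"]
    target = event.get("target", "")
    if eid == 11 and STARTUP_RE.search(target):
        return "startup_folder_write"
    if eid == 13 and RUN_KEY_RE.search(target):
        return "run_key_set"
    if eid == 1:
        name = basename(event["image"])
        cmd = event.get("cmdline", "").lower()
        # Hidden-window or encoded PowerShell is the stage at which the article says
        # credential stealers and keyloggers are deployed.
        if name == "powershell.exe" and ("-enc" in cmd or "-w hidden" in cmd
                                         or "-windowstyle hidden" in cmd):
            return "encoded_powershell"
        if name in REMOTE_TOOLS:
            return "remote_tool_exec"
    return None


def correlate(events):
    """Group distinct signals by host; hosts with no signal are omitted."""
    signals = defaultdict(set)
    for ev in events:
        sig = classify(ev)
        if sig:
            signals[ev["host"]].add(sig)
    return {host: sorted(sigs) for host, sigs in signals.items()}


def flag_hosts(events, threshold=2):
    """Hosts showing at least `threshold` distinct signals, i.e. a chain rather than
    a single possibly-benign event such as an installer registering a Run key."""
    return sorted(h for h, sigs in correlate(events).items() if len(sigs) >= threshold)


if __name__ == "__main__":
    for host, sigs in correlate(SAMPLE_EVENTS).items():
        print(host, sigs)
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

The threshold is the design point: any one of these signals fires constantly on a normal fleet (software installers set Run keys, administrators run PuTTY), so the value comes from requiring several of them on the same host within the same window, which is how the multi-stage chain the article describes separates itself from routine activity. In a real deployment the rules would read from the SIEM rather than an inline list, and the per-host grouping would be bounded in time.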
Interlock actors use a “double extortion” model, a tactic increasingly common among ransomware groups: they encrypt the victim’s systems and also exfiltrate sensitive data, threatening to leak it if the ransom is not paid. The ransom notes themselves are minimalistic, omitting payment details and instead instructing victims to contact the attackers via a Tor-based website. Upon contact, the hackers demand payment in Bitcoin, using the threat of data leakage to pressure victims into compliance. While the group currently focuses on encrypting virtual machines, the joint advisory warns that Interlock’s operations could expand to hosts, workstations, and physical servers in the future, underscoring the dynamic nature of this threat. Since its emergence, Interlock has claimed responsibility for at least three high-profile intrusions, affecting organizations such as Texas Tech University, National Presto Industries, and Kettering Health, demonstrating its capacity for significant impact.
Reference: