#StopRansomware: Interlock

Interlock ransomware, first observed in September 2024, targets businesses and critical infrastructure across North America and Europe using a double extortion model that encrypts victim data and threatens to leak exfiltrated information. The actors rely on uncommon initial-access methods such as drive-by downloads and the ClickFix social engineering technique, and deploy a range of malware, including RATs for persistence and credential stealers to enable lateral movement. #Interlock #ClickFix #AzureStorageExplorer

Key Points

  • Interlock ransomware has targeted diverse sectors in North America and Europe since September 2024, focusing on virtual machines and using a financially motivated double extortion model.
  • Initial access is often gained through drive-by downloads from compromised legitimate websites and via the ClickFix social engineering technique involving fake CAPTCHAs.
  • Actors establish persistence by dropping RATs that execute on system startup and by modifying Windows registry keys disguised as legitimate processes.
  • Reconnaissance is performed using PowerShell scripts to gather extensive system and network information.
  • Credential stealers (e.g., cht.exe) and keyloggers (e.g., klg.dll) are deployed to harvest user credentials, enabling lateral movement via RDP, AnyDesk, and PuTTY.
  • Data exfiltration is performed using tools like Azure Storage Explorer, AzCopy, and WinSCP before encrypting files using AES and RSA encryption methods.
  • Mitigations include DNS filtering, robust endpoint detection and response (EDR), network segmentation, multi-factor authentication (MFA), timely patching, and offline encrypted backups.

MITRE Techniques

  • [T1189] Drive-By Compromise – Used by Interlock actors to gain initial access by compromising legitimate websites and disguising payloads as fake browser or security software updates (“Interlock actors obtain initial access by compromising a legitimate website…”).
  • [T1204.004] User Execution: Malicious Copy and Paste – Employed in the ClickFix technique to trick users into executing a malicious Base64-encoded PowerShell process (“users are tricked into clicking a fake CAPTCHA…”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Used for executing scripts to drop files into startup folders, modify registry keys, and perform reconnaissance commands (“PowerShell scripts execute commands to facilitate reconnaissance”).
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence is established by adding a file to a Windows Startup folder and creating a registry run key value disguised as Chrome Updater (“Interlock actors establish persistence by adding a file into a Windows StartUp folder…”).
  • [T1657] Financial Theft – Double extortion model where actors encrypt and threaten to publish victim data unless ransom is paid (“Interlock actors use a double-extortion model…”).
  • [TA0006] Credential Access – Deployment of credential stealers and keyloggers to harvest user credentials (“Interlock actors download credential stealer cht.exe and keylogger…”).
  • [T1021.001] Remote Services: Remote Desktop Protocol – Used for lateral movement between systems with compromised credentials (“Interlock actors use RDP and valid credentials to move laterally…”).
  • [T1567.002] Exfiltration Over Web Service – Data exfiltration via Azure Storage blobs using AzCopy (“Interlock actors exfiltrate data by uploading it to the Azure storage blob”).
  • [TA0011] Command and Control – Actors use Cobalt Strike, SystemBC, and RAT tools for remote control and execution (“Interlock actors use applications Cobalt Strike and SystemBC for C2”).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Malicious files and registry key values are given names of legitimate resources (e.g., “Chrome Updater”, conhost.exe, conhost.txt) (“Interlock actors disguise a malicious run key value by naming it ‘Chrome Updater’”).
  • [T1070.004] Indicator Removal: File Deletion – Use of remove() function to delete encryption binaries for defense evasion (“DLL binary tmp41.wasd uses the remove() function to delete their encryption binary”).

Indicators of Compromise

  • [File Hashes] Malicious and tool-related files – Examples include fba4883bf4f73aa48a957d894051d78e0085ecc3170b1ff50e61ccec6aeee2cd (1.ps1), 1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069 (AnyDesk.exe), FAFCD5404A992850FFCFFEE46221F9B2FF716006AECB637B80E5CD5AA112D79C (cht), and A4F0B68052E8DA9A80B70407A92400C6A5DEF19717E0240AC608612476E1137E (klg.dll).
  • [File Names] Ransom note and executable indicators – !__README__!.txt (ransom note), conhost.exe (encryption binary), tmp41.wasd (malicious DLL), cht.exe (credential stealer), klg.dll (keylogger), and StorageExplorer.exe (tool for cloud storage access).
Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a