Dark Web Profile: Interlock Ransomware

Dark Web Profile: Interlock Ransomware

Interlock is a fast-evolving ransomware group active since late 2024 that uses advanced social engineering (ClickFix and FileFix) to trick users into running malicious PowerShell commands, conducts data theft before encryption, and publishes stolen data on its dark web site. The group targets high-value sectors (notably U.S. critical infrastructure and healthcare), uses RATs and tools like Cobalt Strike and SystemBC, and encrypts files with extensions such as .interlock. #Interlock #ClickFix

Keypoints

  • Interlock first appeared around September 2024 and targets Windows, Linux, and FreeBSD systems, appending extensions like .interlock or .1nt3rlock to encrypted files.
  • The group employs novel social engineering techniques — ClickFix (Windows Run dialog) and FileFix (File Explorer) — to get victims to paste and execute malicious PowerShell commands.
  • Initial access is frequently achieved via drive-by downloads from compromised legitimate websites and fake software/security updates.
  • Post-compromise tooling includes Interlock RAT, NodeSnake RAT, Cobalt Strike, SystemBC, AnyDesk, and credential stealers such as Lumma Stealer and Berserk Stealer for persistence and C2.
  • Attackers steal credentials and data (keyloggers writing to conhost.txt, browser credential theft), move laterally via RDP/AnyDesk/PuTTY and Kerberoasting, then exfiltrate to cloud storage (Azure blobs) using Azure Storage Explorer and AzCopy.
  • Ransom activity uses double extortion: encryption via AES/RSA, deletion of analysis artifacts (tmp41.wasd / removeme), ransom note !__README__!.txt, and publication of stolen data on the “Worldwide Secrets Blog.”

MITRE Techniques

  • [T1189 ] Drive-By Compromise – Initial access through drive-by downloads from compromised legitimate websites (‘Interlock actors gain access through drive-by downloads from compromised, legitimate websites.’).
  • [T1204.004 ] User Execution: Malicious Copy and Paste – Social engineering prompting victims to copy/paste content into Run/File Explorer to execute PowerShell (‘victims are shown a fake CAPTCHA and told to copy and paste content into the Windows Run window’).
  • [T1059.001 ] Command and Scripting Interpreter: PowerShell – Execution of malicious PowerShell scripts for payload deployment, reconnaissance, and persistence (‘this action secretly runs a malicious PowerShell script, starting the infection’).
  • [T1547.001 ] Registry Run Keys / Startup Folder – Persistence via dropped files in Startup folder and Registry run keys like “Chrome Updater” (‘drops a file into the Windows Startup folder… modify the Windows Registry to add a run key named “Chrome Updater”’).
  • [T1078.002 ] Valid Accounts: Domain Accounts – Use of stolen domain accounts for privilege escalation and lateral movement (‘may also target domain administrator accounts… to increase their access rights across the network’).
  • [T1036.005 ] Masquerading – Use of fake or disguised executables (fake Chrome executable, conhost.exe) to hide malicious components (‘deploys a fake Chrome executable that acts as a remote access trojan’).
  • [T1218.011 ] Rundll32 Proxy Execution – Use of legitimate system utilities for proxy execution and defense evasion (article lists rundll32 proxy execution as a used technique).
  • [T1070.004 ] File Deletion – Deleting ransomware binaries post-encryption to hinder analysis (tmp41.wasd and removeme execution to delete the ransomware binary: ‘tmp41.wasd is executed to delete the ransomware binary’).
  • [T1003 ] Credential Dumping – Tools and actions to collect credentials from systems for lateral movement (‘download tools like a credential stealer (cht.exe) … gather usernames, passwords’).
  • [T1555.003 ] Credentials from Web Browsers – Theft of browser-stored credentials using info stealers and browser data collection (‘These tools gather usernames, passwords, and browser data’).
  • [T1056 ] Input Capture – Use of keyloggers and input-capture tools to record user input and credentials (‘a keylogger (klg.dll)… saves keystrokes into a file named conhost.txt’).
  • [T1056.001 ] Keylogging – Specific deployment of keylogger components to capture keystrokes (‘the keylogger saves keystrokes into a file named conhost.txt’).
  • [T1558.003 ] Kerberoasting – Possible use of Kerberoasting to target domain admin credentials (‘They may also target domain administrator accounts, possibly using Kerberoasting attacks’).
  • [T1033 ] System Owner/User Discovery – Enumerating current user and system owner as part of reconnaissance (‘checking the current user, listing services and tasks, viewing system info’).
  • [T1082 ] System Information Discovery – Gathering system information via scripts and PowerShell commands (‘viewing system info’).
  • [T1007 ] System Service Discovery – Listing system services to map running components (‘listing services and tasks’).
  • [T1016 ] Network Configuration Discovery – Network reconnaissance using commands like arp -a to identify other hosts (‘They also run arp -a to identify other machines on the network’).
  • [T1078 ] Valid Accounts – Use of valid credentials acquired from stealers for lateral movement and persistence (‘With stolen credentials, Interlock moves laterally using Remote Desktop Protocol (RDP), AnyDesk, or PuTTY’).
  • [T1021.001 ] Remote Desktop Protocol (RDP) – Lateral movement using RDP sessions to access other machines (‘moves laterally using Remote Desktop Protocol (RDP)’).
  • [T1530 ] Data from Cloud Storage – Collection of data from cloud storage using tools like Azure Storage Explorer (‘use Azure Storage Explorer to access cloud storage’).
  • [T1105 ] Ingress Tool Transfer – Downloading and staging tools and payloads on compromised hosts (‘Interlock deploys a fake Chrome executable… executes a PowerShell script that drops a file into the Windows Startup folder’).
  • [T1219 ] Remote Access Tools – Use of remote support and RAT tools (AnyDesk, PuTTY, Interlock RAT, NodeSnake RAT) for remote control (‘For remote control and communication, Interlock uses tools like Cobalt Strike, SystemBC, and its own remote access trojans’).
  • [T1567.002 ] Exfiltration to Cloud Storage – Exfiltration of stolen files to attacker-controlled cloud blob storage using AzCopy/Azure blobs (‘use AzCopy to move stolen files to attacker-controlled Azure blobs’).
  • [T1048 ] Exfiltration Over Alternative Protocol – Use of alternative exfiltration methods and tools such as WinSCP and other file transfer tools (‘they also use WinSCP and other file transfer tools to exfiltrate data’).
  • [T1486 ] Data Encrypted for Impact – Encryption of victim data using AES and RSA and renaming files to signal impact (‘.interlock or .1nt3rlock’ appended to filenames). (‘This file encrypts both Windows and Linux systems using AES and RSA encryption.’).
  • [T1657 ] Financial Theft (Double-Extortion) – Double-extortion model: steal data first, threaten or publish stolen files on the “Worldwide Secrets Blog” to coerce payment (‘The group uses a double extortion model: it steals data before encrypting it, then threatens to leak it on its dark web site, “Worldwide Secrets Blog.”’).

Indicators of Compromise

  • [File hash ] Malware and tool hashes observed in samples and dropper files – 1.ps1fba4883bf4f73aa48a957d894051d78e0085ecc3170b1ff50e61ccec6aeee2cd, advanced_port_scanner.exe4b036cc9930bb42454172f888b8fde1087797fc0c9d31ab546748bd2496bd3e5, and 17 more hashes from the CISA list.
  • [File name ] Notable malicious filenames, payloads, and notes seen on compromised hosts – conhost.exe (encryption payload disguise), !__README__!.txt (ransom note), and files such as tmp41.wasd / removeme used to delete binaries.
  • [Leak site / Dark web ] Public leak and negotiation infrastructure – “Worldwide Secrets Blog” (ransom blog) and a Tor .onion address used for victim contact.


Read more: https://socradar.io/dark-web-profile-interlock-ransomware/