Interlock is a fast-evolving ransomware group active since late 2024 that uses advanced social engineering (ClickFix and FileFix) to trick users into running malicious PowerShell commands, conducts data theft before encryption, and publishes stolen data on its dark web site. The group targets high-value sectors (notably U.S. critical infrastructure and healthcare), uses RATs and tools like Cobalt Strike and SystemBC, and encrypts files with extensions such as .interlock. #Interlock #ClickFix
Keypoints
- Interlock first appeared around September 2024 and targets Windows, Linux, and FreeBSD systems, appending extensions like .interlock or .1nt3rlock to encrypted files.
- The group employs novel social engineering techniques â ClickFix (Windows Run dialog) and FileFix (File Explorer) â to get victims to paste and execute malicious PowerShell commands.
- Initial access is frequently achieved via drive-by downloads from compromised legitimate websites and fake software/security updates.
- Post-compromise tooling includes Interlock RAT, NodeSnake RAT, Cobalt Strike, SystemBC, AnyDesk, and credential stealers such as Lumma Stealer and Berserk Stealer for persistence and C2.
- Attackers steal credentials and data (keyloggers writing to conhost.txt, browser credential theft), move laterally via RDP/AnyDesk/PuTTY and Kerberoasting, then exfiltrate to cloud storage (Azure blobs) using Azure Storage Explorer and AzCopy.
- Ransom activity uses double extortion: encryption via AES/RSA, deletion of analysis artifacts (tmp41.wasd / removeme), ransom note !__README__!.txt, and publication of stolen data on the âWorldwide Secrets Blog.â
MITRE Techniques
- [T1189 ] Drive-By Compromise â Initial access through drive-by downloads from compromised legitimate websites (âInterlock actors gain access through drive-by downloads from compromised, legitimate websites.â).
- [T1204.004 ] User Execution: Malicious Copy and Paste â Social engineering prompting victims to copy/paste content into Run/File Explorer to execute PowerShell (âvictims are shown a fake CAPTCHA and told to copy and paste content into the Windows Run windowâ).
- [T1059.001 ] Command and Scripting Interpreter: PowerShell â Execution of malicious PowerShell scripts for payload deployment, reconnaissance, and persistence (âthis action secretly runs a malicious PowerShell script, starting the infectionâ).
- [T1547.001 ] Registry Run Keys / Startup Folder â Persistence via dropped files in Startup folder and Registry run keys like âChrome Updaterâ (âdrops a file into the Windows Startup folder⌠modify the Windows Registry to add a run key named âChrome Updaterââ).
- [T1078.002 ] Valid Accounts: Domain Accounts â Use of stolen domain accounts for privilege escalation and lateral movement (âmay also target domain administrator accounts⌠to increase their access rights across the networkâ).
- [T1036.005 ] Masquerading â Use of fake or disguised executables (fake Chrome executable, conhost.exe) to hide malicious components (âdeploys a fake Chrome executable that acts as a remote access trojanâ).
- [T1218.011 ] Rundll32 Proxy Execution â Use of legitimate system utilities for proxy execution and defense evasion (article lists rundll32 proxy execution as a used technique).
- [T1070.004 ] File Deletion â Deleting ransomware binaries post-encryption to hinder analysis (tmp41.wasd and removeme execution to delete the ransomware binary: âtmp41.wasd is executed to delete the ransomware binaryâ).
- [T1003 ] Credential Dumping â Tools and actions to collect credentials from systems for lateral movement (âdownload tools like a credential stealer (cht.exe) ⌠gather usernames, passwordsâ).
- [T1555.003 ] Credentials from Web Browsers â Theft of browser-stored credentials using info stealers and browser data collection (âThese tools gather usernames, passwords, and browser dataâ).
- [T1056 ] Input Capture â Use of keyloggers and input-capture tools to record user input and credentials (âa keylogger (klg.dll)⌠saves keystrokes into a file named conhost.txtâ).
- [T1056.001 ] Keylogging â Specific deployment of keylogger components to capture keystrokes (âthe keylogger saves keystrokes into a file named conhost.txtâ).
- [T1558.003 ] Kerberoasting â Possible use of Kerberoasting to target domain admin credentials (âThey may also target domain administrator accounts, possibly using Kerberoasting attacksâ).
- [T1033 ] System Owner/User Discovery â Enumerating current user and system owner as part of reconnaissance (âchecking the current user, listing services and tasks, viewing system infoâ).
- [T1082 ] System Information Discovery â Gathering system information via scripts and PowerShell commands (âviewing system infoâ).
- [T1007 ] System Service Discovery â Listing system services to map running components (âlisting services and tasksâ).
- [T1016 ] Network Configuration Discovery â Network reconnaissance using commands like arp -a to identify other hosts (âThey also run arp -a to identify other machines on the networkâ).
- [T1078 ] Valid Accounts â Use of valid credentials acquired from stealers for lateral movement and persistence (âWith stolen credentials, Interlock moves laterally using Remote Desktop Protocol (RDP), AnyDesk, or PuTTYâ).
- [T1021.001 ] Remote Desktop Protocol (RDP) â Lateral movement using RDP sessions to access other machines (âmoves laterally using Remote Desktop Protocol (RDP)â).
- [T1530 ] Data from Cloud Storage â Collection of data from cloud storage using tools like Azure Storage Explorer (âuse Azure Storage Explorer to access cloud storageâ).
- [T1105 ] Ingress Tool Transfer â Downloading and staging tools and payloads on compromised hosts (âInterlock deploys a fake Chrome executable⌠executes a PowerShell script that drops a file into the Windows Startup folderâ).
- [T1219 ] Remote Access Tools â Use of remote support and RAT tools (AnyDesk, PuTTY, Interlock RAT, NodeSnake RAT) for remote control (âFor remote control and communication, Interlock uses tools like Cobalt Strike, SystemBC, and its own remote access trojansâ).
- [T1567.002 ] Exfiltration to Cloud Storage â Exfiltration of stolen files to attacker-controlled cloud blob storage using AzCopy/Azure blobs (âuse AzCopy to move stolen files to attacker-controlled Azure blobsâ).
- [T1048 ] Exfiltration Over Alternative Protocol â Use of alternative exfiltration methods and tools such as WinSCP and other file transfer tools (âthey also use WinSCP and other file transfer tools to exfiltrate dataâ).
- [T1486 ] Data Encrypted for Impact â Encryption of victim data using AES and RSA and renaming files to signal impact (â.interlock or .1nt3rlockâ appended to filenames). (âThis file encrypts both Windows and Linux systems using AES and RSA encryption.â).
- [T1657 ] Financial Theft (Double-Extortion) â Double-extortion model: steal data first, threaten or publish stolen files on the âWorldwide Secrets Blogâ to coerce payment (âThe group uses a double extortion model: it steals data before encrypting it, then threatens to leak it on its dark web site, âWorldwide Secrets Blog.ââ).
Indicators of Compromise
- [File hash ] Malware and tool hashes observed in samples and dropper files â 1.ps1fba4883bf4f73aa48a957d894051d78e0085ecc3170b1ff50e61ccec6aeee2cd, advanced_port_scanner.exe4b036cc9930bb42454172f888b8fde1087797fc0c9d31ab546748bd2496bd3e5, and 17 more hashes from the CISA list.
- [File name ] Notable malicious filenames, payloads, and notes seen on compromised hosts â conhost.exe (encryption payload disguise), !__README__!.txt (ransom note), and files such as tmp41.wasd / removeme used to delete binaries.
- [Leak site / Dark web ] Public leak and negotiation infrastructure â âWorldwide Secrets Blogâ (ransom blog) and a Tor .onion address used for victim contact.
Read more: https://socradar.io/dark-web-profile-interlock-ransomware/