Interlock ransomware evolving under the radar

The Interlock ransomware group, first observed in September 2024, has emerged as a significant cyber threat, employing tactics such as Big Game Hunting and double extortion. Unlike many ransomware organizations, it does not operate as a Ransomware-as-a-Service (RaaS) group and features a Data Leak Site called “Worldwide Secrets Blog” for negotiation and data exposure. Interlock’s attacks involve compromised websites delivering fake software updates, which in turn deploy PowerShell backdoors and other malicious tools. Although it has claimed relatively few victims compared to other groups, its targeted industries suggest an opportunistic approach. Affected: North America, Europe, various sectors.

Key points:

  • Interlock is a ransomware intrusion set noted for its Big Game Hunting and double extortion tactics.
  • It operates without affiliates, as there’s no evidence of Ransomware-as-a-Service advertisements.
  • The group utilizes a Data Leak Site for victim data exposure and ransom negotiations.
  • Since its inception, Interlock has claimed 24 victims, exhibiting a low victim count compared to other ransomware groups.
  • The attack methodology begins with fake installers masquerading as legitimate software updates.
  • Interlock operators show continual evolution of tools, incorporating techniques like ClickFix and deploying various malware types.
  • The group uses phishing tactics and social engineering via misleading prompts to deliver malware.
  • Obfuscated PowerShell scripts function as backdoors, facilitating further malicious actions.
  • Credential-stealing malware is employed to gather sensitive data for lateral movement and privilege escalation.
  • Interlock ransomware targets both Windows and Linux systems, with a focus on encrypting critical files.

MITRE Techniques:

  • T1193: Spear Phishing Link – Attackers use fraudulent web links to trick users into downloading malicious software.
  • T1071.001: Application Layer Protocol: Web Protocols – Use of HTTP/HTTPS for C2 communication and delivering payloads.
  • T1059.001: Command and Scripting Interpreter: PowerShell – Deployment of PowerShell backdoors and scripts for exploitation.
  • T1056.001: Input Capture: Keylogger – Utilization of keylogging malware to capture sensitive information.
  • T1203: Exploitation for Client Execution – Deployment of fake updaters that exploit user action to execute malicious scripts.

Indicators of Compromise:

  • [URL] http://topsportracing[.]com/wp-25
  • [Domain] trycloudflare[.]com
  • [IP Address] 216.245.184[.]181
  • [IP Address] 212.237.217[.]182
  • [IP Address] 168.119.96[.]41
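
The indicators above are published defanged (`[.]` in place of `.`), so they cannot be pasted straight into a log search. The following Python script is an added example, not code from the Sekoia report: it refangs the five listed IoCs, buckets them by type, and matches them against constructed proxy, DNS and firewall log lines. IPs and hostnames are tokenized before comparison so that a near-miss address such as 216.245.184.18 does not hit 216.245.184.181, and subdomains of a listed domain are matched. The log format and the sample lines are assumptions made up for the example.

```python
"""Match the published (defanged) Interlock IoCs against sample log lines."""
import re
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple

# IoCs exactly as listed on the page, kept defanged so this file stays inert.
DEFANGED_IOCS = [
    "http://topsportracing[.]com/wp-25",
    "trycloudflare[.]com",
    "216.245.184[.]181",
    "212.237.217[.]182",
    "168.119.96[.]41",
]

# Constructed sample telemetry (not real logs): a proxy hit on the URL, a DNS
# query to a trycloudflare subdomain, a firewall flow to a listed IP, a benign
# line, and a near-miss IP that must NOT match.
SAMPLE_LOGS = [
    '2025-01-10T12:00:01Z proxy src=10.0.0.5 method=GET url="http://topsportracing.com/wp-25" status=200',
    "2025-01-10T12:00:02Z dns src=10.0.0.5 query=abc-def-123.trycloudflare.com type=A",
    "2025-01-10T12:00:03Z fw src=10.0.0.7 dst=216.245.184.181 dport=443 action=allow",
    '2025-01-10T12:00:04Z proxy src=10.0.0.9 method=GET url="https://www.example.com/" status=200',
    "2025-01-10T12:00:05Z fw src=10.0.0.7 dst=216.245.184.18 dport=443 action=allow",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(ioc: str) -> str:
    """Undo common defanging ([.] -> ., [:] -> :, hxxp -> http) for comparison."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http").lower()


def classify(ioc: str) -> str:
    """Bucket a refanged indicator as 'url', 'ip' or 'domain'."""
    if "://" in ioc:
        return "url"
    try:
        ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def build_index(defanged: List[str]) -> Dict[str, Set[str]]:
    """Refang and bucket the indicators; a URL's host also becomes a domain IoC."""
    index: Dict[str, Set[str]] = {"url": set(), "ip": set(), "domain": set()}
    for raw in defanged:
        ioc = refang(raw)
        kind = classify(ioc)
        index[kind].add(ioc)
        if kind == "url":
            host = ioc.split("://", 1)[1].split("/", 1)[0]
            index["domain"].add(host)
    return index


def match_line(line: str, index: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (type, indicator) pairs the line matches.

    IPs and hostnames are extracted as whole tokens first, so a substring such
    as 216.245.184.18 cannot be mistaken for 216.245.184.181.
    """
    text = line.lower()
    hits: List[Tuple[str, str]] = []
    for url in sorted(index["url"]):
        if url in text:
            hits.append(("url", url))
    seen_ips = set(IPV4_RE.findall(text))
    for ip in sorted(index["ip"] & seen_ips):
        hits.append(("ip", ip))
    seen_hosts = set(HOST_RE.findall(text))
    for dom in sorted(index["domain"]):
        if any(h == dom or h.endswith("." + dom) for h in seen_hosts):
            hits.append(("domain", dom))
    return hits


def scan(lines: List[str], index: Optional[Dict[str, Set[str]]] = None) -> List[Tuple[int, str, str]]:
    """Scan every line and return (line_number, type, indicator) for each hit."""
    idx = index if index is not None else build_index(DEFANGED_IOCS)
    results: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for kind, ioc in match_line(line, idx):
            results.append((n, kind, ioc))
    return results


if __name__ == "__main__":
    for n, kind, ioc in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} match on {ioc}")
```

Treat the domain hits with care: trycloudflare.com is Cloudflare's quick-tunnel service and carries plenty of legitimate traffic, so a match on it is a hunting lead to pivot on (which host, what else did it do around that time) rather than something to block outright, whereas the listed IP addresses and the specific `/wp-25` URL are far more specific.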

Full Story: https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/