Interlock Ransomware Targeting Businesses

MITRE Techniques

• [T1490] Data Encrypted for Impact – Interlock encrypts files using AES-256-GCM and embeds RSA-4096-wrapped keys at the end of files to prevent local recovery (“the symmetric key and initial value IV are encrypted using RSA-4096 public key and inserted at the end of the file”).
• [T1027] Obfuscated Files or Information – The ransomware obfuscates main code and performs code patching at execution so original code appears only in memory to evade analysis (“initially encrypts or obfuscates the main code and hides it, only to perform code patching at the execution time to release it in memory”).
• [T1070.004] File Deletion – The malware can self-delete when invoked with the ‘-del’ argument (“-del Self-delete”).
• [T1059] Command and Scripting Interpreter – Interlock accepts command-line arguments to control behaviors such as encrypting a folder or single file and forcing encryption (“-d Attempt to encrypt specified folder”, “-f Encrypt one file only”, “-r Attempt to encrypt forcibly”).
• [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The ransomware can create and run a scheduled task for privilege escalation using the ‘-s’ argument (“-s Create and run task scheduler (privilege escalation)”).
• [T1218] Signed Binary Proxy Execution – The malware terminates processes being encrypted to allow file modification, indicating use of process manipulation to achieve file access (“the agent performs the action to terminate the processes that are being encrypted, if the ‘-r’ argument exists”).
• [T1486] Data Encrypted for Impact (Ransom Note) – The group drops a ransom note that includes a Tor negotiation URL and threatens regulatory exposure to coerce victims (“The ransom note includes the negotiation site URL based on the Tor network … warns of the potential violation of major legal regulations such as GDPR, GLBA, HIPAA…”).