The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory today warning of the growing threat of Interlock ransomware.
The Interlock ransomware variant first appeared in late September 2024, and while the FBI-CISA advisory doesn’t say how many victims the group has claimed, Cyble threat intelligence researchers have documented 50 Interlock victims to date. Interlock claimed 13 victims in June, according to Cyble, double its previous monthly high, making the agencies’ advisory particularly timely.
The advisory looks at Interlock ransomware indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs), based on FBI investigations and other sources. The FBI and CISA were joined in the advisory by the Department of Health and Human Services (HHS) and Multi-State Information Sharing and Analysis Center (MS-ISAC).
Interlock Ransomware Targets VMs
Interlock ransomware actors have targeted businesses, critical infrastructure, and other organizations in North America and Europe, based on opportunity and financial motivations, the FBI and CISA said.
Interlock ransomware encryptors have been observed both for Windows and Linux operating systems, encrypting virtual machines (VMs) across both operating systems. Initial access has come via drive-by download from compromised legitimate websites, “an uncommon method among ransomware groups,” the advisory said. The ransomware group has also used the ClickFix social engineering technique for initial access.
While Interlock actors have been focused on encrypting VMs, it’s possible the group could expand their targets to hosts, workstations, and physical servers in the future. The agencies recommend “robust endpoint detection and response (EDR) tooling and capabilities” to counter the VM threat.
The agencies said they’re aware of reports detailing similarities between the Rhysida and Interlock ransomware variants.
Interlock Ransomware TTPs
One Interlock initial access method has been via fake Google Chrome or Microsoft Edge browser updates, although researchers recently noticed a shift to payload filenames “masquerading as updates for common security software,” CISA and the FBI said.
The fake Google Chrome browser executable functions as a remote access trojan (RAT) that executes a PowerShell script to drop a file into the Windows Startup folder that is designed to run the RAT every time the victim logs in to establish persistence. A PowerShell command that establishes persistence through a Windows Registry key modification has also been observed.
For reconnaissance, a PowerShell script executes a series of commands to gather information on victim machines, and applications like Cobalt Strike and SystemBC have been used for command and control, along with Interlock RAT and NodeSnake RAT.
Once Interlock actors have established remote control of a compromised system, they download a credential stealer (cht.exe) and keylogger binary (klg.dll), and have also been observed using Lumma Stealer and Berserk Stealer to harvest credentials for lateral movement and privilege escalation.
The ransomware actors use compromised credentials and Remote Desktop Protocol (RDP) to move between systems. They’ve used AnyDesk for remote connectivity and PuTTY for lateral movement. The ransomware group has also compromised domain administrator accounts, possibly via Kerberoasting attacks.
Defending Against Interlock Ransomware
The advisory contained a long list of cybersecurity defenses for preventing Interlock ransomware attacks, including:
- Implementing domain name system (DNS) filtering to block users from accessing malicious sites and applications
- Implementing web access firewalls to prevent unknown commands or process injection from malicious domains or websites
- Keeping multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location
- Following NIST password standards and requiring multi-factor authentication
- Keeping operating systems, software, and firmware up to date, prioritizing known exploited vulnerabilities in internet-facing systems
- Segmenting networks to prevent lateral movement and the spread of ransomware
- Implement network monitoring, traffic filtering and EDR tools
- Reviewing domain controllers, servers, workstations, and active directories for new or unrecognized accounts, and applying least privilege principles
- Disabling unused ports, as well as hyperlinks in received emails
- Disabling command line and scripting activities and permissions
- Maintain offline backups of data and ensure that all backup data is encrypted, immutable, “and covers the entire organization’s data infrastructure.”
