Skip to Main Content

Article

Interlock: An Emerging Ransomware Threat

Share

First observed in September 2024, the Interlock ransomware group is targeting Windows and more recently, Linux systems, utilizing big-game hunting and double-extortion tactics. This group has impacted a range of industries, including healthcare, technology, government, and manufacturing across the U.S. and European landscape. After infiltrating a target system, the Interlock ransomware operators encrypt files and append an .interlock extension. In addition to encryption, the group exfiltrates sensitive data, threatening to release it unless a ransom is paid.
 

What’s Notable and Unique

     

  • Interlock ransomware attacks observed by Arete involved multiple components in the delivery chain, including the use of a SystemBC RAT, PowerShell scripts, a credential stealer, and a keylogger before the ransomware encryptor binary was deployed and activated.
  • Interlock ransomware utilizes Remote Desktop Protocol (RDP) for lateral movement within the victim’s network, along with tools like AnyDesk and PuTTY.
  • For data exfiltration, Interlock ransomware leverages Azure Storage Explorer and the AZCopy utility to transfer stolen data to an attacker-controlled Azure storage blob. It has also employed tools like MegaSync and Advanced Port Scanner in attacks.

 

Analyst Comments

 
The emergence of Interlock ransomware represents a significant shift in the cyber threat landscape, with its focus on big-game hunting and the use of double-extortion tactics. The group’s attacks are characterized by a sophisticated delivery chain, combining various techniques, including the use of remote access tools, PowerShell scripts, and data exfiltration methods. Many of these tactics, techniques, and procedures (TTPs) overlap with tactics displayed by Rhysidia ransomware, indicating a potential rebrand by the threat actor. Notably, a recent attack by Interlock spanned 17 days from initial compromise to the deployment of the ransomware encryptor binary, demonstrating an extended persistence within the victim’s network and highlighting the advanced nature of this threat.

Sources

Arete Internal Data

Unwrapping the emerging Interlock ransomware attack

Meet Interlock — The new ransomware targeting FreeBSD servers

INTERLOCK Ransomware

Related Resources

  • article

    Chinese Threat Actor Activity Drives US Government Recommendation for Encrypted Communications

    FBI and CISA urge encrypted mobile use after Salt Typhoon cyberattacks target U.S. telecom providers for espionage.

    Read more
  • article

    Managed Detection and Response: A Cornerstone of a Multi-Pronged Approach to Security

    The barrier of entry into cybercrime has become significantly lower in recent years, with artificial intelligence, leaked source code, and Cybercrime-as-a-Service tools enabling even less experienced threat actors to execute damaging attacks.

    Read more
  • article

    Threat Actors Attempting to Sell Data While Extorting Victims

    Discover how cyber threat actors like "wonder" and "M0riarty" monetize stolen data through BreachForums and ransomware tactics.

    Read more