
Interlock ransomware gang targets big organisations across sectors


Illustration: JMiks | Shutterstock

A new ransomware group, dubbed ‘Interlock,’ has emerged on the cyber threat landscape. It executes high-profile attacks across diverse industries, including healthcare, technology, government, and manufacturing. First reported in September 2024, the group has adopted a ‘big-game hunting’ approach, targeting large organisations to maximise profits.

Moreover, the group maintains a data leak site named Worldwide Secrets Blog, which hosts stolen data and communication channels for extortion demands. This emphasises their commitment to coercing victims through both data exposure threats and direct interaction.

Interlock’s operations begin with a deceptive initial access method: victims are tricked into downloading a Remote Access Tool (RAT) disguised as a legitimate Google Chrome updater from compromised websites. This tool serves as a gateway, enabling attackers to gain persistent access by embedding the RAT in the startup files of compromised devices.

Interlock website. | Source: Cisco

The malware downloads a legitimate Chrome setup file to avoid suspicion while installing a malicious shortcut that reactivates the RAT each time the user logs in.

Once installed, the RAT initiates information-gathering commands to harvest sensitive details about the victim’s system, including hardware and network configurations. These details are encrypted and transmitted to the attackers’ command-and-control (C2) server, which operates through a domain masked by Cloudflare services.

The RAT’s capabilities extend beyond data collection, allowing the attackers to download and activate a keylogger and credential-stealing software, laying the foundation for broader infiltration.

Researchers discovered that attackers systematically disabled endpoint detection and response (EDR) tools on compromised systems. This evasion is achieved through either an uninstaller tool or by exploiting a vulnerable device driver, which then allows them to disable security software undetected.

Interlock ransomware timeline. | Source: Cisco

Additionally, Interlock deletes event logs on targeted systems, erasing evidence and hindering forensic investigations.

Interlock’s tactics also include deploying credential-stealing malware written in Go. This malware extracts login data from various web browsers, saving usernames, passwords, and associated URLs in a text file stored locally on the victim’s device. Alongside this, a keylogger records keystrokes to capture sensitive information entered by the victim.

With access to these credentials, researchers found that Interlock can move laterally across the compromised network, using tools such as Remote Desktop Protocol (RDP), AnyDesk, and potentially LogMeIn, to expand their reach. Notably, the attackers also install PuTTY to access Linux-based systems, demonstrating their ability to compromise both Windows and Linux environments.

Once access to valuable data is established, Interlock uses tools like Azure Storage Explorer and AzCopy to transfer sensitive files to remote storage, ensuring exfiltrated data is securely held offsite. They then deploy their ransomware payload, named “conhost.exe,” to encrypt targeted files.

The Interlock support system requires users to enter the organisation ID to receive a sixty-digit unique token generated for each victim.

This payload, available in Windows (PE format) and Linux (ELF format) variants, employs complex encryption methods. The Windows version uses Cipher Block Chaining (CBC) for data encryption, while the Linux variant can employ CBC or RSA encryption techniques.

Both variants selectively target and exclude certain directories and file types, ensuring critical system files remain accessible and facilitating ransom negotiations.

Once files are encrypted, Interlock places a ransom note, ‘!README!.txt,’ in affected directories. The note demands that victims contact the attackers via an onion site within 96 hours, warning that failure to comply will lead to data leaks and public disclosure.
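The behaviours described above (a shortcut dropped in the Startup folder, a payload named conhost.exe running from an unusual path, AzCopy launched for bulk copying, event logs cleared, and the ‘!README!.txt’ note) translate into simple defensive checks. The following Python is an added example, not code from the article or from Cisco’s research: the telemetry records are constructed, their field names are an assumption, and the only real identifiers used are Windows event IDs 1102 (Security log cleared) and 104 (System log cleared).

```python
"""Toy detection pass over constructed endpoint telemetry for the
Interlock behaviours described in the article. Field names (type, path,
image, event_id) are assumed; they do not match any specific product."""
import ntpath  # parses Windows paths correctly on any host OS

# Constructed sample events, not real incident data.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChromeUpdate.lnk"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\conhost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\conhost.exe"},  # the legitimate binary
    {"type": "process", "image": r"C:\Tools\azcopy.exe"},
    {"type": "event_log", "event_id": 1102, "channel": "Security"},
    {"type": "file_create", "path": r"D:\Finance\!README!.txt"},
]

STARTUP_DIR = "\\start menu\\programs\\startup\\"   # per-user Startup folder suffix
SYSTEM32 = "c:\\windows\\system32\\"               # where the real conhost.exe lives
BULK_COPY_TOOLS = {"azcopy.exe"}                   # cloud copy tool named in the article
LOG_CLEAR_IDS = {1102, 104}                        # Security / System log cleared


def classify(event):
    """Return a short finding for a suspicious event, or None if it looks benign."""
    kind = event["type"]
    if kind == "file_create":
        path = event["path"].lower()
        if path.endswith(".lnk") and STARTUP_DIR in path:
            return "startup-shortcut persistence"
        if ntpath.basename(path) == "!readme!.txt":
            return "ransom note dropped"
    elif kind == "process":
        image = event["image"].lower()
        name = ntpath.basename(image)
        # conhost.exe is a normal Windows process; the anomaly is its location.
        if name == "conhost.exe" and not image.startswith(SYSTEM32):
            return "conhost.exe outside System32"
        if name in BULK_COPY_TOOLS:
            return "bulk cloud copy tool executed"
    elif kind == "event_log" and event.get("event_id") in LOG_CLEAR_IDS:
        return "event log cleared"
    return None


def scan(events):
    """Return (event, finding) pairs for every suspicious event, in order."""
    findings = []
    for event in events:
        finding = classify(event)
        if finding:
            findings.append((event, finding))
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags five of the six records and leaves the legitimate System32 conhost.exe alone; a real deployment would correlate these findings over a short window rather than alert on each one separately.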


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
