Interlock Ransomware Adapts with New Deceptive Tactics and Tools

Article Highlights
Off On

Since its emergence in late September 2024, the ransomware group known as Interlock has steadily gained notoriety for its cunning and innovative strategies. Despite its relatively modest number of victims, Interlock has made a significant impact with its sophisticated attacks, particularly targeting sectors in North America and Europe. One of their most notable incidents involved the breach of nearly 1.5 million patients’ records at Texas Tech University Health Sciences Center. The continual evolution and refinement of their methods have allowed Interlock to remain a prominent threat in the digital landscape.

Deceptive Tactics and Social Engineering

Interlock initially relied on tricking victims through fake browser updates for popular browsers such as Google Chrome and Microsoft Edge. However, beginning in January, the group expanded its repertoire to include counterfeit security software updates. These updates masqueraded as legitimate products such as FortiClient, Ivanti Secure Access, and Palo Alto Networks Global Protect. This shift in strategy demonstrated the group’s adaptability and their commitment to refining their deceptive methods. Adding to their arsenal, Interlock adopted the ClickFix social-engineering technique. This method involves using fake CAPTCHA prompts to deceive victims into copying and pasting malicious PowerShell commands into their Windows terminal. This technique, which has gained popularity since August 2024, has also been employed by other notorious threat actors, including the North Korean group Lazarus. By utilizing compromised legitimate websites to present these fake CAPTCHAs, Interlock has been successful in leading victims to install a PyInstaller file that deploys a PowerShell backdoor. Interestingly, no additional payloads were observed being installed via this backdoor, suggesting that Interlock was experimenting with this innovative approach without fully exploiting its potential.

Tools of the Trade

In its bid to maintain relevance and avoid the high visibility associated with more prolific ransomware groups, Interlock has developed and deployed a variety of tools such as keyloggers and infostealers. Noteworthy among these tools are BerserkStealer and LummaStealer, with LummaStealer being a prominent malware-as-a-service offering since 2022. These tools allow Interlock to gather sensitive information from victims, furthering their reach and potential impact. The group’s deliberate effort to refine their tools and tactics underscores their commitment to remaining a significant threat in the ransomware landscape.

In addition to keyloggers and infostealers, Interlock employs a custom ransomware for both Windows and Linux systems. This ransomware variant is paired with a unique remote access trojan (RAT) backdoor called Interlock RAT. This backdoor facilitates lateral movement within compromised networks. For this purpose, the group relies on the remote desktop protocol (RDP) and credentials harvested from their infostealers. Furthermore, tools like PuTTY and AnyDesk have been utilized by Interlock for remote access, providing them with the means to effectively navigate and manipulate victim systems.

Evolving Strategies and Implications for Victims

Interlock’s recent revisions to its ransom note mark a strategic shift, highlighting potential legal liabilities for companies if their stolen data is leaked. This tactic underscores the psychological pressure exerted on victims to comply with ransom demands. A notable attack earlier this month targeted the National Defense Corporation, a subsidiary of National Presto Industries. Interlock claimed to have stolen nearly 3 million files from the corporation, thereby raising concerns about the scope and severity of their attacks.

The evolving nature of Interlock’s tactics and strategies reflects a keen understanding of the cyber threat landscape. By continually refining their approaches and leveraging sophisticated social-engineering techniques, Interlock has managed to carve out a niche for themselves, positioning themselves as a resilient and adaptive threat actor. Their ability to adapt and experiment with new methods, such as the ClickFix technique, illustrates a forward-thinking mindset that keeps them one step ahead of traditional defenses.

Conclusion: Addressing the Persistent Threat

Since its appearance in late September 2024, the ransomware group Interlock has been steadily gaining a fearsome reputation due to its clever and innovative tactics. Although it has a relatively small number of victims compared to other groups, Interlock has left a significant mark through its sophisticated cyberattacks, particularly focusing on sectors in North America and Europe. One major incident that brought widespread attention to Interlock involved the breach of almost 1.5 million patient records at Texas Tech University Health Sciences Center. The group has continually adapted and refined its methods, allowing it to stay relevant and dangerous in the ever-changing digital landscape. Interlock’s ability to evolve and implement new strategies makes it a persistent threat to cybersecurity. Their operations have raised alarms, pushing organizations to improve their defenses and stay vigilant against such advanced threats. As long as Interlock continues to innovate, it remains a formidable adversary in the realm of cybersecurity.

Explore more

Trend Analysis: Citrix NetScaler Infrastructure Security

The modern enterprise perimeter has shifted from a physical boundary to a complex digital handshake, yet the very devices orchestrating this trust have become the most targeted vulnerabilities in the global infrastructure. This evolution represents a fundamental change in how threat actors perceive the value of edge networking components, moving away from simple traffic routing toward the control of identity

Can Integrated HR Systems End the Manual Paper Chase?

For many human resources departments operating in an era of rapid digital transformation, the promise of a paperless office has often felt more like a distant dream than a tangible reality. Many organizations are surprised to find themselves trapped in a manual paper chase that feels decades old despite their use of modern software. For a mid-sized organization, hiring just

Cloudflare Redefines the AI-Publisher Relationship

The rapid transformation of the digital landscape has reached a critical juncture where automated web traffic now accounts for more than fifty percent of all global internet requests. This shift marks a significant departure from the early days of the web, where a simple exchange of content for search visibility defined the relationship between publishers and technology companies. Today, the

Anthropic Redeploys Claude Models After US Security Review

The rapid acceleration of large language model capabilities has prompted a significant reassessment of how advanced artificial intelligence is vetted before reaching the public and sensitive government sectors. In an environment where a single breakthrough can shift the global balance of power, the decision to pause and scrutinize the Claude 3.5 and subsequent 4.0 iterations represented a pivotal moment for

Samsung Projected to Overtake NVIDIA as Most Profitable Firm

The Rise of a New Financial Titan in the Tech Industry The global technology hierarchy is witnessing a monumental transformation as manufacturing giants reclaim the throne from design-centric firms. While the artificial intelligence boom has long been synonymous with chip designers, the financial gravity is shifting toward the infrastructure providers. Samsung Electronics is now positioned to surpass NVIDIA as the