Interlock Ransomware Adapts with New Deceptive Tactics and Tools

Article Highlights
Off On

Since its emergence in late September 2024, the ransomware group known as Interlock has steadily gained notoriety for its cunning and innovative strategies. Despite its relatively modest number of victims, Interlock has made a significant impact with its sophisticated attacks, particularly targeting sectors in North America and Europe. One of their most notable incidents involved the breach of nearly 1.5 million patients’ records at Texas Tech University Health Sciences Center. The continual evolution and refinement of their methods have allowed Interlock to remain a prominent threat in the digital landscape.

Deceptive Tactics and Social Engineering

Interlock initially relied on tricking victims through fake browser updates for popular browsers such as Google Chrome and Microsoft Edge. However, beginning in January, the group expanded its repertoire to include counterfeit security software updates. These updates masqueraded as legitimate products such as FortiClient, Ivanti Secure Access, and Palo Alto Networks Global Protect. This shift in strategy demonstrated the group’s adaptability and their commitment to refining their deceptive methods. Adding to their arsenal, Interlock adopted the ClickFix social-engineering technique. This method involves using fake CAPTCHA prompts to deceive victims into copying and pasting malicious PowerShell commands into their Windows terminal. This technique, which has gained popularity since August 2024, has also been employed by other notorious threat actors, including the North Korean group Lazarus. By utilizing compromised legitimate websites to present these fake CAPTCHAs, Interlock has been successful in leading victims to install a PyInstaller file that deploys a PowerShell backdoor. Interestingly, no additional payloads were observed being installed via this backdoor, suggesting that Interlock was experimenting with this innovative approach without fully exploiting its potential.

Tools of the Trade

In its bid to maintain relevance and avoid the high visibility associated with more prolific ransomware groups, Interlock has developed and deployed a variety of tools such as keyloggers and infostealers. Noteworthy among these tools are BerserkStealer and LummaStealer, with LummaStealer being a prominent malware-as-a-service offering since 2022. These tools allow Interlock to gather sensitive information from victims, furthering their reach and potential impact. The group’s deliberate effort to refine their tools and tactics underscores their commitment to remaining a significant threat in the ransomware landscape.

In addition to keyloggers and infostealers, Interlock employs a custom ransomware for both Windows and Linux systems. This ransomware variant is paired with a unique remote access trojan (RAT) backdoor called Interlock RAT. This backdoor facilitates lateral movement within compromised networks. For this purpose, the group relies on the remote desktop protocol (RDP) and credentials harvested from their infostealers. Furthermore, tools like PuTTY and AnyDesk have been utilized by Interlock for remote access, providing them with the means to effectively navigate and manipulate victim systems.

Evolving Strategies and Implications for Victims

Interlock’s recent revisions to its ransom note mark a strategic shift, highlighting potential legal liabilities for companies if their stolen data is leaked. This tactic underscores the psychological pressure exerted on victims to comply with ransom demands. A notable attack earlier this month targeted the National Defense Corporation, a subsidiary of National Presto Industries. Interlock claimed to have stolen nearly 3 million files from the corporation, thereby raising concerns about the scope and severity of their attacks.

The evolving nature of Interlock’s tactics and strategies reflects a keen understanding of the cyber threat landscape. By continually refining their approaches and leveraging sophisticated social-engineering techniques, Interlock has managed to carve out a niche for themselves, positioning themselves as a resilient and adaptive threat actor. Their ability to adapt and experiment with new methods, such as the ClickFix technique, illustrates a forward-thinking mindset that keeps them one step ahead of traditional defenses.

Conclusion: Addressing the Persistent Threat

Since its appearance in late September 2024, the ransomware group Interlock has been steadily gaining a fearsome reputation due to its clever and innovative tactics. Although it has a relatively small number of victims compared to other groups, Interlock has left a significant mark through its sophisticated cyberattacks, particularly focusing on sectors in North America and Europe. One major incident that brought widespread attention to Interlock involved the breach of almost 1.5 million patient records at Texas Tech University Health Sciences Center. The group has continually adapted and refined its methods, allowing it to stay relevant and dangerous in the ever-changing digital landscape. Interlock’s ability to evolve and implement new strategies makes it a persistent threat to cybersecurity. Their operations have raised alarms, pushing organizations to improve their defenses and stay vigilant against such advanced threats. As long as Interlock continues to innovate, it remains a formidable adversary in the realm of cybersecurity.

Explore more

Why Should Leaders Invest in Employee Career Growth?

In today’s fast-paced business landscape, a staggering statistic reveals the stakes of neglecting employee development: turnover costs the median S&P 500 company $480 million annually due to talent loss, underscoring a critical challenge for leaders. This immense financial burden highlights the urgent need to retain skilled individuals and maintain a competitive edge through strategic initiatives. Employee career growth, often overlooked

Making Time for Questions to Boost Workplace Curiosity

Introduction to Fostering Inquiry at Work Imagine a bustling office where deadlines loom large, meetings are packed with agendas, and every minute counts—yet no one dares to ask a clarifying question for fear of derailing the schedule. This scenario is all too common in modern workplaces, where the pressure to perform often overshadows the need for curiosity. Fostering an environment

Embedded Finance: From SaaS Promise to SME Practice

Imagine a small business owner managing daily operations through a single software platform, seamlessly handling not just inventory or customer relations but also payments, loans, and business accounts without ever stepping into a bank. This is the transformative vision of embedded finance, a trend that integrates financial services directly into vertical Software-as-a-Service (SaaS) platforms, turning them into indispensable tools for

DevOps Tools: Gateways to Major Cyberattacks Exposed

In the rapidly evolving digital ecosystem, DevOps tools have emerged as indispensable assets for organizations aiming to streamline software development and IT operations with unmatched efficiency, making them critical to modern business success. Platforms like GitHub, Jira, and Confluence enable seamless collaboration, allowing teams to manage code, track projects, and document workflows at an accelerated pace. However, this very integration

Trend Analysis: Agentic DevOps in Digital Transformation

In an era where digital transformation remains a critical yet elusive goal for countless enterprises, the frustration of stalled progress is palpable— over 70% of initiatives fail to meet expectations, costing billions annually in wasted resources and missed opportunities. This staggering reality underscores a persistent struggle to modernize IT infrastructure amid soaring costs and sluggish timelines. As companies grapple with