Interlock Ransomware Emerging as a New Force
A relatively new ransomware group called Interlock recently has been targeting high-profile organizations.
A relatively new ransomware group called Interlock has recently been targeting high-profile organizations using a double-extortion model to squeeze as much money as possible from each victim. Interlock has only been in the public eye for a couple of months, but researchers have already observed the group hitting organizations in a number of industries, including manufacturing, tech, health care, and government.
In a recent incident, researchers from Cisco Talos observed Interlock actors spending more than two weeks inside a victim’s network before actually deploying the ransomware. The initial access vector in this intrusion was via a malicious fake Google Chrome update file that was hosted on a legitimate news site.
“Talos IR discovered the fake browser updater executable is a Remote Access Tool (RAT) that automatically executes an embedded PowerShell script when downloaded and run. The script initially downloads a legitimate Chrome setup executable ‘ChromeSetup.exe’ to the victim machine’s applications temporary folder and established persistence by dropping a Windows shortcut file in the Windows StartUp folder with the file name ‘fahhs.lnk’ configured to run the RAT every time the victim logs in, establishing persistence,” the Talos analysis of the Interlock intrusion says.
The RAT that’s installed on the compromised machine collects a wide range of information from the computer and then sends it to a remote server. The malware then downloads two other tools, a keylogger and a credential stealer. At some point the Interlock actor also disabled the EDR software on the machine, then used RDP to move laterally across the network and used compromised credentials to gain access to other accounts.
“The attacker deployed the Interlock ransomware encryptor binary with the file name ‘conhost.exe’, masquerading as a legitimate file, onto the victim machine and stored it in a folder named with a single digit number (example: ‘3’ or ‘4’) in the user profile application data temporary folder. When run, the ransomware encrypts the targeted files on the victim machine with the file extension ‘.Interlock’ and drops the ransom note ‘!__README__!.txt’ file in every folder containing files that the encryptor has attempted to encrypt,” the analysis says.
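The two Talos excerpts above describe several file-system artifacts a defender can hunt for: a `.lnk` dropped in the per-user Startup folder, a `conhost.exe` stored in a single-digit-named folder under the user's Temp directory, files renamed with the `.Interlock` extension, and the `!__README__!.txt` ransom note. The following Python is an added example of turning those descriptions into simple detection logic over file-creation paths; it is not code from Talos or Vulnerable U. The sample paths are constructed for the example, and the regex assumes the standard per-user Startup folder location under `AppData\Roaming`.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of file-creation paths, in the shape an EDR or Sysmon
# feed might surface them. These are invented for this example, not taken
# from the Talos report.
SAMPLE_EVENTS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fahhs.lnk",
    r"C:\Users\alice\AppData\Local\Temp\3\conhost.exe",
    r"C:\Windows\System32\conhost.exe",          # the legitimate binary
    r"C:\Users\alice\Documents\budget.xlsx.Interlock",
    r"C:\Users\alice\Documents\!__README__!.txt",
    r"C:\Users\alice\Downloads\ChromeSetup.exe",  # legitimate installer, benign on its own
]

# Any .lnk written to the per-user Startup folder (assumed standard location).
STARTUP_LNK_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE
)
# conhost.exe placed in a single-digit folder beneath the user's Temp directory,
# as described in the Talos excerpt.
TEMP_DIGIT_CONHOST_RE = re.compile(
    r"\\AppData\\Local\\Temp\\\d\\conhost\.exe$", re.IGNORECASE
)
RANSOM_NOTE = "!__README__!.txt"
ENCRYPTED_EXT = ".interlock"
LEGIT_CONHOST_DIR = "c:\\windows\\system32\\"


def classify(path: str) -> list[str]:
    """Return the indicator labels that a single file path matches."""
    hits: list[str] = []
    name = PureWindowsPath(path).name
    lowered = path.lower()

    if STARTUP_LNK_RE.search(path):
        hits.append("startup-lnk-persistence")

    if TEMP_DIGIT_CONHOST_RE.search(path):
        hits.append("masqueraded-conhost-in-temp")
    elif name.lower() == "conhost.exe" and not lowered.startswith(LEGIT_CONHOST_DIR):
        # Any other conhost.exe outside System32 is still worth a look.
        hits.append("conhost-outside-system32")

    if name.lower().endswith(ENCRYPTED_EXT):
        hits.append("interlock-encrypted-file")
    if name == RANSOM_NOTE:
        hits.append("interlock-ransom-note")
    return hits


def scan(events: list[str]) -> dict[str, list[str]]:
    """Map each suspicious path to its matched indicators; benign paths are omitted."""
    return {p: hits for p in events if (hits := classify(p))}


def summarize(events: list[str]) -> dict[str, int]:
    """Count how many paths matched each indicator, for a quick per-host triage view."""
    counts: dict[str, int] = {}
    for hits in scan(events).values():
        for label in hits:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(hits):32} {path}")
    print(summarize(SAMPLE_EVENTS))
```

The persistence and masquerading indicators are the useful early signals here: they appear while the actor is still dwelling in the network, whereas the `.Interlock` extension and ransom note only show up once encryption has begun. In a real deployment the `conhost.exe` check would also compare the file's hash or signature against the genuine System32 binary rather than relying on path alone.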
Interlock ransomware has both Windows and Linux variants and the group exfiltrates data from the victim networks before deploying the ransomware. The group also maintains a public leak site to shame and pressure victims into paying the ransoms. The Talos researchers identified some similarities between the Interlock ransomware and the older Rhysida variant.
“We discovered code overlaps in the binaries of Interlock and Rhysida ransomware samples. Notably, the files and folders exclusion list hardcoded in the Windows variant of the Interlock ransomware has similarities with the exclusion list in Rhysida ransomware, reported by Talos in an August 2023 Threat Advisory,” the analysis says.
There are also some similarities in tools and TTPs between the two groups, and the Talos researchers posited that Interlock may be a spinoff from the Rhysida group.