Threat analysts have observed a new ransomware group called Interlock conducting targeted attacks across sectors, including US healthcare, IT and government, and European manufacturing. According to a recent report by Cisco Talos, Interlock employs “big-game hunting” and double extortion tactics, where compromised data is stolen and threatened to be released publicly unless a ransom is paid.
This group operates a data leak site called “Worldwide Secrets Blog” to publish stolen data. It offers victim support through chat options, showcasing a systematic approach to targeting vulnerabilities in organizations’ cybersecurity. Cisco Talos identified that Interlock’s attack chain generally spans around 17 days, during which they gain unauthorized access and deploy ransomware to encrypt files.
Initial access often comes through a fake Google Chrome browser updater that installs a remote access tool (RAT) disguised as a legitimate update. Upon execution, this RAT collects detailed system information, establishes a secure connection to a command-and-control (C2) server, and transmits encrypted data. This RAT also installs a credential-stealing component, allowing Interlock to capture login details for online accounts. Interlock’s arsenal extends beyond simple data collection. The group effectively evades detection by disabling Endpoint Detection and Response (EDR) and clearing event logs.
Lateral movement is achieved via Remote Desktop Protocol (RDP) and other remote access tools, suggesting Interlock has developed tactics for reaching different systems within a network, potentially including Linux hosts. The encryption stage employs both Windows and Linux variants of the Interlock ransomware, and both versions rely on a cryptographic library called LibTomCrypt.
Interlock’s attack routines bypass crucial system folders and specific file extensions to avoid system instability. Windows systems use Cipher Block Chaining (CBC) encryption.
In contrast, Linux systems may utilize CBC or RSA encryption.
Talos’ analysis also noted a potential connection between Interlock and Rhysida ransomware groups, citing overlapping attack techniques, tools, and code. Both groups, for example, use the AzCopy tool to transfer stolen data to remote storage and deploy ransom notes with similar themes, presenting themselves as “helpful” breach informants rather than overt threats.
See: https://redskyalliance.org/xindustry/qakbot-down-but-rhysida-is-not
This trend toward operational diversification and collaboration across ransomware groups reflects broader patterns in the cyber threat landscape, where threat actors increasingly share resources to advance their capabilities.
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
Comments