FortiGuard Labs gathers data on ransomware variants of interest that are gaining traction within its datasets and the OSINT community. The report below provides brief insights into the evolving ransomware landscape.
Interlock Ransomware Overview - Interlock is a new ransomware variant that was first publicly observed on a publicly available file-scanning service in early October 2024, which suggests the ransomware may have emerged as early as September. Interlock comes in Windows and FreeBSD versions. It encrypts files on victims' machines and demands a ransom for decryption via dropped ransom notes.
Figure 1: Login screen of the Interlock ransomware’s negotiation site
Figure 2: Interlock ransomware’s ransom negotiation page
Infection Vector - While the initial infection vector of the Interlock ransomware has not been identified, researcher Sina Kheirkhah (@SinSinology) reported that a previously unknown backdoor was found on a victim’s machine. It is possible that the ransomware was deployed through this backdoor.
Attack Method - Windows Version of Interlock Ransomware. The Windows version of the ransomware claims to support the following versions of Windows:
• Windows Vista
• Windows 7
• Windows 8
• Windows 8.1
• Windows 10
The Interlock ransomware takes the following parameters on execution:
• -d, --directory
• -f, --file
• -del, --delete
• -s, --system
Once executed, the Interlock ransomware encrypts files on victims’ machines and drops a ransom note labeled “!__README__!.txt”.
Figure 3: The Interlock ransomware’s ransom note
Files encrypted by the Interlock ransomware will have a “.interlock” file extension.
Figure 4: Files encrypted by the Interlock ransomware
The ransomware is designed to exclude the following file extensions and file names from encryption:
• .bat, .bin, .cab, .cmd, .com, .cur
• .diagcab, .diagcfg, .diagpkg, .drv, .hlp, .hta
• .ico, .msi, .ocx, .psm1, .scr, .sys
• .ini, .url, .dll, .exe, .ps1
• Thumbs.db
It also excludes the following folders from file encryption:
• $Recycle.Bin
• Boot
• Documents and Settings
• PerfLogs
• ProgramData
• Recovery
• System Volume Information
• Windows
It also creates a scheduled task named "TaskSystem":
schtasks /create /sc DAILY /tn "TaskSystem" /tr "cmd /C cd %s && %s" /st 20:00 /ru system > nul
The above script creates a new scheduled task, TaskSystem, that runs daily at 20:00 using the System account.
FreeBSD Version of the Interlock Ransomware. The FreeBSD version of the ransomware takes the following parameters on execution:
• -d, --directory
• -f, --file
• -del, --delete
• -s, --system
Once the ransomware is executed, it encrypts files on victims' machines using the AES-CBC encryption algorithm and adds an ".interlock" extension to the encrypted files. The ransomware then leaves a text file containing the same ransom note as the Windows version.
The FreeBSD version of the Interlock ransomware skips files with an “.interlock” extension from file encryption.
It also excludes the following directories from file encryption:
• /bin, /boot, /cdrom, /dev, /etc, /home
• /lib, /lib32, /lib64, /libx32, /lost+found, /media
• /mnt, /opt, /proc, /run, /root, /sbin
• /snap, /srv, /sys, /tmp, /usr, /var
It also avoids encrypting the following file:
• boot.cfg
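To turn the Windows and FreeBSD exclusion lists above into something a responder can use during triage, here is an added Python example (not code from the report, and not the ransomware's own logic) that answers two questions: would a given path have been skipped under the rules listed, and does a directory tree contain the two on-disk artefacts the report describes (".interlock" files and the "!__README__!.txt" note)? The exclusion sets are transcribed from this report; the sample tree in demo() is constructed.

```python
import os
import tempfile
from pathlib import PurePosixPath, PureWindowsPath

# Exclusion rules transcribed from the report; reconstructed for triage, not Interlock's own code.
WIN_SKIP_EXT = {".bat", ".bin", ".cab", ".cmd", ".com", ".cur", ".diagcab", ".diagcfg",
                ".diagpkg", ".drv", ".hlp", ".hta", ".ico", ".msi", ".ocx", ".psm1",
                ".scr", ".sys", ".ini", ".url", ".dll", ".exe", ".ps1"}
WIN_SKIP_NAMES = {"thumbs.db"}
WIN_SKIP_DIRS = {"$recycle.bin", "boot", "documents and settings", "perflogs",
                 "programdata", "recovery", "system volume information", "windows"}
BSD_SKIP_DIRS = {"/bin", "/boot", "/cdrom", "/dev", "/etc", "/home", "/lib", "/lib32",
                 "/lib64", "/libx32", "/lost+found", "/media", "/mnt", "/opt", "/proc",
                 "/run", "/root", "/sbin", "/snap", "/srv", "/sys", "/tmp", "/usr", "/var"}
BSD_SKIP_NAMES = {"boot.cfg"}
RANSOM_NOTE = "!__README__!.txt"
ENC_EXT = ".interlock"

def expected_untouched(path, platform="windows"):
    """True if the report's exclusion rules say the file would be skipped (left intact)."""
    if platform == "windows":
        p = PureWindowsPath(path)
        parents = {part.lower() for part in p.parts[:-1]}  # directory names above the file
        return (p.suffix.lower() in WIN_SKIP_EXT
                or p.name.lower() in WIN_SKIP_NAMES
                or bool(parents & WIN_SKIP_DIRS))
    p = PurePosixPath(path)  # FreeBSD rules: top-level directory, boot.cfg, already-encrypted files
    top = "/" + p.parts[1] if p.is_absolute() and len(p.parts) > 1 else ""
    return p.suffix == ENC_EXT or p.name in BSD_SKIP_NAMES or top in BSD_SKIP_DIRS

def triage_tree(root):
    """Walk a tree and collect the two on-disk artefacts the report describes."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
            elif name.lower().endswith(ENC_EXT):
                encrypted.append(full)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "hit": bool(encrypted or notes)}

def demo():
    """Constructed sample tree (not real victim data) to exercise triage_tree()."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("docs/report.docx" + ENC_EXT, "docs/" + RANSOM_NOTE, "setup.exe"):
        open(os.path.join(root, rel), "w").close()
    return triage_tree(root)
```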
Victimology - At the time of our investigation, the Interlock ransomware data leak site listed six victims. Five were in the United States, and the other was in Italy. However, submission data from the publicly available scanning service suggests an even broader spread of victims: Interlock ransomware samples have been submitted from India, Italy, Japan, Germany, Peru, South Korea, Turkey, and the United States.
The victims are in the education, finance, government, healthcare, and manufacturing sectors, indicating that, unlike some other ransomware groups, Interlock has no policy of avoiding essential businesses and organizations.
Figure 5: A list of the Interlock ransomware victims on the data leak site
Each victim has a page describing the victim’s organization and lists stolen and leaked files.
Figure 6: A victim’s page on the Interlock ransomware’s TOR site
Data Leak Site - The Interlock ransomware runs its data leak site on TOR, which is divided into the following four sections:
• Home
• About – contains an FAQ
• DATA LEAK – includes a list of victims
• Help – includes contact information
Figure 7: Top page of the Interlock ransomware’s TOR site
Figure 8: “About Us” on the Interlock ransomware’s TOR site
Figure 9: “Help” page on the Interlock ransomware’s TOR site
IOCs - Interlock Ransomware File IOCs
SHA-256 hash - Note
• a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642 - Interlock ransomware (Windows version)
• 28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f - Interlock ransomware (FreeBSD version)
• e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1
• f00a7652ad70ddb6871eeef5ece097e2cf68f3d9a6b7acfbffd33f82558ab50e
IOCs of the backdoor malware reported by Sina Kheirkhah (@SinSinology)
SHA-256 hash - Note
• e9ff4d40aeec2ff9d2886c7e7aea7634d8997a14ca3740645fd3101808cc187b - Backdoor malware allegedly found on the Interlock ransomware victim’s machine
• 7d750012afc9f680615fe3a23505f13ab738beef50cd92ebc864755af0775193
• 6933141fbdcdcaa9e92d6586dd549ac1cb21583ba9a27aa23cf133ecfdf36ddf
Best Practices Include Not Paying a Ransom - Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom, partly because payment does not guarantee that files will be recovered. According to an advisory from the US Department of the Treasury's Office of Foreign Assets Control (OFAC), ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities, and the payment itself could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via its Internet Crime Complaint Center (IC3).
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941
• Weekly Cyber Intelligence Briefings (REDSHORTS): https://register.gotowebinar.com/register/5378972949933166424