Unwrapping the emerging Interlock ransomware attack

Nov. 7, 2024, 9:07 p.m.

Description

Interlock is a newly observed ransomware group running big-game hunting and double-extortion attacks against several sectors. Its delivery chain includes a remote access trojan (RAT) disguised as a browser updater, PowerShell scripts, credential stealers and keyloggers. The operators move laterally mainly over RDP and exfiltrate data with Azure Storage Explorer. The Interlock ransomware encrypts files, appends the .Interlock extension and drops ransom notes. The attackers claim to exploit unaddressed vulnerabilities and frame their activity as holding companies accountable for poor cybersecurity. Similarities in tactics and code suggest a possible link to the Rhysida ransomware group. The attack timeline indicates roughly 17 days of dwell time in the victim's environment.
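The following hunt turns the TTPs summarised above into detection logic run over sample endpoint telemetry: RDP logons (T1021.001), PowerShell script execution (T1059.001), DNS queries for the two domains under Indicators, the start of Azure Storage Explorer, and bursts of files renamed to the .Interlock extension (T1486), followed by the first-to-last finding interval as a rough dwell-time estimate. This is an added example, not code or data from the report; the event schema, the sample events, the PowerShell flag list and the rename threshold and window are assumptions. The report does not name the ransom note file, so no rule keys on it.

```python
import json
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Domains listed under "Indicators" on this page.
IOC_DOMAINS = ("2mail.co", "apple-online.shop")
# Extension the report says Interlock appends to encrypted files (matched case-insensitively).
ENCRYPTED_EXT = ".interlock"
# Command-line fragments that mark script-host abuse; an assumed, non-exhaustive list.
POWERSHELL_FLAGS = ("-ep bypass", "-executionpolicy bypass", "-w hidden", "-enc ")

# Constructed sample telemetry (one JSON event per line). Invented for this
# example to exercise the rules; these are not logs from the report.
SAMPLE_EVENTS = r"""
{"ts":"2024-10-01T02:10:00","host":"FS01","type":"logon","logon_type":10,"user":"CORP\\svc_backup","src_ip":"10.0.5.23"}
{"ts":"2024-10-01T02:11:05","host":"FS01","type":"process","pid":4120,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -ep bypass -w hidden -File C:\\Users\\Public\\update.ps1"}
{"ts":"2024-10-01T02:12:00","host":"FS01","type":"dns","query":"apple-online.shop"}
{"ts":"2024-10-03T11:00:00","host":"FS01","type":"dns","query":"login.microsoftonline.com"}
{"ts":"2024-10-03T11:00:30","host":"FS01","type":"process","pid":4300,"image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
{"ts":"2024-10-15T01:30:00","host":"FS01","type":"process","pid":4211,"image":"C:\\Users\\svc_backup\\AppData\\Local\\Programs\\Microsoft Azure Storage Explorer\\StorageExplorer.exe","cmdline":"StorageExplorer.exe"}
{"ts":"2024-10-18T02:09:58","host":"FS01","type":"file_rename","pid":5002,"old":"D:\\share\\q3.xlsx","new":"D:\\share\\q3.xlsx.Interlock"}
{"ts":"2024-10-18T02:09:59","host":"FS01","type":"file_rename","pid":5002,"old":"D:\\share\\hr.docx","new":"D:\\share\\hr.docx.Interlock"}
{"ts":"2024-10-18T02:10:00","host":"FS01","type":"file_rename","pid":5002,"old":"D:\\share\\db.bak","new":"D:\\share\\db.bak.Interlock"}
{"ts":"2024-10-18T02:10:30","host":"FS01","type":"file_rename","pid":5002,"old":"D:\\share\\plan.pptx","new":"D:\\share\\plan.pptx.Interlock"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line and sort by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["dt"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["dt"])


def _finding(technique, ev, detail):
    return {"technique": technique, "ts": ev["ts"], "host": ev["host"], "detail": detail}


def hunt(text, rename_threshold=3, window_seconds=60):
    """Run the rules over the telemetry and return findings in timeline order.

    rename_threshold and window_seconds are assumed values for the example."""
    findings = []
    # (host, pid) -> timestamps of recent ".Interlock" renames, to spot an encryption burst
    recent_renames = defaultdict(list)

    for ev in parse_events(text):
        kind = ev["type"]
        if kind == "logon" and ev.get("logon_type") == 10:
            # Windows logon type 10 (RemoteInteractive) is an RDP session: T1021.001
            findings.append(_finding("T1021.001", ev, f"RDP logon by {ev['user']} from {ev['src_ip']}"))
        elif kind == "dns":
            q = ev["query"].lower()
            if any(q == d or q.endswith("." + d) for d in IOC_DOMAINS):
                findings.append(_finding("indicator:domain", ev, f"query for listed domain {q}"))
        elif kind == "process":
            image = PureWindowsPath(ev["image"]).name.lower()
            cmd = ev.get("cmdline", "").lower()
            if image == "powershell.exe" and any(flag in cmd for flag in POWERSHELL_FLAGS):
                findings.append(_finding("T1059.001", ev, f"suspicious PowerShell: {ev['cmdline']}"))
            elif image == "storageexplorer.exe":
                # The report names Azure Storage Explorer as the exfiltration tool but lists
                # no exfiltration technique ID, so this finding carries a descriptive tag.
                findings.append(_finding("tool:AzureStorageExplorer", ev, "Azure Storage Explorer started"))
        elif kind == "file_rename" and ev["new"].lower().endswith(ENCRYPTED_EXT):
            key = (ev["host"], ev["pid"])
            # Keep only renames inside the sliding window, then add the current one.
            window = [t for t in recent_renames[key] if (ev["dt"] - t).total_seconds() <= window_seconds]
            window.append(ev["dt"])
            recent_renames[key] = window
            # Fire once when the burst first reaches the threshold, not on every rename.
            if len(window) == rename_threshold:
                findings.append(_finding("T1486", ev,
                                         f"{rename_threshold} files renamed to {ENCRYPTED_EXT} "
                                         f"within {window_seconds}s by pid {ev['pid']}"))
    return findings


def dwell_time_days(findings):
    """Days between the earliest and latest finding (0.0 with fewer than two)."""
    if len(findings) < 2:
        return 0.0
    times = sorted(datetime.fromisoformat(f["ts"]) for f in findings)
    return (times[-1] - times[0]).total_seconds() / 86400


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['ts']} {f['host']} {f['technique']:<26} {f['detail']}")
    print(f"dwell time: {dwell_time_days(results):.1f} days")
```

On the constructed sample the script reports five findings and a 17-day first-to-last interval; on real telemetry the interval only bounds dwell time from below, since the earliest finding is the earliest detected activity, not necessarily initial access.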

Date

  • Created: Nov. 7, 2024, 4:41 p.m.
  • Published: Nov. 7, 2024, 4:41 p.m.
  • Modified: Nov. 7, 2024, 9:07 p.m.

Indicators

  • 2mail.co
  • apple-online.shop

Attack Patterns

  • Interlock
  • Rhysida
  • T1021.002
  • T1003.001
  • T1021.001
  • T1070.001
  • T1053.005
  • T1490
  • T1059.001
  • T1547.001
  • T1056.001
  • T1555
  • T1070.004
  • T1489
  • T1486
  • T1082
  • T1570

Additional Information

  • Technology
  • Healthcare
  • Government
  • Manufacturing
  • Virgin Islands, U.S.