Unwrapping the emerging Interlock ransomware attack
Nov. 7, 2024, 9:07 p.m.
Description
A new ransomware group called Interlock has emerged, targeting various sectors with big-game hunting and double extortion attacks. The group uses a sophisticated delivery chain including a RAT disguised as a browser updater, PowerShell scripts, credential stealers, and keyloggers. They primarily move laterally through RDP and exfiltrate data using Azure Storage Explorer. The Interlock ransomware encrypts files with the .Interlock extension and drops ransom notes. The attackers claim to exploit unaddressed vulnerabilities and justify their actions as holding companies accountable for poor cybersecurity. Analysis suggests possible links to the Rhysida ransomware group based on similarities in tactics and code. The attack timeline indicates a dwell time of about 17 days in the victim's environment.
Date
Published: Nov. 7, 2024, 4:41 p.m.
Created: Nov. 7, 2024, 4:41 p.m.
Modified: Nov. 7, 2024, 9:07 p.m.
Attack Patterns
Interlock
Rhysida
Interlock
T1021.002
T1003.001
T1021.001
T1070.001
T1053.005
T1490
T1059.001
T1547.001
T1056.001
T1555
T1070.004
T1489
T1486
T1082
T1570
Additional Information
Technology
Healthcare
Government
Manufacturing
Virgin Islands, U.S.