Interlock: The New Kid on the Block (and It’s a Bad One)

• Virtual Machine Hijacking: Interlock targets VMware ESXi hypervisors, taking over virtual machines and encrypting their data. It's like a digital heist, but instead of robbing a bank, they're robbing your virtual servers.
• Data Extortion: Not only do they encrypt your data, but they also steal it. It's like a double whammy: pay the ransom or risk having your sensitive data leaked online.

• Use endpoint detection and response (EDR) solutions: These tools can help detect and respond to attacks.
• Patch your systems: Keep your software and firmware up-to-date.
  Implement strong access controls: Use multi-factor authentication and restrict access to critical systems.
• Back up your data: Regularly back up your data and store it offline.

Interlock is a relatively new ransomware operation first detected in late September 202412. The group behind Interlock has targeted organisations worldwide, with a particular focus on the healthcare sector.

Targeting and Attack Vectors

Interlock employs an unusual approach compared to other ransomware operations by specifically targeting FreeBSD servers, an operating system commonly used in critical infrastructure. This suggests that Interlock operators are seeking to disrupt vital services and potentially demand  higher ransoms due to the impact of their attacks.

Key attack vectors include:

• Exploiting vulnerabilities within virtual environments.
• Compromising VMware's ESXi hypervisors, which allows the attackers to gain control of virtual machines (VMs) without affecting physical servers and workstations.
• Encrypting virtual disk files (VMDKs) and changing root passwords on ESXi hosts, making data recovery extremely difficult.

Ransomware Execution and Impact

Interlock has developed both Windows and FreeBSD encryptors69. The Windows version clears Windows event logs and can delete itself using a DLL10.

During an attack, Interlock performs the following actions:

• Data exfiltration: Breaches the corporate network and steals data from servers before deploying the ransomware.
• Lateral movement: Spreads to other devices on the network.
• Encryption: Deploys the ransomware to encrypt all files on the network, appending the .interlock extension to encrypted filenames.
• Ransom note: Creates a ransom note named !!.txt in each folder, containing instructions for contacting the attackers and making payment.
• Double extortion: Uses stolen data as leverage, threatening to publicly leak it on their data leak site if the ransom is not paid.

Ransom demands range from hundreds of thousands to millions of dollars, depending on the victim organisation's size.

Command and Control

Interlock establishes command and control (C2) through a scheduled task over an anonymized network, using a reverse shell for communication78. This sophisticated approach helps the ransomware evade detection by traditional network monitoring tools.

Malware Analysis and Detection

Foresiet, a digital security firm, has analysed Interlock's processes and identified several components that facilitate its malicious activities:

• Processes: Leverages common system processes like rundll32.exe to load malicious DLLs from temporary directories.
• Signatures: Displays unusual network requests associated with processes like rundll32.exe, serving as an indicator of compromise (IoC).
• Network activity: Communicates with a C2 server over HTTPS (TLS-encrypted), concealing its traffic within legitimate web traffic.
• Detecting Interlock requires advanced signature-based methods. Foresiet recommends using YARA rules to identify specific ELF binaries based on their internal structure, string patterns, and file size.

MITRE ATT&CK Techniques

Interlock utilises various techniques mapped to the MITRE ATT&CK framework. Some notable examples include:

• Resource hijacking: Compromises virtual environments to control and disrupt crucial system resources.
• Impair defenses: Deletes local backups and modifies security settings to prevent recovery efforts.
• Signed binary proxy execution: Employs rundll32.exe to execute malicious DLLs and maintain persistence.
• Obfuscated files or information: Uses encryption and anonymized networks to hide its communications and actions.
• Application layer protocol: Communicates with C2 servers over HTTPS, concealing its traffic within legitimate web traffic.

Prevention and Mitigation

Organisations can take the following steps to protect themselves from Interlock ransomware:

• Patch management: Regularly update systems, particularly those running virtual environments, to address known vulnerabilities.
• Access controls and MFA: Enforce multifactor authentication (MFA) and robust access controls to prevent unauthorised access.
• Backup strategy: Ensure regular backups and store them offline to protect against encryption and deletion.
• Endpoint detection & response (EDR): Deploy EDR solutions to monitor for suspicious activities like unusual process execution or network traffic.

By implementing a multi-layered security approach, organisations can significantly reduce their risk of falling victim to Interlock and other sophisticated ransomware threats.