InterLock: Full Tooling Breakdown of a Ransomware Operation
Summary
InterLock is a double-extortion ransomware operation, active since October 2024, that steals data, operates a Tor-based leak site, and encrypts files across FreeBSD/ESXi and Windows environments. Its intrusion chain uses ScreenConnect MSI installers for initial access, the multi-language NodeSnake backdoor for persistence, an NTLM credential harvester, and a custom crypter framework that packages the ransomware payloads. Command-and-control traffic runs over WebSocket protected with RC4, with hard-coded fallback IPs and additional Cloudflare Tunnel endpoints. The ransomware appends the .interlock extension, drops a ransom note containing an .onion negotiation URL, and derives its keys from a weak PRNG, which may allow recovery.
Investigation
The report analyzes 15 samples, including four ScreenConnect MSI installers, three NodeSnake implants (JavaScript, Java, and native C++), one NTLM thief DLL, and four ransomware executables. All artifacts share three hard-coded C2 IP addresses and the same crypter decryption loop marked by the byte pattern 488b041f483345f04889041e. In its native form, NodeSnake adds TCP tunneling, thread hijacking, and anti-debugging. The Windows ransomware variant creates a daily scheduled task and clears Windows event logs through wevtapi.dll. The infrastructure also includes two Let’s Encrypt-protected domains and multiple free Cloudflare Tunnel subdomains.
Mitigation
Defenders should block the known C2 IPs and Cloudflare Tunnel domains at the perimeter. If ConnectWise ScreenConnect is not needed, it should be removed or disabled. Security controls should detect the crypter’s byte pattern and the RC4-encrypted WebSocket handshake prefix 92 01 88 fe. Monitoring should also cover the scheduled task named TaskSystem and any creation of files with the .interlock extension. Least-privilege access controls can further reduce exposure to NTLM credential harvesting and abuse of rundll32.
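The two byte-level indicators above as working checks, added here as an example (this is not code from the report or from the InterLock tooling): a scan for the crypter's decryption-loop bytes in a file image or memory dump, and a check for the handshake prefix in a WebSocket payload. It assumes the prefix sits at the start of the client's first binary payload, so it also unmasks a client-to-server frame: RFC 6455 requires client frames to be masked with a 4-byte key, which means a naive byte match on raw TCP data will miss the prefix. The sample blob and frame are constructed.

```python
"""Byte-level checks for the two InterLock indicators given in the report:
the crypter's decryption-loop bytes and the NodeSnake WebSocket handshake prefix."""
import re
from typing import List, Optional

# Crypter decryption loop, from the report. The bytes decode (x86-64) to
#   48 8b 04 1f  mov rax, [rdi+rbx]
#   48 33 45 f0  xor rax, [rbp-0x10]
#   48 89 04 1e  mov [rsi+rbx], rax
# i.e. an 8-bytes-at-a-time XOR unpacking loop.
CRYPTER_LOOP = bytes.fromhex("488b041f483345f04889041e")

# First bytes of the RC4-protected handshake, from the report. Assumed here to sit at
# the start of the (unmasked) client payload of the first binary WebSocket frame.
HANDSHAKE_PREFIX = bytes.fromhex("920188fe")


def find_crypter_loop(data: bytes) -> List[int]:
    """Offsets of every occurrence of the crypter loop in a file image or memory dump."""
    return [m.start() for m in re.finditer(re.escape(CRYPTER_LOOP), data)]


def unmask_client_frame(frame: bytes) -> Optional[bytes]:
    """Payload of one WebSocket frame (RFC 6455 section 5.2). Client-to-server frames carry a
    4-byte masking key XORed over the payload, so the handshake prefix is not visible in the
    raw bytes on the wire; a detection has to unmask first. Returns None on a truncated frame."""
    if len(frame) < 2:
        return None
    masked = bool(frame[1] & 0x80)
    length = frame[1] & 0x7F
    pos = 2
    if length == 126:
        if len(frame) < 4:
            return None
        length, pos = int.from_bytes(frame[2:4], "big"), 4
    elif length == 127:
        if len(frame) < 10:
            return None
        length, pos = int.from_bytes(frame[2:10], "big"), 10
    if not masked:
        payload = frame[pos:pos + length]
        return payload if len(payload) == length else None
    key = frame[pos:pos + 4]
    payload = frame[pos + 4:pos + 4 + length]
    if len(key) != 4 or len(payload) != length:
        return None
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def is_nodesnake_handshake(payload: bytes) -> bool:
    """True if an (unmasked) payload starts with the handshake prefix."""
    return payload.startswith(HANDSHAKE_PREFIX)


def build_masked_frame(payload: bytes, mask: bytes) -> bytes:
    """Constructed client frame (FIN + binary opcode, masked); used only to make the sample."""
    assert len(payload) < 126 and len(mask) == 4
    header = bytes([0x82, 0x80 | len(payload)])
    return header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


# Constructed samples: a fake binary with the loop at two offsets, and a masked handshake frame.
SAMPLE_BLOB = b"\x90" * 100 + CRYPTER_LOOP + b"\xcc" * 50 + CRYPTER_LOOP
SAMPLE_FRAME = build_masked_frame(HANDSHAKE_PREFIX + b"\x00" * 12, b"\x11\x22\x33\x44")

if __name__ == "__main__":
    print("crypter loop at offsets", find_crypter_loop(SAMPLE_BLOB))
    print("raw (masked) frame matches:", is_nodesnake_handshake(SAMPLE_FRAME))
    print("unmasked payload matches:", is_nodesnake_handshake(unmask_client_frame(SAMPLE_FRAME)))
```

The frame check is only as good as the assumption that the prefix is the first thing the implant sends after the HTTP upgrade; if the TLS-wrapped Cloudflare Tunnel path is used, this check has to run on decrypted traffic (a proxy or an endpoint hook), not on the wire.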
Response
If InterLock is detected, isolate the affected host, preserve the full binary for forensic analysis, and extract the embedded RSA-4096 public key along with the encrypted per-file keys. Where possible, attempt key recovery using the weak rand() plus clock() PRNG if reliable timestamps are available. Remove the TaskSystem persistence task, delete the .interlock artifacts, and restore impacted data from backups. Affected users should be notified, and the double-extortion incident should be reported to law enforcement.
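An added example of the recovery approach described above; it is not InterLock's code, and the report does not reproduce the exact key derivation here. The point it shows: if the per-file key comes from a rand() seeded with a clock value, the effective key space collapses to the seed space, and a defender who can bound the timestamp (file mtime, ransom-note creation time) can walk it with a known-plaintext check on the first block. It assumes the MSVC CRT rand() LCG, one low byte of rand() per key byte, and an XOR stand-in for AES-256-CBC so it runs without a crypto library; the seed, ciphertext and search window are constructed.

```python
"""Seed search against a time-seeded rand()-derived key: why the report says the
InterLock per-file keys may be recoverable. The derivation here is an assumption, not
the ransomware's actual code; the search itself is what transfers."""
from typing import Callable, Iterator, Optional, Tuple

KEY_LEN = 32  # AES-256 key size, as in the report


def msvc_rand(seed: int) -> Iterator[int]:
    """MSVC CRT rand(): state = state*214013 + 2531011 mod 2^32, output = (state >> 16) & 0x7fff."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (state * 214013 + 2531011) & 0xFFFFFFFF
        yield (state >> 16) & 0x7FFF


def derive_key(seed: int) -> bytes:
    """ASSUMED derivation: srand(seed), then one low byte of rand() per key byte.
    Whatever the real mixing, a 32-bit seed caps the key at 2^32 possibilities."""
    gen = msvc_rand(seed)
    return bytes(next(gen) & 0xFF for _ in range(KEY_LEN))


def xor_decrypt(block: bytes, key: bytes) -> bytes:
    """Stand-in for AES-256-CBC so the example runs without a crypto library.
    Swap in the real cipher (and the first-block IV handling) when applying this."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(block))


def recover_seed(first_block: bytes, known_plaintext: bytes, seed_lo: int, seed_hi: int,
                 decrypt: Callable[[bytes, bytes], bytes] = xor_decrypt) -> Optional[Tuple[int, bytes]]:
    """Walk every seed in [seed_lo, seed_hi], regenerate the key, and accept the one whose
    decryption of the first ciphertext block reproduces a known file header."""
    n = len(known_plaintext)
    for seed in range(seed_lo, seed_hi + 1):
        key = derive_key(seed)
        if decrypt(first_block[:n], key) == known_plaintext:
            return seed, key
    return None


# Constructed sample: a PDF encrypted under a key seeded from a Unix timestamp. The defender
# knows the approximate time to within an hour, so the search is 7201 seeds, not 2^256 keys.
ATTACKER_SEED = 1730001234
PDF_HEADER = b"%PDF-1.7\n"
SAMPLE_CIPHERTEXT = xor_decrypt(PDF_HEADER + b"%\xe2\xe3\xcf\xd3\n1 0 obj", derive_key(ATTACKER_SEED))
SEARCH_WINDOW = (ATTACKER_SEED - 3600, ATTACKER_SEED + 3600)

if __name__ == "__main__":
    hit = recover_seed(SAMPLE_CIPHERTEXT, PDF_HEADER, *SEARCH_WINDOW)
    print("recovered:", None if hit is None else (hit[0], hit[1].hex()))
```

A seed taken from clock() (CPU ticks since process start) is smaller still, so a search over plausible tick values is even cheaper; the expensive part in practice is pairing each file with a plaintext header you are sure of (magic bytes of the file type are usually enough).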
Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef tool fill:#ffcc99
  classDef malware fill:#ff9999
  classDef process fill:#cccccc
  classDef operator fill:#ff9900

  %% Initial Access
  initial_access["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b>: Malicious MSI installer delivered"]
  class initial_access action
  msiexec_tool["<b>Tool</b> – <b>Name</b>: Msiexec<br/><b>Technique</b>: T1218.007 System Binary Proxy Execution"]
  class msiexec_tool tool
  screenconnect_client["<b>Malware</b> – <b>Name</b>: ScreenConnect client<br/><b>Purpose</b>: Remote access component"]
  class screenconnect_client malware
  nodesnake_backdoor["<b>Malware</b> – <b>Name</b>: NodeSnake backdoor<br/><b>Capabilities</b>: Interactive Windows shell and one-shot commands"]
  class nodesnake_backdoor malware

  %% Persistence
  persistence_task["<b>Action</b> – <b>T1053.005 Scheduled Task</b>: Scheduled task created"]
  class persistence_task action
  scheduled_task["<b>Process</b> – <b>Name</b>: TaskSystem<br/><b>Schedule</b>: Daily at 20:00"]
  class scheduled_task process
  self_delete["<b>Action</b> – <b>T1070.004 Indicator Removal: File Deletion</b>: Self-deletion after execution"]
  class self_delete action

  %% Credential Access
  credential_access["<b>Action</b> – <b>T1556.008 Modify Authentication Process</b>: NTLM hash harvesting"]
  class credential_access action
  ntlmthief_dll["<b>Tool</b> – <b>Name</b>: NtlmThief DLL<br/><b>Function</b>: Harvest NTLM hashes and force NTLMv1"]
  class ntlmthief_dll tool

  %% Defense Evasion
  defense_evasion["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b>: Payloads packed with custom crypter"]
  class defense_evasion action
  custom_crypter["<b>Tool</b> – <b>Name</b>: Custom Crypter<br/><b>Techniques</b>: XOR, junk code, compile-after-delivery, compression, stripped binaries"]
  class custom_crypter tool

  %% Command and Control
  c2_communication["<b>Action</b> – <b>T1071.001 Application Layer Protocol</b>: WebSocket channel (RC4 encrypted)"]
  class c2_communication action
  websocket_impl["<b>Tool</b> – <b>Name</b>: WebSocket client<br/><b>Features</b>: Dynamic URLs via Cloudflare Tunnel"]
  class websocket_impl tool

  %% Proxy Services
  proxy_service["<b>Action</b> – <b>T1090 Proxy</b>: Internal and multi-hop proxying"]
  class proxy_service action
  cloudflare_tunnel["<b>Tool</b> – <b>Name</b>: Cloudflare Tunnel<br/><b>Purpose</b>: Dynamic resolution of C2 URLs"]
  class cloudflare_tunnel tool
  protocol_tunneling["<b>Action</b> – <b>T1572 Protocol Tunneling</b>: TCP tunnel relays"]
  class protocol_tunneling action

  %% Privilege Escalation / Defense Evasion
  priv_esc["<b>Action</b> – <b>T1055.003 Process Injection</b>: Thread Execution Hijacking"]
  class priv_esc action
  tls_injection["<b>Action</b> – <b>T1055.005 Process Injection</b>: Thread Local Storage injection"]
  class tls_injection action
  process_injection_tool["<b>Tool</b> – <b>Name</b>: Process Injection routine"]
  class process_injection_tool tool

  %% Discovery
  discovery["<b>Action</b> – <b>T1016 System Network Configuration Discovery</b>: Collect system and network info"]
  class discovery action

  %% Collection
  collection["<b>Action</b> – <b>T1560.001 Archive via Utility</b> and <b>T1560.003 Archive via Custom Method</b>: Package exfiltrated data"]
  class collection action

  %% Exfiltration
  exfiltration["<b>Action</b> – <b>T1020 Automated Exfiltration</b> and <b>T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</b>"]
  class exfiltration action

  %% Impact
  impact["<b>Action</b> – <b>T1486 Data Encrypted for Impact</b>: InterLock ransomware encrypts files"]
  class impact action
  ransomware["<b>Malware</b> – <b>Name</b>: InterLock ransomware<br/><b>Encryption</b>: AES-256-CBC and RSA-4096 OAEP<br/><b>Extension</b>: .interlock"]
  class ransomware malware
  ransom_note["<b>Action</b> – <b>T1490 Inhibit System Recovery</b>: Clear event logs and drop ransom note"]
  class ransom_note action
  artifact_cleanup["<b>Action</b> – <b>T1070 Indicator Removal</b>: Delete artifacts and files"]
  class artifact_cleanup action

  %% Connections
  initial_access -->|uses| msiexec_tool
  msiexec_tool -->|installs| screenconnect_client
  screenconnect_client -->|drops| nodesnake_backdoor
  nodesnake_backdoor -->|creates| persistence_task
  persistence_task -->|creates| scheduled_task
  scheduled_task -->|executes| self_delete
  nodesnake_backdoor -->|enables| credential_access
  credential_access -->|uses| ntlmthief_dll
  nodesnake_backdoor -->|obfuscates| defense_evasion
  defense_evasion -->|employs| custom_crypter
  nodesnake_backdoor -->|communicates via| c2_communication
  c2_communication -->|uses| websocket_impl
  websocket_impl -->|routes through| cloudflare_tunnel
  cloudflare_tunnel -->|supports| proxy_service
  proxy_service -->|includes| protocol_tunneling
  nodesnake_backdoor -->|performs| priv_esc
  priv_esc -->|uses| process_injection_tool
  process_injection_tool -->|also performs| tls_injection
  nodesnake_backdoor -->|performs| discovery
  nodesnake_backdoor -->|packages data with| collection
  collection -->|exfiltrates via| exfiltration
  exfiltration -->|delivers payload to| impact
  impact -->|uses| ransomware
  ransomware -->|leaves| ransom_note
  ransom_note -->|triggers| artifact_cleanup
```
Detections
- Suspicious Trycloudflare Domain Communication (via dns)
- Suspicious Execution from Public User Profile (via process_creation)
- Possible Schtasks or AT Usage for Persistence (via cmdline)
- Possible PING Usage for Delay Execution (via cmdline)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- Possible System Enumeration (via cmdline)
- Possible Account or Group Enumeration / Manipulation (via cmdline)
- IOCs (Emails) to detect: InterLock: full tooling teardown of a ransomware operation
- IOCs (SourceIP) to detect: InterLock: full tooling teardown of a ransomware operation
- IOCs (HashSha256) to detect: InterLock: full tooling teardown of a ransomware operation
- IOCs (DestinationIP) to detect: InterLock: full tooling teardown of a ransomware operation
- IOCs (HashMd5) to detect: InterLock: full tooling teardown of a ransomware operation
- NodeSnake WebSocket Handshake and URL Pattern Detection [Windows Network Connection]
- Detect InterLock ELF Variant Using sysconf for CPU Count [Linux Process Creation]
- Detect NodeSnake JS Implant and InterLock DLL Execution Methods [Windows Process Creation]
- Detection of InterLock Ransomware and NodeSnake Command Output Staging [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
The adversary has compromised a low-privileged workstation and is executing a NodeSnake JavaScript implant that performs two actions:
- Privilege-level enumeration: it runs cmd.exe /c net1 session. Listing sessions requires administrative rights, so whether the command succeeds or fails with "Access is denied" tells the implant whether it runs as SYSTEM/administrator or as a regular user.
- DLL-based payload execution: it drops a DLL (evilpayload.dll) into %TEMP% and launches it via rundll32.exe %TEMP%\evilpayload.dll,run %TEMP%\evilpayload.dll. This mimics the InterLock technique of using rundll32 as a loader for a second-stage payload.
Both commands are executed directly so that they produce the exact command-line strings the Sigma rule matches.
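The host-side logic the simulation is meant to trigger, written out as an added Python example over constructed Sysmon-style events; this is not the Sigma rules themselves (they are not reproduced on this page), and the rule names, event fields and sample events are this example's own. It covers the rundll32 loader and the net1 session privilege test from the narrative above, plus the TaskSystem scheduled task, execution from the Public profile and .interlock file creation from the Mitigation section, so the same events can be replayed against all five.

```python
"""Detection logic for the NodeSnake/InterLock host behaviours named on this page, run over
constructed Sysmon-style events. Field and rule names are this example's own."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    kind: str                    # "process" (Sysmon EID 1 style) or "file" (EID 11 style)
    image: str = ""
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""


# Directories a low-privileged user can write to; %TEMP% kept literal for unexpanded command lines.
USER_WRITABLE = re.compile(r"%temp%|\\temp\\|\\users\\public\\|\\programdata\\", re.I)


def rundll32_user_writable_dll(ev: Event) -> bool:
    """rundll32.exe given a DLL from a user-writable path plus an export name
    (the 'rundll32.exe <dll>,run <args>' loader pattern the simulation reproduces)."""
    if ev.kind != "process" or not ev.image.lower().endswith("\\rundll32.exe"):
        return False
    m = re.search(r'([^"\s]+\.dll)"?,(\w+)', ev.command_line, re.I)
    return bool(m and USER_WRITABLE.search(m.group(1)))


def net_session_privilege_check(ev: Event) -> bool:
    """net/net1 session needs admin rights, so its success or failure doubles as a privilege test."""
    return ev.kind == "process" and re.search(r"\bnet1?(\.exe)?\s+session\b", ev.command_line, re.I) is not None


def schtasks_tasksystem(ev: Event) -> bool:
    """schtasks creating the TaskSystem task named in the report."""
    cl = ev.command_line.lower()
    return (ev.kind == "process" and "schtasks" in cl and "/create" in cl
            and re.search(r'/tn\s+"?tasksystem\b', cl) is not None)


def exec_from_public_profile(ev: Event) -> bool:
    """Process image launched from C:\\Users\\Public."""
    return ev.kind == "process" and re.search(r"\\users\\public\\", ev.image, re.I) is not None


def interlock_extension(ev: Event) -> bool:
    """File created with the .interlock extension the ransomware appends."""
    return ev.kind == "file" and ev.target_filename.lower().endswith(".interlock")


RULES: Dict[str, Callable[[Event], bool]] = {
    "net_session_privilege_check": net_session_privilege_check,
    "rundll32_user_writable_dll": rundll32_user_writable_dll,
    "schtasks_tasksystem": schtasks_tasksystem,
    "exec_from_public_profile": exec_from_public_profile,
    "interlock_extension": interlock_extension,
}


def run_rules(events: List[Event]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


TEMP = r"C:\Users\bob\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed telemetry, mirroring the simulation and the report's IOCs
    Event("process", r"C:\Windows\System32\cmd.exe", "cmd.exe /c net1 session", TEMP + r"\node.exe"),
    Event("process", r"C:\Windows\System32\rundll32.exe",
          f"rundll32.exe {TEMP}\\evilpayload.dll,run {TEMP}\\evilpayload.dll"),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn TaskSystem /tr "C:\Users\Public\svc.exe" /sc daily /st 20:00'),
    Event("process", r"C:\Users\Public\update.exe", r"C:\Users\Public\update.exe"),
    Event("file", target_filename=r"C:\Users\bob\Documents\q3.xlsx.interlock"),
    # benign controls: a stock control-panel rundll32 call and a net command that is not 'session'
    Event("process", r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    Event("process", r"C:\Windows\System32\cmd.exe", "cmd.exe /c net use"),
]

if __name__ == "__main__":
    for idx, rule_name in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

These checks see only the command-line path. A task registered through the Task Scheduler API never appears on a schtasks command line, so pair the schtasks rule with Security event 4698 (task created, requires object-access auditing) or Microsoft-Windows-TaskScheduler/Operational event 106, filtered on the task name.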
Regression Test Script:
```powershell
# -------------------------------------------------
# NodeSnake/InterLock Simulation – triggers Sigma rule
# -------------------------------------------------
# 1. Create a dummy malicious DLL (a real binary is not needed for the detection)
$dllPath = "$env:TEMP\evilpayload.dll"
Set-Content -Path $dllPath -Value "MZ" -Encoding ASCII   # Minimal PE header placeholder

# 2. Execute the privilege-enumeration command (exact match)
Write-Host "[*] Running privilege enumeration (cmd.exe /c net1 session)"
cmd.exe /c net1 session

# 3. Execute the rundll32 payload loader (exact match). rundll32 will fail to load the
#    two-byte stub; that is expected, only the process-creation command line matters here.
Write-Host "[*] Launching malicious DLL via rundll32.exe"
rundll32.exe "$dllPath,run $dllPath"

# 4. Pause to allow SIEM ingestion
Start-Sleep -Seconds 10
```
Cleanup Commands:
```powershell
# -------------------------------------------------
# Cleanup for the simulation
# -------------------------------------------------
$dllPath = "$env:TEMP\evilpayload.dll"
if (Test-Path $dllPath) {
    Remove-Item -Path $dllPath -Force
    Write-Host "[+] Removed $dllPath"
} else {
    Write-Host "[-] No DLL found to remove."
}
# Optionally clear the in-session PowerShell history. Note that this does not touch
# PSReadLine's on-disk ConsoleHost_history.txt, which keeps the commands regardless.
Clear-History
```