Growing Threat of Interlock Ransomware: A Crucial Advisory
The FBI, along with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), has recently issued a critical alert about Interlock ransomware, highlighting the increasing risks associated with this malicious software. Emerging in late September 2024, Interlock has swiftly garnered attention from cybersecurity experts as it has been linked to multiple attacks on various sectors.
Current Victim Count and Trends
While the advisory doesn’t specify the total number of victims affected, researchers from Cyble have identified at least 50 organizations that have been compromised by Interlock. Notably, in June alone, the group reportedly attacked 13 victims, which marks a significant surge, nearly doubling its previous monthly record. This spike underscores the urgent need for awareness and vigilance, as outlined by the federal advisory.
Targeted Sectors and Operating Systems
Interlock ransomware has predominantly focused on businesses and critical infrastructure within North America and Europe. The FBI and CISA indicate that the attackers are motivated by financial gain, specifically targeting vulnerabilities in various systems. Interestingly, Interlock’s encryptors are capable of affecting both Windows and Linux operating systems, with a particular emphasis on virtual machines (VMs). The use of compromised legitimate websites for drive-by downloads is a notable method of initial access that has not been commonly reported among other ransomware groups.
Potential Expansion of Targets
While current attacks have largely focused on VMs, there is growing concern that the Interlock group may broaden its scope to include hosts, workstations, and physical servers. To mitigate this evolving threat, the advisory advocates for the implementation of robust endpoint detection and response (EDR) tools.
Understanding Interlock’s Tactics and Techniques
The tactics employed by the Interlock ransomware actors are both sophisticated and varied. One prominent method of gaining initial access involves tricking victims into downloading fake updates for browsers like Google Chrome and Microsoft Edge. More recently, these attempts have shifted towards creating executable files that masquerade as updates for widely used security software.
Once installed, these malicious executables function as remote access trojans (RATs), using PowerShell scripts to establish persistence on the system. The RAT can then execute commands to gather information from infected machines, with tools such as Cobalt Strike and SystemBC used for command and control.
Credential Harvesting and Lateral Movement
In their operations, Interlock actors are known to download various credential-stealing tools and keyloggers. The harvested credentials allow them to move laterally within networks. They often use Remote Desktop Protocol (RDP) to move between systems and have also been documented using remote connectivity tools such as AnyDesk, as well as PuTTY, for lateral movement. Compromising domain administrator accounts through techniques like Kerberoasting has become a concerning trend among these attackers.
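One defensive check that follows from the Kerberoasting point above, as an added example that is not part of the advisory: Kerberoasting typically shows up in Windows Security Event 4769 as a single user requesting RC4-encrypted service tickets for many distinct service accounts in a short burst. The script assumes the events have already been parsed into dicts with the real 4769 field names; the sample records, the five-minute window and the three-SPN threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of parsed Windows Security Event 4769 records (real field
# names, invented values). "jdoe" requests RC4 tickets for three service accounts
# within seconds; "alice" requests AES tickets hours apart, which is normal use.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2025-07-01T09:00:01", "TargetUserName": "jdoe@CORP",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2025-07-01T09:00:02", "TargetUserName": "jdoe@CORP",
     "ServiceName": "svc_http", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2025-07-01T09:00:03", "TargetUserName": "jdoe@CORP",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2025-07-01T09:00:04", "TargetUserName": "jdoe@CORP",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TimeCreated": "2025-07-01T09:05:00", "TargetUserName": "alice@CORP",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TimeCreated": "2025-07-01T11:00:00", "TargetUserName": "alice@CORP",
     "ServiceName": "svc_http", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
]

RC4_HMAC = "0x17"  # AES ticket types are 0x11 / 0x12; roasting tools prefer RC4

def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=3):
    """Return [(user, ip, [spn, ...])] for each user/IP pair that requested RC4
    service tickets for at least min_spns distinct SPNs inside one time window."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        if e["ServiceName"].endswith("$") or e["ServiceName"].lower() == "krbtgt":
            continue  # computer accounts and the TGS itself are routine RC4 noise
        by_source[(e["TargetUserName"], e["IpAddress"])].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    hits = []
    for (user, ip), reqs in by_source.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(spns) >= min_spns:
                hits.append((user, ip, sorted(spns)))
                break  # one alert per source is enough
    return hits

if __name__ == "__main__":
    for user, ip, spns in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"possible Kerberoasting: {user} from {ip} requested {spns}")
```

Tune the window and threshold to the environment: service accounts that legitimately still use RC4 will generate a baseline of 0x17 tickets, and the alert is the burst of distinct SPNs from one source, not any single RC4 request.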
Best Practices for Defending Against Interlock Ransomware
To combat the risk posed by Interlock ransomware, the advisory outlines several key cybersecurity strategies that organizations should adopt:
- DNS Filtering: Implement DNS filtering to restrict access to harmful sites and applications.
- Web Access Firewalls: Employ firewalls that prevent unauthorized command injections from suspicious domains.
- Data Backup: Ensure multiple copies of critical data are securely stored in physically separate locations.
- Multi-Factor Authentication: Adhere to NIST password guidelines and enforce multi-factor authentication for added security.
- Software Updates: Regularly update operating systems and software, focusing on known vulnerabilities in internet-facing systems.
- Network Segmentation: Divide networks to minimize lateral movement and potential ransomware spread.
- Active Monitoring: Use network monitoring tools and EDR systems to catch suspicious activity.
- Account Review: Routinely check for new or unfamiliar accounts across critical systems and apply least privilege principles.
- Port Management: Disable unused ports, and disable hyperlinks in received emails, to reduce risk.
- Command Line Restrictions: Limit command line and scripting abilities to deter potential threats.
- Offline Backups: Keep offline, encrypted backups of data, ensuring they encompass the full spectrum of the organization’s data needs.
With the threat of Interlock ransomware rising, a proactive approach to cybersecurity is essential for organizations seeking to protect their assets and information.