From Fake Updates to Data Exfiltration: Inside Interlock Ransomware’s Operations

Interlock ransomware attack
Image: Cisco Talos

Cisco Talos Incident Response (Talos IR) has recently unveiled a concerning new threat in the cybersecurity landscape: Interlock ransomware. This attack, which Talos categorizes as “big-game hunting,” leverages both sophisticated tools and techniques to carry out double extortion attacks. According to the report, the threat actor behind Interlock utilizes a blend of credential theft, keylogging, and lateral movement tactics across compromised networks, posing a heightened risk to organizations across industries.

Talos IR’s investigation reveals the elaborate setup of Interlock’s attack chain. The initial compromise begins when victims unknowingly download a Remote Access Tool (RAT) disguised as a legitimate browser update. As Talos details, “The attacker gained access to the victim machine via a fake Google Chrome browser updater executable,” which deployed multiple malicious components, including PowerShell scripts, credential-stealing malware, and keylogging capabilities. This RAT then initiates the ransomware encryptor binary deployment, transforming a seemingly harmless update into a critical security breach.

The timeline of the attacker’s operations demonstrates both patience and strategic timing, with Talos estimating a 17-day dwell time from initial compromise to the deployment of ransomware. Such extended periods within victim environments increase the attacker’s ability to exfiltrate data and disrupt systems efficiently.

Once inside the victim’s network, Interlock’s operators demonstrate a deep understanding of lateral movement. Primarily using Remote Desktop Protocol (RDP) and tools like AnyDesk and PuTTY, the attacker manages to move between systems with ease. As Talos observes, “The attacker primarily used RDP to move laterally within the victim’s network, as well as other tools such as AnyDesk and PuTTY.” This maneuvering facilitates access to critical resources and valuable data, often stored on segmented parts of the network.

Data exfiltration is another critical phase in Interlock’s methodology. The report indicates that the attacker relied on Azure Storage Explorer, utilizing AZCopy to siphon data into an attacker-controlled Azure storage blob. Talos IR points out, “The attacker executed storage-explorer and AzCopy to upload the data to the Azure storage blob,” leveraging a tactic reminiscent of previous ransomware threats such as Rhysida. The ransomware operators then use the stolen data as leverage, threatening to release it publicly if the ransom demands are not met, a technique that combines the traditional financial motivations of ransomware with data privacy threats.

In analyzing Interlock, Talos has noted distinct similarities between its operations and the Rhysida ransomware family. The resemblance, found in both code and behavioral tactics, hints at a potential affiliation between the two groups. “Talos assesses with low confidence that Interlock ransomware is likely a new diversified group that emerged from Rhysida ransomware operators or developers,” the report states, highlighting shared tactics such as the use of AZCopy and similarities in the exclusion list within the encryptor binary.

True to its double extortion approach, Interlock not only encrypts files but also demands ransom through an interactive interface, where victims are warned not to tamper with the infected system. The ransom note, which threatens to publish the victim’s data on a leak site called “Worldwide Secrets Blog,” is meant to induce both financial and reputational damage to encourage payment. Talos IR found that Interlock provides chat support and even an email contact at “interlock@2mail[.]co,” creating a structured and intimidating negotiation process for its victims.

Related Posts: