A new ransomware actor known as INTERLOCK has recently entered the cyber threat arena, launching attacks on organizations across the world with a unique encryptor specifically designed for FreeBSD servers, that is, systems running FreeBSD, an open-source Unix-like operating system derived from the Berkeley Software Distribution (BSD).
This ransomware utilizes a double-extortion strategy, mirroring the approach taken by Akira and LockBit, where victims are pressured not only through data encryption but also by the threat of data theft.
INTERLOCK initiates command-and-control (C2) activities through a scheduled task across an anonymized network, contributing to its stealth and sophistication.
Modus Operandi
Overview of Interlock's ransomware operations:
Interlock ransomware employs common system processes to execute its malicious activities, particularly utilizing rundll32.exe to load DLL files and carry out commands. Here are some notable examples of how this is done:
Loading Malicious DLLs:
- rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ffbfc130000.conhost2.dll
- rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll
This method is a hallmark of Interlock’s approach: detection signatures flag rundll32.exe when it initiates unexpected network requests. Such activity, particularly connections to command-and-control (C2) servers, serves as a critical indicator of compromise (IoC).
Communication with Command-and-Control Servers
The ransomware establishes communication with its command-and-control server, notably using the IP address 150[.]171[.]27[.]10 over HTTPS (TLS-encrypted). This encrypted communication poses challenges for conventional network monitoring tools, effectively obscuring the ransomware’s operations and activities.
Attack Mechanism
During an attack, Interlock infiltrates corporate networks, exfiltrating sensitive data from servers and spreading laterally to connected devices. Following the data breach, the ransomware is activated to encrypt files across the network.
Key Features of the Attack
Event Log Manipulation: The Windows encryptor is programmed to erase Windows event logs to eliminate traces of the attack.
Self-Deletion: If enabled, the ransomware can use a DLL via rundll32.exe to delete its main binary after executing its primary functions.
File Encryption: Encrypted files receive the .interlock extension, and a ransom note titled !__README__!.txt is created in every directory, detailing the victim's situation and outlining demands.
Ransom Note and Negotiation Process
The ransom note warns victims against taking certain actions, such as modifying files or using recovery tools, as these could lead to irreversible data loss.
Key Points from the Ransom Note:
Unique Identification: Each victim is assigned a "Company ID," essential for registration on the threat actor's Tor negotiation platform.
Threats and Consequences: The note specifies that if demands are not met within 96 hours, the stolen data will be leaked to competitors, regulators, and the public, potentially causing severe financial and reputational harm.
Communication Channel: The negotiation site includes a chat system that allows direct communication between victims and the threat actors, mimicking many modern ransomware operations.
MITRE ATT&CK TACTICS AND TECHNIQUES
Detecting Interlock Ransomware
One effective method to detect Interlock ransomware involves using YARA rules, which can pinpoint specific Executable and Linkable Format (ELF) binaries by analyzing their internal structure. The YARA rule crafted for identifying Interlock’s ELF binary leverages a combination of distinctive string patterns and specific file size criteria.
Key Characteristics of the YARA Rule:
In the fight against Interlock ransomware, a well-crafted YARA rule plays a pivotal role. One of its most notable features is its emphasis on specific string patterns. By targeting terms such as cipher_descriptor, __vdso_clock_gettime, and sysctlbyname, the rule can identify key functions related to cryptography and system management that malware commonly relies on.
Moreover, the rule imposes specific file size constraints, requiring binaries to fall within the 710KB to 868KB range. This characteristic aligns with the typical profile of Interlock's ELF binary, significantly minimizing the occurrence of false positives.
Finally, the rule’s activation conditions further enhance its precision. It only triggers when all specified strings are detected within a file, ensuring accurate identification based on the malware's internal structure. This method presents a distinct advantage over conventional detection techniques that may rely on easily altered data such as IP addresses or file hashes. Through this strategic approach, the YARA rule bolsters defenses against the evolving threat of Interlock ransomware.
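The rule as the passage describes it, reconstructed here as an added example rather than the original published signature: the rule name, meta field and string modifiers are assumptions, and the ELF magic check is added so the size and string tests apply only to ELF files.

```yara
// Added example: reconstruction from the written description above, not the
// original published rule. Rule name, meta and string modifiers are assumed.
rule Interlock_FreeBSD_ELF_Encryptor
{
    meta:
        description = "Interlock ransomware FreeBSD ELF encryptor (reconstructed from public description)"

    strings:
        // Symbol names the write-up singles out: crypto and system-management routines
        $s_cipher = "cipher_descriptor" ascii
        $s_vdso   = "__vdso_clock_gettime" ascii
        $s_sysctl = "sysctlbyname" ascii

    condition:
        // Bytes 0x7f 'E' 'L' 'F' read as a little-endian uint32: ELF files only
        uint32(0) == 0x464c457f
        // Size window given for the encryptor (bounds assumed inclusive). The
        // symbol names alone are ordinary libc exports in a statically linked
        // FreeBSD binary, so this window does most of the narrowing.
        and filesize >= 710KB and filesize <= 868KB
        // Every string must be present, not just any one of them
        and all of them
}
```

Run it with `yara -r` over a sample directory and expect hits only on ELF files inside the size window that carry all three symbols; a match on a legitimate statically linked FreeBSD binary of similar size is possible and is the reason the rule should feed triage rather than automatic blocking.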
Safeguarding against Interlock ransomware
To effectively combat ransomware threats, organizations must prioritize regular system updates, particularly for those operating in virtual environments. Keeping systems up to date is essential for addressing known vulnerabilities that could be exploited by attackers.
In addition to system maintenance, implementing multifactor authentication (MFA) and robust access controls is critical for securing access to vital systems. This strategy significantly minimizes the risk of unauthorized access.
Another important aspect of ransomware defense is establishing a consistent backup routine. Ensuring that backups are stored offline helps protect them from being encrypted or deleted by malicious actors during an attack.
Finally, organizations should deploy Endpoint Detection and Response (EDR) solutions to continuously monitor their environments for any suspicious activities. By being vigilant about unusual process executions and abnormal network traffic patterns, companies can detect potential threats early and respond effectively.
Indicators of Compromise (IoCs)
Conclusion
Interlock ransomware’s emergence underscores the vital need for robust cybersecurity defenses. By specifically targeting virtual environments in fields such as healthcare, it has proven to be a significant threat. The combination of its advanced tactics and the principle of "accountability through exploitation" intensifies the risks for organizations globally. This reality stresses the necessity for organizations to adopt proactive cybersecurity strategies and remain alert to counter such sophisticated threats effectively.