Interlock ransomware is an emerging cyber threat that first surfaced in September 2024, quickly gaining notoriety for its focus on virtual environments. By specifically targeting VMware’s ESXi hypervisors, the group effectively disrupts critical systems by encrypting virtual disk files (VMDKs) and modifying root passwords on ESXi hosts, leaving physical servers and workstations unaffected. These attacks are not random but rather highly targeted, particularly against organisations within the healthcare sector, where downtime can have life-altering consequences.
Attack Techniques and Key Tactics
Interlock's operations begin by exploiting vulnerabilities in virtual environments, allowing the group to gain initial access to systems. Once inside, they establish command-and-control (C2) via a scheduled task, communicating through a reverse shell over an anonymised network. During the attack, tools such as AnyDesk for remote access and WinSCP for data exfiltration are commonly used. The attackers delete local backups to hinder recovery and encrypt VMDK files, rendering systems inoperable.
Interlock’s execution method leverages signed-binary proxy execution, such as Rundll32, to load malicious DLLs and maintain persistence. The malware also communicates with its C2 server using encrypted HTTPS traffic, making detection through standard monitoring tools difficult. This makes Interlock particularly dangerous for organisations that rely heavily on virtualised environments.
Sample of the Ransom Note
The ransom note left by Interlock ransomware is direct and intimidating, demanding payment in cryptocurrency in exchange for a decryption key. The note emphasises that all critical files have been encrypted and threatens to leak sensitive data if the ransom is not paid. Here’s an excerpt from a typical ransom note:
"All your important data has been encrypted. We have also exfiltrated sensitive files from your network. If you wish to restore access to your data, you must pay in Bitcoin to the provided address. Failure to comply will result in the public release of your confidential information."
The note often includes contact details via a Tor-based site for further negotiation, showcasing Interlock's familiarity with dark web protocols. The tone of the note is both threatening and urgent, aiming to coerce victims into swift compliance.
[Image: Interlock Dark Web Portal]
MITRE ATT&CK Techniques Employed
Interlock ransomware uses several techniques that align with the MITRE ATT&CK framework, including:
• T1496 (Resource Hijacking): Compromising virtual environments to control critical system resources, especially VMs.
• T1562.001 (Impair Defenses): Deleting local backups and altering security configurations to prevent recovery.
• T1218.011 (Signed Binary Proxy Execution): Utilising trusted processes like Rundll32 for executing malicious code.
Protecting Against Interlock
Given its sophisticated approach, defending against Interlock requires a multi-layered cyber security strategy. Best practices include regular patch management to close vulnerabilities in virtual environments, enforcing strong access controls, using multifactor authentication (MFA), and ensuring offline backups. Deploying Endpoint Detection and Response (EDR) tools can help identify unusual behaviour, such as the execution of malicious DLLs or suspicious network activity.
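As an added illustration of the EDR-style checks mentioned above (not code from the original article or from any vendor), the script below scans constructed, pipe-delimited process-creation records for the two behaviours this post describes: Rundll32 loading a DLL from outside the Windows system directories (T1218.011) and a scheduled task being created with a loader or script as its action. Host names, paths and the log format are assumptions made for the example.

```python
"""Detection sketch for Rundll32 DLL proxy execution and scheduled-task
persistence. The records below are constructed samples, not real telemetry,
in the assumed shape: host|image path|command line."""
import re
from typing import List, Optional, Tuple

# Directories from which rundll32 normally loads DLLs; anything else is flagged.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed tokens in a task action that suggest a loader rather than a normal job.
SUSPICIOUS_TASK_TOKENS = ("rundll32", "powershell", "cmd.exe /c", "regsvr32")

def rundll32_alert(image: str, cmd: str) -> Optional[str]:
    """Flag rundll32 loading a DLL that is not in a Windows system directory."""
    if not image.endswith("rundll32.exe"):
        return None
    m = re.search(r"([a-z]:\\[^\s,']+\.dll)", cmd)
    if m and not m.group(1).startswith(TRUSTED_DLL_DIRS):
        return f"T1218.011 rundll32 loading {m.group(1)}"
    return None

def schtasks_alert(image: str, cmd: str) -> Optional[str]:
    """Flag schtasks /create whose action looks like a script or DLL loader."""
    if image.endswith("schtasks.exe") and "/create" in cmd:
        if any(tok in cmd for tok in SUSPICIOUS_TASK_TOKENS):
            return "scheduled task persistence with loader payload"
    return None

def scan(records: List[str]) -> List[Tuple[str, str]]:
    """Return (host, message) for every record that trips a check."""
    alerts = []
    for rec in records:
        host, image, cmd = rec.split("|", 2)
        image, cmd = image.lower(), cmd.lower()
        for check in (rundll32_alert, schtasks_alert):
            msg = check(image, cmd)
            if msg:
                alerts.append((host, msg))
    return alerts

# Constructed sample records: one benign rundll32 call, one suspicious DLL load,
# one task creation pointing at that loader, and one unrelated process.
SAMPLE_RECORDS = [
    r"ws01|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"ws01|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Users\Public\update.dll,Start",
    r"srv02|C:\Windows\System32\schtasks.exe|schtasks.exe /create /sc minute /mo 30 /tn Updater /tr 'rundll32.exe C:\Users\Public\update.dll,Start'",
    r"srv02|C:\Windows\System32\notepad.exe|notepad.exe",
]

if __name__ == "__main__":
    for host, msg in scan(SAMPLE_RECORDS):
        print(f"{host}: {msg}")
```

Real deployments would tune the trusted-directory list per image baseline and correlate the task action with the DLL path flagged on the same host.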
To Sum Up
Interlock ransomware poses a significant threat to industries relying on virtualised environments, particularly healthcare. Its combination of sophisticated techniques and aggressive ransom demands highlights the growing complexity of modern ransomware attacks. Organisations must remain vigilant, ensuring they implement comprehensive cyber security measures to protect against this and other emerging threats.