www.fortinet.com
Open in
urlscan Pro
2a05:d014:f3c:6c01:8589:ad97:29df:f3e
Public Scan
URL:
https://www.fortinet.com/blog/threat-research/ransomware-roundup-interlock
Submission: On January 02 via api from DE — Scanned from DE
Submission: On January 02 via api from DE — Scanned from DE
Form analysis 1 forms found in the DOM
GET /blog/search
<form class="b3-searchbox__form" action="/blog/search" method="get">
<input class="b3-searchbox__input" type="text" name="q" placeholder="Search Blogs">
<button class="b3-searchbox__icon" aria-label="Search" type="submit">
<svg viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg">
<path
d="M15.688 14.18l-4.075-4.075C12.36 9.06 12.8 7.78 12.8 6.4 12.8 2.87 9.93 0 6.4 0 2.87 0 0 2.87 0 6.4c0 3.53 2.87 6.4 6.4 6.4 1.38 0 2.66-.44 3.705-1.187l4.075 4.075c.207.208.48.312.753.312.274 0 .547-.104.755-.312.416-.417.416-1.093 0-1.51zM2.133 6.4c0-2.357 1.91-4.267 4.267-4.267s4.267 1.91 4.267 4.267-1.91 4.267-4.267 4.267S2.133 8.757 2.133 6.4z"
fill="#fff">
</path>
</svg>
</button>
</form>Text Content
Blog * Categories * Business & Technology * FortiGuard Labs Threat Research * Industry Trends * Life at Fortinet * Partners * Customer Stories * PSIRT Blogs * Business & Technology * FortiGuard Labs Threat Research * Industry Trends * Life at Fortinet * Partners * Customer Stories * PSIRT Blogs * CISO Collective * Subscribe FortiGuard Labs Threat Research RANSOMWARE ROUNDUP - INTERLOCK By Shunichi Imano and Fred Gutierrez | November 29, 2024 * Article Contents * Interlock Ransomware Overview Infection VectorAttack MethodVictimologyData Leak Site * Fortinet Protections * IOCs * FortiGuard Labs Guidance Best Practices Include Not Paying a Ransom * How Fortinet Can Help By Shunichi Imano and Fred Gutierrez | November 29, 2024 FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the Interlock ransomware. Affected platforms: Microsoft Windows, FreeBSD Impacted parties: Microsoft Windows and FreeBSD users Impact: Encrypts victims' files and demands ransom for file decryption Severity level: High INTERLOCK RANSOMWARE OVERVIEW Interlock is a new ransomware variant that was first submitted to a publicly available file-scanning site in early October 2024. This could indicate that the ransomware emerged as early as September or even earlier. The Interlock ransomware comes in Windows and FreeBSD versions. It encrypts files on victims' machines and demands a ransom to decrypt them via dropped ransom notes. Figure 1: Login screen of the Interlock ransomware’s negotiation site Figure 2: Interlock ransomware’s ransom negotiation page INFECTION VECTOR While the initial infection vector of the Interlock ransomware has not been identified, researcher Sina Kheirkhah (@SinSinology) reported that a previously unknown backdoor was found on a victim’s machine. It is possible that the ransomware was deployed through this backdoor. ATTACK METHOD WINDOWS VERSION OF INTERLOCK RANSOMWARE The Windows version of the ransomware claims to support the following versions of Windows: * Windows Vista * Windows 7 * Windows 8 * Windows 8.1 * Windows 10 The Interlock ransomware takes the following parameters on execution: * -d, --directory * -f, --file * -del, --delete * -s, --system Once executed, the Interlock ransomware encrypts files on victims’ machines and drops a ransom note labeled “!__README__!.txt”. Figure 3: The Interlock ransomware’s ransom note Files encrypted by the Interlock ransomware will have a “.interlock” file extension. Figure 4: Files encrypted by the Interlock ransomware The ransomware is designed to exclude the following files and filetypes from file encryption: .bat .bin .cab .cmd .com .cur .diagcab .diagcfg .diagpkg .drv .hlp .hta .ico .msi .ocx .psm1 .scr .sys .ini Thumbs.db .url .dll .exe .ps1 It also excludes the following folders from file encryption: $Recycle.Bin Boot Documents and Settings PerfLogs ProgramData Recovery System Volume Information Windows It also creates a scheduled task named "TaskSystem": schtasks /create /sc DAILY /tn "TaskSystem" /tr "cmd /C cd %s && %s" /st 20:00 /ru system > nul The above script creates a new scheduled task, TaskSystem, that runs every day at 20:00 using the System account. FREEBSD VERSION OF THE INTERLOCK RANSOMWARE The FreeBSD version of the ransomware takes parameters on execution: * -d, --directory * -f, --file * -del, --delete * -s, --system Once the ransomware is executed, it encrypts files on victims' machines using the AES-CBC encryption algorithm and adds an ".interlock" extension to the encrypted files. The ransomware then leaves a text file containing the same ransom note as the Windows version. The FreeBSD version of the Interlock ransomware skips files with an “.interlock” extension from file encryption. It also excludes the following directories from file encryption: /bin /boot /cdrom /dev /etc /home /lib /lib32 /lib64 /libx32 /lost+found /media /mnt /opt /proc /run /root /sbin /snap /srv /sys /tmp /usr /var It also avoids encrypting the following file: * boot.cfg VICTIMOLOGY At the time of our investigation, the Interlock ransomware data leak site listed six victims. Five of those were in the United States, and the other was in Italy. However, submission data to the publicly available scanning service potentially shows even broader victim locations. Interlock ransomware samples have been submitted from India, Italy, Japan, Germany, Peru, South Korea, Turkey, and the United States. The victims are in the education, finance, government, healthcare, and manufacturing sectors, indicating that the Interlock ransomware does not have a policy to avoid targeting essential businesses and organizations, as some other ransomware groups have. Figure 5: A list of the Interlock ransomware victims on the data leak site Each victim has its own page describing the victim’s organization and lists stolen and leaked files. Figure 6: A victim’s page on the Interlock ransomware’s TOR site DATA LEAK SITE The Interlock ransomware runs its data leak site on TOR, which is divided into the following four sections: * Home * About – contains an FAQ * DATA LEAK – includes a list of victims * Help – includes contact information Figure 7: Top page of the Interlock ransomware’s TOR site Figure 8: “About Us” on the Interlock ransomware’s TOR site Figure 9: “Help” page on the Interlock ransomware’s TOR site FORTINET PROTECTIONS The Interlock ransomware described in this report is detected and blocked by FortiGuard Antivirus as: * W32/Kryptik.HXUY!tr.ransom * Linux/Filecoder_InterLock.A!tr * W64/GenKryptik.HCFC!tr * W64/Filecoder_Rhysida.D!tr * W32/PossibleThreat FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each solution, so customers with these products have up-to-date protection. IOCS Interlock Ransomware File IOCs SHA2 Note a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642 Interlock ransomware (Windows version) 28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f Interlock ransomware (FreeBSD version) e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1 f00a7652ad70ddb6871eeef5ece097e2cf68f3d9a6b7acfbffd33f82558ab50e IOCs of the backdoor malware reported by Sina Kheirkhah (@SinSinology) SHA2 Note e9ff4d40aeec2ff9d2886c7e7aea7634d8997a14ca3740645fd3101808cc187b Backdoor malware allegedly found on the Interock ransomware victim’s machine 7d750012afc9f680615fe3a23505f13ab738beef50cd92ebc864755af0775193 6933141fbdcdcaa9e92d6586dd549ac1cb21583ba9a27aa23cf133ecfdf36ddf FORTIGUARD LABS GUIDANCE It is vital to keep all AV and IPS signatures up to date due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and unwanted destruction or release of personally identifiable information (PII). Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats: The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance against phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks. Our FREE Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end users learn about today's threat landscape and will introduce basic cybersecurity concepts and technology. Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack. As part of the industry's leading fully integrated Security Fabric, Fortinet delivers native synergy and automation across your security ecosystem. It also provides an extensive portfolio of technology- and human-based as-a-service offerings powered by our global FortiGuard team of seasoned cybersecurity experts. FortiRecon is a SaaS-based Digital Risk Prevention Service backed by cybersecurity experts. It provides unrivaled threat intelligence on the latest threat actor activity across the dark web, enabling a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress, allowing customers to respond rapidly to and shut down active threats. BEST PRACTICES INCLUDE NOT PAYING A RANSOM Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3). HOW FORTINET CAN HELP FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises). Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation. Tags: Ransomware Roundup RELATED POSTS FortiGuard Labs Threat Research RANSOMWARE ROUNDUP – RA WORLD FortiGuard Labs Threat Research RANSOMWARE ROUNDUP - KAGENOHITOBITO AND DONEX FortiGuard Labs Threat Research RANSOMWARE ROUNDUP: LOCKBIT, BLUESKY, AND MORE * * * * * * NEWS & ARTICLES * News Releases * News Articles SECURITY RESEARCH * Threat Research * FortiGuard Labs * Threat Map * Ransomware Prevention CONNECT WITH US * Fortinet Community * Partner Portal * Investor Relations * Product Certifications COMPANY * About Us * Exec Mgmt * Careers * Training * Events * Industry Awards * Social Responsibility * CyberGlossary * Sitemap * Blog Sitemap CONTACT US * (866) 868-3678 Copyright © 2024 Fortinet, Inc. All Rights Reserved Terms of Services Privacy Policy | Cookie Settings Also of Interest: * Leader in Gartner Magic Quadrant for SD-WAN * Life at Fortinet * FortiGuard Labs Threat Research COOKIE SETTINGS By clicking "Accept All", you are consenting to the use of cookies on your device to enhance site functionality, analyze site usage, and assist in our marketing efforts. This includes the use of cookies and similar technologies to show you personalized advertising on other websites through our partners. To accept only necessary cookies, select “Reject All.” You can visit the Cookie Settings link, which contains details on specific cookies, categories, and preference options. Your choice will apply only to your current browser/device. Please also see our Privacy Policy for more information on how we process personal data.privacy policy Reject All Accept All Cookie Settings COOKIE PREFERENCE CENTER * YOUR PRIVACY * STRICTLY NECESSARY COOKIES * PERFORMANCE COOKIES * FUNCTIONAL COOKIES * ADVERTISING COOKIES YOUR PRIVACY A website may store or retrieve certain information about your browser by using cookies. Cookies store information about how a visitor interacts with a website. The information may be about you, your preferences, your browser, or may be used just to make the website function. We allow certain advertising and analytics partners to collect information from our site through cookies and similar technologies to deliver ads which are more relevant to you, and assist us with advertising-related analytics (e.g., measuring ad performance, optimizing our ad campaigns). This may be considered "selling" or "sharing” / disclosure for targeted online advertising under certain laws. To opt out of these activities, move the toggles for "Performance" and "Advertising" to the left and press "Confirm My Choices." You can also click on the different category headings if you would like to read more about the cookies that we use, and adjust your preferences. Please note that your choice will apply only to your current browser/device. You can choose not to allow some types of cookies; however, please note that blocking some categories of cookies may impact your experience of the site. You can visit our Privacy Policy for more information. privacy policy STRICTLY NECESSARY COOKIES Always Active These cookies are necessary for the basic functionality of the website. The website would not work without these cookies, so they cannot be switched off in our systems. You can set your browser to block or alert you about these cookies, but some parts of the site will not work. PERFORMANCE COOKIES Performance Cookies These cookies help us collect certain data, such as count visits and traffic sources, so that we can measure the performance of our site, improve the content, and build better features that enhance your experience. They help us to know which pages are the most and least popular and see how visitors move around the site. They also allow us to measure the effectiveness of our ads on other sites. FUNCTIONAL COOKIES Functional Cookies These cookies allow our website to remember your preferences and choices made on the website, such as region and language, which help us provide enhanced functionality and personalization. These cookies may be set by us or by third party providers whose services we have added to our pages. If you disable these cookies, then some or all of these features may not function properly. ADVERTISING COOKIES Advertising Cookies These cookies may be set through our website by our advertising partners, and use information uniquely identifying your browser and internet device to build a profile of your interests and show you relevant ads on other websites. If you disable these cookies, you will experience less targeted advertising. Back Button COOKIE LIST Filter Button Consent Leg.Interest checkbox label label checkbox label label checkbox label label Clear checkbox label label Apply Cancel Confirm My Choices Allow All