Meet Interlock — The new ransomware targeting FreeBSD servers

November 3, 2024 at 04:16PM

Interlock is a new ransomware operation targeting FreeBSD servers, launched in September 2024. It has attacked six organizations, with data leaks occurring after ransom demands were ignored. The Windows encryptor operates effectively, while challenges persist with the FreeBSD version. Ransom demands range from hundreds of thousands to millions.

**Meeting Takeaways: Interlock Ransomware Overview**

**1. Introduction to Interlock:**
– Interlock, a new ransomware operation, emerged in late September 2024.
– Targets organizations globally and, unusually, ships an encryptor built specifically for FreeBSD servers.

**2. Recent Attacks:**
– Claims of attacks on six organizations reported.
– Notable victim: Wayne County, Michigan, fell victim to a cyberattack in early October 2024.
– Data from victims is published on a data leak site if the ransom is not paid.

**3. Technical Findings:**
– Backdoor identified by incident responder Simo; early indicators emerged in October.
– Cybersecurity researcher MalwareHunterTeam uncovered a Linux ELF encryptor for Interlock.
– BleepingComputer attempted to test the FreeBSD encryptor but encountered execution issues.
– Interlock’s FreeBSD encryptor is notably rare compared to typical Linux encryptors, with previous similar instances linked to the defunct Hive operation.

**4. Characteristics of the Ransomware:**
– Trend Micro reported the discovery of additional samples, emphasizing the FreeBSD encryptor’s targeting of critical infrastructure.
– The Windows version of the encryptor functions effectively, manipulating event logs and employing self-deletion features.
– Files encrypted by Interlock receive a .interlock extension, along with a ransom note named !__README__!.txt.
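
The two file-level indicators listed above (the `.interlock` extension and the `!__README__!.txt` ransom note) are easy to sweep for during triage. The following is an added example, not code from the article or from any of the researchers it cites: a small Python walk over a directory tree that reports encrypted files and ransom notes and the directories they sit in. The sample tree built by `build_sample_tree()` is constructed for the demonstration; point `summarize()` at a real mount point (for example `/usr/home` on a FreeBSD host) to use it.

```python
"""
Added example (not from the original article): a filesystem sweep for the two
file-level Interlock indicators named in the summary, the ".interlock" suffix
and the "!__README__!.txt" ransom note. The sample tree is constructed here
purely to exercise the sweep.
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".interlock"      # extension appended to encrypted files
RANSOM_NOTE_NAME = "!__README__!.txt"  # ransom note dropped alongside them


def sweep(root):
    """Walk `root` and return (encrypted_files, ransom_notes) as sorted path lists."""
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                notes.append(full)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(full)
    return sorted(encrypted), sorted(notes)


def summarize(root):
    """Return counts, the directories touched, and a single suspicious flag."""
    encrypted, notes = sweep(root)
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "affected_dirs": sorted({os.path.dirname(p) for p in encrypted + notes}),
        "suspicious": bool(encrypted or notes),
    }


def build_sample_tree():
    """Constructed sample: one clean directory and one mimicking a post-encryption state."""
    root = tempfile.mkdtemp(prefix="interlock_demo_")
    clean = Path(root, "var", "www")
    clean.mkdir(parents=True)
    (clean / "index.html").write_text("<html></html>")
    hit = Path(root, "home", "svc")
    hit.mkdir(parents=True)
    (hit / "report.pdf.interlock").write_bytes(b"\x00" * 16)   # placeholder ciphertext
    (hit / "db.sqlite.interlock").write_bytes(b"\x00" * 16)    # placeholder ciphertext
    (hit / RANSOM_NOTE_NAME).write_text("constructed placeholder note")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(summarize(demo_root))
```

The sweep matches on exact names rather than content, so it is a quick first pass for scoping an incident, not a substitute for a full forensic review; a hit in `affected_dirs` tells you where to start collecting evidence.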

**5. Ransom Demand and Negotiation:**
– Ransom demands range significantly, from hundreds of thousands to millions, based on victim organization size.
– Unique “Company ID” assigned to victims for negotiation via a Tor site, which features a chat system for communication with threat actors.

**6. Attack Methodology:**
– Interlock infiltrates corporate networks to steal data and subsequently spreads to other devices.
– After data theft, ransomware is deployed to encrypt files across the network, employing a double-extortion tactic by threatening public data exposure in case of non-payment.

**Action Items:**
– Continue monitoring reports and developments related to Interlock and its victims.
– Assess organizational preparedness against ransomware operations targeting FreeBSD and critical infrastructure.
– Consider enhancements to incident response protocols and cybersecurity defenses in light of recent attacks.