New Ransomware 'Interlock' Targets FreeBSD Servers Worldwide
Quick take - The newly emerged ransomware operation ‘Interlock’ has been targeting organizations globally, particularly those using FreeBSD servers, and employs a double-extortion strategy by threatening to publish stolen data if ransom demands are not met.
Fast Facts
- Interlock is a new ransomware operation targeting FreeBSD servers globally, emerging in late September 2024 and quickly gaining notoriety for its attacks on organizations, including Wayne County, Michigan.
- The operation has claimed responsibility for cyberattacks on at least six organizations and resorts to data publication on its leak site if ransom demands are unmet.
- Interlock uses a FreeBSD ELF encryptor, which is rare: the only previous ransomware operation known to have built a FreeBSD encryptor was Hive, which the FBI dismantled in 2023.
- The ransomware employs a double-extortion scheme, threatening to publish stolen data if ransom demands, which can range from hundreds of thousands to millions of dollars, are not met.
- Each victim receives a unique “Company ID” for registration on Interlock’s Tor negotiation platform, which includes a chat system for direct communication with the threat actors.
New Ransomware Operation ‘Interlock’ Targets FreeBSD Servers Globally
Interlock, a new ransomware operation, has emerged as a significant threat since its inception in late September 2024. The operation has quickly gained notoriety for its targeted attacks on organizations worldwide, primarily focusing on those utilizing FreeBSD servers. Since its emergence, Interlock has claimed responsibility for cyberattacks on at least six organizations. When ransom demands are unmet, Interlock resorts to data publication on its leak site.
Notable Victims and Insights
One of the notable victims of Interlock is Wayne County, Michigan, which suffered a cyberattack in early October 2024. Initial insights into Interlock were provided by incident responder Simo, who identified a novel backdoor associated with the operation. Cybersecurity researcher MalwareHunterTeam then found what initially appeared to be a Linux ELF encryptor linked to Interlock. BleepingComputer's attempt to run this encryptor on a virtual machine was unsuccessful, as it crashed during testing. Closer analysis showed that the binary had been compiled for FreeBSD rather than Linux: the Linux `file` command reported it as built for FreeBSD 10.4.
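The determination that `file` made above rests on two fields inside the ELF binary itself: the EI_OSABI byte in the identification header (9 = FreeBSD, 0 = SYSV, which Linux binaries normally carry) and the NT_FREEBSD_ABI_TAG note (name "FreeBSD", type 1), whose 4-byte payload is the `__FreeBSD_version` value (1004000 decodes as 10.4, using the same major = v // 100000, minor = v // 1000 % 100 split that `file` applies to modern values). The Python below is an added example for triaging a sample that will not run in a sandbox, not code from the article or from any vendor's analysis of Interlock; the two ELF images it parses are constructed in the script (a minimal ELF64 header, one PT_NOTE segment, no code) and are not Interlock binaries. It also recognises the GNU ABI-tag note so that a genuine Linux build can be told apart from a FreeBSD one.

```python
import struct

ELFOSABI_NAMES = {0: "SYSV", 3: "GNU/Linux", 9: "FreeBSD", 12: "OpenBSD"}
PT_NOTE = 4
NT_FREEBSD_ABI_TAG = 1  # note name "FreeBSD", desc = __FreeBSD_version (uint32)
NT_GNU_ABI_TAG = 1      # note name "GNU", desc = os, major, minor, sub (4 x uint32)


def _align4(n: int) -> int:
    return (n + 3) & ~3


def _parse_notes(data: bytes, off: int, size: int, end: str):
    """Walk one PT_NOTE segment and return the first OS ABI tag found, else None."""
    pos, stop = off, off + size
    while pos + 12 <= stop:
        namesz, descsz, ntype = struct.unpack_from(end + "III", data, pos)
        name = data[pos + 12: pos + 12 + namesz].rstrip(b"\0")
        desc_off = pos + 12 + _align4(namesz)
        desc = data[desc_off: desc_off + descsz]
        if name == b"FreeBSD" and ntype == NT_FREEBSD_ABI_TAG and descsz == 4:
            v = struct.unpack(end + "I", desc)[0]
            # __FreeBSD_version: 1004000 -> 10.4 (how `file` prints modern values)
            return {"os": "FreeBSD", "version": f"{v // 100000}.{v // 1000 % 100}", "raw": v}
        if name == b"GNU" and ntype == NT_GNU_ABI_TAG and descsz == 16:
            _, major, minor, sub = struct.unpack(end + "IIII", desc)
            return {"os": "GNU/Linux", "version": f"{major}.{minor}.{sub}", "raw": (major, minor, sub)}
        pos = desc_off + _align4(descsz)
    return None


def elf_platform(data: bytes) -> dict:
    """Return the EI_OSABI byte and any ABI-tag note from the PT_NOTE segments (ELF64 only)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    osabi = data[7]                              # EI_OSABI
    info = {"osabi": osabi, "osabi_name": ELFOSABI_NAMES.get(osabi, f"unknown({osabi})"), "abi_tag": None}
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags, e_ehsize,
    # e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    (_, _, _, _, phoff, _, _, _, phentsize, phnum, _, _, _) = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
    for i in range(phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(end + "IIQQQQQQ", data, phoff + i * phentsize)
        if p_type != PT_NOTE:
            continue
        tag = _parse_notes(data, p_offset, p_filesz, end)
        if tag:
            info["abi_tag"] = tag
            break
    return info


def describe(data: bytes) -> str:
    """One-line summary in the spirit of `file` output."""
    info = elf_platform(data)
    tag = info["abi_tag"]
    if tag:
        return f"ELF64 OS/ABI={info['osabi_name']}, ABI tag: {tag['os']} {tag['version']}"
    return f"ELF64 OS/ABI={info['osabi_name']}, no ABI tag note"


def build_sample(osabi: int, note_name: bytes, note_type: int, desc: bytes) -> bytes:
    """Constructed minimal ELF64 (x86-64, one PT_NOTE segment, no code) used as test input."""
    note = struct.pack("<III", len(note_name) + 1, len(desc), note_type) + note_name + b"\0"
    note += b"\0" * (_align4(len(note)) - len(note)) + desc + b"\0" * (_align4(len(desc)) - len(desc))
    ident = b"\x7fELF" + bytes([2, 1, 1, osabi, 0]) + b"\0" * 7   # ELF64, LSB, version 1, OSABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 120, 0, 0, len(note), len(note), 4)  # note at offset 120
    return ehdr + phdr + note


# Constructed samples (not real malware): a FreeBSD 10.4-tagged binary and a Linux one.
FREEBSD_SAMPLE = build_sample(9, b"FreeBSD", NT_FREEBSD_ABI_TAG, struct.pack("<I", 1004000))
LINUX_SAMPLE = build_sample(0, b"GNU", NT_GNU_ABI_TAG, struct.pack("<IIII", 0, 3, 2, 0))

if __name__ == "__main__":
    print(describe(FREEBSD_SAMPLE))   # ELF64 OS/ABI=FreeBSD, ABI tag: FreeBSD 10.4
    print(describe(LINUX_SAMPLE))     # ELF64 OS/ABI=SYSV, ABI tag: GNU/Linux 3.2.0
```

Pointing `elf_platform` at a real sample (`open(path, "rb").read()`) gives the same answer `file` reports without executing anything, which is the check to make before spending time on a Linux sandbox that will only crash on a FreeBSD binary.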
Unusual Focus on FreeBSD
Running the sample on a FreeBSD virtual machine did not succeed either. Ransomware operations typically build Linux encryptors to target VMware ESXi servers, which makes Interlock's focus on FreeBSD unusual. The only previous ransomware operation known to have developed FreeBSD encryptors was Hive, which the FBI dismantled in 2023. Researchers from Trend Micro reported an additional sample of the FreeBSD ELF encryptor, along with a Windows version associated with Interlock. They posited that the FreeBSD encryptor was developed because FreeBSD is commonly used in critical infrastructure, where a successful attack can cause significant disruption.
Ransomware Functionality and Methodology
BleepingComputer successfully tested the Windows variant of the Interlock ransomware: on execution it clears the Windows event logs and deletes itself by loading a DLL through rundll32.exe. Encrypted files are given the .interlock extension, and a ransom note titled !README!.txt is dropped in each folder. The note informs victims of the encryption, states the threats, and provides links to the Tor negotiation and data leak sites. Each victim is assigned a unique "Company ID" for registration on Interlock's Tor negotiation platform, which includes a chat system for direct communication with the threat actors.
Interlock's operational methodology involves breaching a corporate network, exfiltrating data, and moving laterally to other devices before deploying the ransomware. The stolen data is used in a double-extortion scheme: the threat actors threaten to publish it if their ransom demands are not met. Ransom demands from Interlock reportedly range from hundreds of thousands to millions of dollars, depending on the size and profile of the targeted organization.
Original Source: Read the Full Article Here