Ransomware Attack Reported by Cisco Talos Incident Response
Quick take - On November 7, 2024, Cisco Talos Incident Response reported a significant attack by the Interlock ransomware group, which used big-game hunting and double extortion together with a chain of tools for initial access, persistence, credential theft and lateral movement, ending in data exfiltration and encryption at targeted organizations across multiple sectors.
Fast Facts
- On November 7, 2024, Cisco Talos Incident Response reported a significant ransomware attack by the Interlock group, utilizing big-game hunting and double extortion tactics.
- The attack involved multiple components, including a Remote Access Tool (RAT) disguised as a fake browser updater, PowerShell scripts, a credential stealer, and a keylogger, and relied primarily on Remote Desktop Protocol (RDP) for lateral movement.
- Initial access was gained through a malicious Google Chrome updater downloaded from a compromised news site; the attacker held a foothold for roughly 17 days before deploying the ransomware encryptor, named “conhost.exe.”
- The attack included data exfiltration using Azure Storage Explorer, and the ransom note warned victims against recovery attempts while demanding contact within 96 hours.
- Interlock ransomware, first identified in September 2024, has targeted various sectors and is believed to share similarities with Rhysida ransomware, with both Windows and Linux variants employing different encryption techniques.
Significant Ransomware Attack Reported by Cisco Talos
On November 7, 2024, Cisco Talos Incident Response (Talos IR) reported a significant ransomware attack involving the Interlock ransomware group. The attack was characterized by big-game hunting and double extortion tactics, utilizing multiple components in the delivery chain.
Attack Delivery and Execution
The attack employed a Remote Access Tool (RAT) disguised as a fake browser updater, alongside PowerShell scripts, a credential stealer, and a keylogger. The attacker relied primarily on Remote Desktop Protocol (RDP) for lateral movement within the victim’s network, supplementing it with tools such as AnyDesk and PuTTY.
Initial access to victim machines was gained through a malicious Google Chrome browser updater executable downloaded from a compromised news website. Upon execution, the RAT ran an embedded PowerShell script that established persistence and collected system information. The attacker kept a foothold in the victim’s environment for approximately 17 days before deploying the ransomware encryptor binary, named “conhost.exe” (the name of the legitimate Windows console host, so the binary’s path rather than its name is what gives it away), which encrypted targeted files and appended the “.Interlock” extension.
Data Exfiltration and Tactics
Data exfiltration was carried out with Azure Storage Explorer and AzCopy, which transferred sensitive information to an attacker-controlled Azure storage blob. A credential stealer compiled in Golang harvested browser data, while a keylogger captured keystrokes and stored them locally on the victim’s machine. Reconnaissance used PowerShell commands consistent with preparation for Kerberoasting, aimed at escalating to domain admin credentials.
On some compromised servers the attacker disabled Endpoint Detection and Response (EDR) software, likely with an EDR uninstaller tool or by abusing a vulnerable device driver. Lateral movement was achieved primarily over RDP with compromised credentials, with AnyDesk and PuTTY providing additional remote connectivity.
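The exfiltration, reconnaissance and lateral-movement stages above each leave telemetry a defender can hunt on: large uploads to an Azure storage account the organization does not own, AzCopy or Storage Explorer running on an ordinary workstation, command lines that enumerate service principal names (the usual preparation for Kerberoasting), and one account RDP-ing into many hosts from a single source. The following is an added example, not code from the Talos report or from Cisco; the log lines are constructed samples in a simplified format, and the field layout, the storage-account allowlist, the size threshold and the SPN-enumeration pattern are all assumptions to adapt to your own data.

```python
"""Hunt for the exfiltration, reconnaissance and lateral-movement stages.

Added example, not code from the Talos report. All log lines below are constructed
samples in a simplified format; field layouts, thresholds and the allowlist are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: time host user method url bytes_sent
PROXY_LOG = """\
2024-10-20T02:11:05Z ws-fin-07 CORP\\jdoe PUT https://storage7x.blob.core.windows.net/backup/HR.zip?sv=2023 734003200
2024-10-20T02:13:41Z ws-fin-07 CORP\\jdoe PUT https://storage7x.blob.core.windows.net/backup/finance.7z?sv=2023 1258291200
2024-10-20T09:00:02Z ws-eng-03 CORP\\asmith GET https://corpstore.blob.core.windows.net/builds/app.msi 1024
2024-10-20T09:05:13Z ws-fin-07 CORP\\jdoe GET https://www.example.com/ 2048
"""

# Constructed process-creation records: host|image path|command line
PROCESS_LOG = """\
ws-fin-07|C:\\Users\\jdoe\\AppData\\Local\\Temp\\azcopy.exe|azcopy.exe copy D:\\share https://storage7x.blob.core.windows.net/backup --recursive
ws-fin-07|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -c Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
ws-eng-03|C:\\Windows\\System32\\cmd.exe|cmd.exe /c setspn -T corp.local -Q */*
ws-eng-03|C:\\Program Files\\Git\\bin\\git.exe|git pull
"""

# Constructed Windows 4624 logon events: time|target host|account|logon type|source ip
LOGON_LOG = """\
2024-10-21T01:02:03Z|srv-db-01|CORP\\svc_backup|10|10.10.5.17
2024-10-21T01:05:44Z|srv-file-02|CORP\\svc_backup|10|10.10.5.17
2024-10-21T01:09:10Z|srv-app-03|CORP\\svc_backup|10|10.10.5.17
2024-10-21T08:30:00Z|srv-file-02|CORP\\asmith|10|10.10.7.42
2024-10-21T08:31:00Z|srv-file-02|CORP\\asmith|3|10.10.7.42
"""

ALLOWED_STORAGE_ACCOUNTS = {"corpstore"}            # assumption: storage accounts the org owns
EXFIL_TOOLS = {"azcopy.exe", "storageexplorer.exe"}  # AzCopy / Azure Storage Explorer binaries
MIN_UPLOAD_BYTES = 100 * 1024 * 1024                 # assumption: ignore small uploads
# Command lines that enumerate SPNs, the usual preparation for Kerberoasting (assumption)
KERBEROAST_RECON = re.compile(r"serviceprincipalname|setspn(\.exe)?\s.*-q\b", re.I)


def storage_account(url):
    """Return the Azure storage account name for a blob URL, else None."""
    host = (urlsplit(url).hostname or "").lower()
    suffix = ".blob.core.windows.net"
    return host[: -len(suffix)] if host.endswith(suffix) else None


def find_blob_uploads(proxy_text, allowed=ALLOWED_STORAGE_ACCOUNTS, min_bytes=MIN_UPLOAD_BYTES):
    """Large uploads to Azure blob storage accounts the organization does not own."""
    hits = []
    for line in proxy_text.splitlines():
        _ts, host, user, method, url, sent = line.split()
        acct = storage_account(url)
        if acct and acct not in allowed and method in ("PUT", "POST") and int(sent) >= min_bytes:
            hits.append((host, user, acct, int(sent)))
    return hits


def scan_processes(process_text):
    """Hosts that ran AzCopy/Storage Explorer, and command lines that look like SPN enumeration."""
    tool_hosts, recon = set(), []
    for line in process_text.splitlines():
        host, image, cmdline = line.split("|", 2)
        if image.rsplit("\\", 1)[-1].lower() in EXFIL_TOOLS:
            tool_hosts.add(host)
        if KERBEROAST_RECON.search(cmdline):
            recon.append((host, cmdline))
    return tool_hosts, recon


def confirmed_exfil(proxy_text, process_text):
    """Uploads from hosts where an exfil tool also executed: the highest-confidence signal."""
    tool_hosts, _ = scan_processes(process_text)
    return [u for u in find_blob_uploads(proxy_text) if u[0] in tool_hosts]


def find_rdp_fanout(logon_text, max_hosts=2):
    """(account, source ip) pairs that RDP'd (logon type 10) into more than max_hosts distinct hosts."""
    targets = defaultdict(set)
    for line in logon_text.splitlines():
        _ts, host, account, logon_type, src = line.split("|")
        if logon_type == "10":
            targets[(account, src)].add(host)
    return {k: sorted(v) for k, v in targets.items() if len(v) > max_hosts}


if __name__ == "__main__":
    for finding in confirmed_exfil(PROXY_LOG, PROCESS_LOG):
        print("exfil:", finding)
    for host, cmd in scan_processes(PROCESS_LOG)[1]:
        print("kerberoast recon:", host, cmd)
    for (account, src), hosts in find_rdp_fanout(LOGON_LOG).items():
        print("rdp fan-out:", account, src, hosts)
```

The allowlist is the important design choice: AzCopy and Storage Explorer are legitimate tools and blob.core.windows.net is legitimate infrastructure, so the signal is not the tool or the domain but a large upload to an account nobody in the organization owns, ideally corroborated by the tool having run on the same host. The RDP fan-out check likewise keys on an account touching many hosts from one source rather than on RDP itself.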
Ransom Note and Group Background
Persistence was established through a scheduled task that runs daily on the victim’s machine, and the encryptor’s option to delete its own executable after encryption was used to obscure evidence of the attack. The ransom note, “!README!.txt,” was dropped in folders containing encrypted files; it warns victims against recovery attempts, demands contact within 96 hours, and includes a unique company ID for communicating with the operators.
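The execution chain described in the delivery section and the persistence and impact details above translate into a small set of endpoint checks: an “updater” executable launched by a browser from a download folder, a scheduled task created with a daily trigger whose action points into a user profile, a System32-only name such as conhost.exe running from anywhere other than System32, a burst of files renamed to the “.Interlock” extension, and the “!README!.txt” note appearing. The block below is an added example, not code from the Talos report or from Cisco; the events are constructed Sysmon-style records, and the paths, task name, burst threshold and the list of names treated as System32-only are assumptions.

```python
"""Endpoint hunt for the execution, persistence and impact stages.

Added example, not code from the Talos report. Events below are constructed
Sysmon-style records (ID 1 process create, ID 11 file create); paths, task name,
threshold and the list of names treated as System32-only are assumptions.
"""
import ntpath
from collections import Counter

SYSTEM32 = r"c:\windows\system32"
# Names that should only ever run from System32 (assumption: extend with your own baseline)
SYSTEM32_ONLY = {"conhost.exe", "svchost.exe", "lsass.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
RANSOM_NOTE = "!readme!.txt"
ENCRYPTED_EXT = ".interlock"
ENCRYPT_BURST = 3  # assumption: renamed files on one host before we call it an encryption burst

EVENTS = [  # constructed sample telemetry
    {"id": 1, "host": "ws-hr-12", "image": r"C:\Users\mlee\Downloads\ChromeUpdate.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmd": "ChromeUpdate.exe"},
    {"id": 1, "host": "ws-hr-12", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'schtasks.exe /create /sc daily /tn "Updater" /tr C:\Users\mlee\AppData\Roaming\svc.exe'},
    {"id": 1, "host": "ws-hr-12", "image": r"C:\Users\mlee\AppData\Roaming\conhost.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "conhost.exe"},
    {"id": 1, "host": "ws-eng-03", "image": r"C:\Windows\System32\conhost.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"id": 11, "host": "ws-hr-12", "image": r"C:\Users\mlee\AppData\Roaming\conhost.exe",
     "target": r"\\fs01\finance\Q3.xlsx.Interlock"},
    {"id": 11, "host": "ws-hr-12", "image": r"C:\Users\mlee\AppData\Roaming\conhost.exe",
     "target": r"\\fs01\finance\budget.docx.Interlock"},
    {"id": 11, "host": "ws-hr-12", "image": r"C:\Users\mlee\AppData\Roaming\conhost.exe",
     "target": r"\\fs01\finance\payroll.csv.Interlock"},
    {"id": 11, "host": "ws-hr-12", "image": r"C:\Users\mlee\AppData\Roaming\conhost.exe",
     "target": r"\\fs01\finance\!README!.txt"},
    {"id": 11, "host": "ws-eng-03", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\asmith\Documents\report.docx"},
]


def name_of(path):
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def is_masqueraded_system_binary(ev):
    """A System32-only name running from anywhere else (the encryptor was named conhost.exe)."""
    return name_of(ev["image"]) in SYSTEM32_ONLY and not ev["image"].lower().startswith(SYSTEM32)


def is_browser_dropped_updater(ev):
    """An 'updater' executable launched by a browser from a user-writable download path (assumption)."""
    image = ev["image"].lower()
    return name_of(ev["parent"]) in BROWSERS and "update" in name_of(image) and "\\downloads\\" in image


def is_daily_task_to_user_path(ev):
    """schtasks creating a daily task whose action lives under a user profile directory."""
    cmd = ev["cmd"].lower()
    return (name_of(ev["image"]) == "schtasks.exe" and "/create" in cmd
            and "/sc daily" in cmd and ("\\users\\" in cmd or "\\appdata\\" in cmd))


def hunt(events):
    """Return (host, tactic, detail) findings; encryption is reported per host once it bursts."""
    findings, renamed = [], Counter()
    for ev in events:
        if ev["id"] == 1:
            if is_browser_dropped_updater(ev):
                findings.append((ev["host"], "initial-access", ev["image"]))
            if is_daily_task_to_user_path(ev):
                findings.append((ev["host"], "persistence", ev["cmd"]))
            if is_masqueraded_system_binary(ev):
                findings.append((ev["host"], "masquerade", ev["image"]))
        elif ev["id"] == 11:
            target = ev["target"]
            if target.lower().endswith(ENCRYPTED_EXT):
                renamed[ev["host"]] += 1
            elif name_of(target) == RANSOM_NOTE:
                findings.append((ev["host"], "ransom-note", target))
    for host, n in renamed.items():
        if n >= ENCRYPT_BURST:
            findings.append((host, "encryption-burst", f"{n} files now end in {ENCRYPTED_EXT}"))
    return findings


if __name__ == "__main__":
    for host, tactic, detail in hunt(EVENTS):
        print(f"{host}: {tactic}: {detail}")
```

The masquerade check is deliberately path-based: a legitimate conhost.exe on ws-eng-03 is left alone because it runs from System32, while the same name under AppData is flagged. The ransom-note and extension checks fire late in the chain, which is why the earlier signals (browser-dropped updater, daily task into a user path) matter more given the 17-day dwell time reported here.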
Interlock ransomware first emerged in September 2024, targeting various sectors, including healthcare, technology, and government in the U.S., as well as manufacturing in Europe. The group operates a data leak site called “Worldwide Secrets Blog,” providing links to leaked data and communication support for victims. They claim to exploit unaddressed vulnerabilities in organizations, aiming to hold companies accountable for poor cybersecurity practices while seeking monetary gain.
Talos assessed with low confidence that Interlock ransomware may have emerged from Rhysida ransomware operators or developers, citing similarities in tactics, techniques, and procedures (TTPs). Both Windows and Linux variants of the ransomware exist; the Windows variant uses Cipher Block Chaining (CBC) mode for encryption, while the Linux variant can use either CBC or RSA.
Cisco offers a range of security solutions to help prevent and detect such ransomware attacks, including Cisco Secure Endpoint, Secure Web Appliance, Secure Email, and Secure Firewall. Indicators of Compromise (IOCs) related to the Interlock ransomware are available in Talos’s GitHub repository, providing further assistance for organizations to defend against these threats.
Original Source: Read the Full Article Here