Interlock Ransomware’s Targeted Attacks on Companies
Summary
About Interlock
– Appeared at the end of September 2024
– Ransomware attacks targeting companies in various countries and industries worldwide
– Recently, there have also been ransomware attacks in various industries such as healthcare, education, and public institutions (e.g., DaVita, Andretti Indoor Karting & Games)
– Uses unclear statistics on DLS to pressure victims
About the Ransomware
– Does not have the basic features of ransomware, such as deleting volume shadow copies, stopping database-related services, deleting event logs, or changing the desktop background
– Checks parameter values before operation and has various features
– Encryption using the OpenSSL library and AES, RSA algorithms
– Each encrypted file has a different AES key
– Information related to the AES key is encrypted with the RSA public key and inserted at the end of the file
– Encrypted files cannot be decrypted using only the traces left on the local system
Overview
Interlock Profiles
The Interlock ransomware group first appeared at the end of September 2024 and has been continuously attacking various companies and critical infrastructure organizations in North America and Europe. Like other ransomware gangs, they encrypt files on infected systems, exfiltrate sensitive data from companies, and release it if the ransom is not paid.

Figure 1. Interlock ransomware group’s Dedicated Leak Site (DLS), hosted on a .onion address
The Interlock ransomware group calls itself “a relentless collective that exposes the recklessness of companies” and uses unclear statistics to pressure victims.
This information was also published on the DLS. It claims that 94% of attacks could have been prevented with patch management, the average downtime was 9.7 days, and the average cost of business interruption was $4.45 million. The Interlock ransomware group mainly targets companies that have failed to protect customer data and intellectual property.
The Interlock group conducts double extortion attacks targeting healthcare, education, and public institutions, and its victims include the US kidney dialysis company DaVita and the indoor entertainment operator Andretti Indoor Karting & Games, among others. According to the FBI and CISA, the Interlock ransomware group has been continuously attacking various companies and critical infrastructure organizations in North America and Europe.

Figure 2. Interlock ransomware group’s introduction

Figure 3. Data from affected companies disclosed on the DLS (.onion)
The ransomware distributed by the Interlock ransomware group does not perform any additional network communication after encrypting files.
The AES-256-GCM (Galois/Counter Mode) algorithm is used for file encryption. The per-file AES key and initialization vector (IV) are encrypted with the RSA-4096 public key and appended to the end of the file. Because the RSA public key is already embedded in the ransomware file, only the holder of the matching private key, i.e., the threat actor, can recover the key material and decrypt the file.
In particular, this encryption process is implemented using the OpenSSL library, whose encryption and key-management functions are used to combine the AES and RSA algorithms for file encryption. The ransom note provides the URL for the Tor site and encourages the victim to negotiate there.

Figure 4. Negotiation page found on the DLS
Analysis Details
Initial Routine
Interlock ransomware initially keeps its main code encrypted or obfuscated, and patches and loads that code into memory only at runtime. Because the original ransomware code is present in memory only during execution, it can evade detection while operating normally. In other words, the initial code patching is believed to be a defensive technique used by the ransomware to hide its core logic, delay analysis, and evade security measures.
After the code patch is completed, the main code first checks for argument values, and if none are provided, it tries to encrypt all drives and attempts to enable access to symbolic links. Enabling symbolic links allows the ransomware to access and encrypt files that are connected through lnk files or symbolic links.
| Argument Value | Behavior |
| --- | --- |
| -d <folder path> | Attempts to encrypt by specifying a folder |
| -f <file name> | Attempts to encrypt only one file |
| -t | Argument value for testing |
| -e | Treats multiple argument values as a single set |
| -s | Creates and runs a Task Scheduler task (privilege escalation) |
| -r | Attempts forced encryption |
| -del | Deletes itself |
Table 1. Behavior by argument value
As can be seen in Table 1, this Interlock ransomware allows the use of multiple argument values with the -e argument value (e.g., -e -r -del). In the case of the -t argument value, it does not actually attempt encryption but creates a __test__ folder in the path where the ransomware is located and generates temporary files inside that folder. This argument value is used for testing purposes.
The -s argument value registers Interlock ransomware in the Task Scheduler and runs it to escalate to system privileges. After execution, the task is deleted.

Figure 6. Registering to the Task Scheduler and running
The -del argument value performs self-deletion after all behaviors of Interlock ransomware are complete. It creates a tmp<random number>.wasd file in the %TEMP% path and runs it using rundll32.exe.

Figure 7. Self-delete routine

Figure 8. Self-delete function of tmp<random number>.wasd
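The artifacts described in this section (the “!NT3RLOCK” extension on encrypted files, the ransom note filename, the __test__ folder created in test mode, and the tmp<random number>.wasd self-delete helper launched through rundll32.exe) can be turned into a quick triage check for incident responders. The following Python script is an added example and is not code from the report or from the Interlock analysis; it assumes that encrypted files end in “.!NT3RLOCK”, that the helper name follows the pattern tmp<digits>.wasd, and that the rundll32.exe command line contains the .wasd path. The sample paths and command lines are constructed, not real victim data.

```python
import os
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# Indicators taken from the report text. The ".!NT3RLOCK" suffix form is an
# assumption (the report lists the extension without a leading dot).
ENCRYPTED_SUFFIX = ".!nt3rlock"
RANSOM_NOTE = "open_before_anything.txt"
TEST_FOLDER = "__test__"
# Self-delete helper dropped in %TEMP%: tmp<random number>.wasd (assumed numeric).
SELF_DELETE_RE = re.compile(r"^tmp\d+\.wasd$", re.IGNORECASE)
# rundll32.exe loading any .wasd file; the exact argument form is an assumption.
RUNDLL_WASD_RE = re.compile(r"rundll32(\.exe)?\b.*\.wasd\b", re.IGNORECASE)


def classify_path(path: str) -> Optional[str]:
    """Return an indicator tag for one Windows path, or None if nothing matches."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent_parts = [part.lower() for part in p.parts[:-1]]
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted_file"
    if name == RANSOM_NOTE:
        return "ransom_note"
    if SELF_DELETE_RE.match(name) and "temp" in parent_parts:
        return "self_delete_helper"
    if TEST_FOLDER in parent_parts:
        return "test_mode_folder"
    return None


def flag_command_line(cmdline: str) -> bool:
    """True when a process command line shows rundll32.exe loading a .wasd file."""
    return bool(RUNDLL_WASD_RE.search(cmdline))


def scan_paths(paths: Iterable[str]) -> Tuple[List[Tuple[str, str]], Counter]:
    """Classify an inventory of paths; return (hits, per-tag counts)."""
    hits = [(path, tag) for path in paths if (tag := classify_path(path))]
    return hits, Counter(tag for _, tag in hits)


def scan_tree(root: str) -> Tuple[List[Tuple[str, str]], Counter]:
    """Walk a mounted volume or evidence copy and classify every file in it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return scan_paths(paths)


# Constructed sample inventory mixing benign paths with each indicator type.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\q3-budget.xlsx.!NT3RLOCK",
    r"C:\Users\alice\Documents\OPEN_BEFORE_ANYTHING.txt",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\AppData\Local\Temp\tmp48213.wasd",
    r"C:\Users\alice\Downloads\__test__\a1b2c3.tmp",
    r"C:\Windows\System32\kernel32.dll",
]
# Constructed process command lines (the first imitates the self-delete step).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" C:\Users\alice\AppData\Local\Temp\tmp48213.wasd',
    r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL',
]

if __name__ == "__main__":
    hits, counts = scan_paths(SAMPLE_PATHS)
    for path, tag in hits:
        print(f"{tag:20} {path}")
    print(dict(counts))
    for cmd in SAMPLE_CMDLINES:
        print(flag_command_line(cmd), cmd)
```

In a live case, point scan_tree() at a mounted forensic image rather than the running host, and treat a rundll32.exe hit on a .wasd file as a reason to pull the %TEMP% contents before they are cleaned up, since the helper removes the ransomware binary itself.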
Preparing for Encryption
Certain folders, extensions, and files are excluded from encryption to prevent the system from being damaged by accidentally encrypting important files.
Among the extensions and files excluded from encryption, Interlock ransomware lists the extension it appends to encrypted files, “!NT3RLOCK”, and its ransom note filename, “OPEN_BEFORE_ANYTHING.txt”. Excluding the extension prevents already encrypted files from being re-encrypted, and excluding the ransom note filename ensures that victims can read the note and proceed with negotiations.
| Folders Excluded from Encryption |
| --- |
| $Recycle.Bin / $RECYCLE.BIN |
| Boot |
| Documents and Settings |
| PerfLogs |
| ProgramData |
| Recovery |
| System Volume Information |
| Windows |
| $RECYCLE.BIN |
| AppData |
| WindowsApps |
| Windows Defender |
| WindowsPowerShell |
| Windows Defender Advanced Threat Protection |
Table 2. Folders excluded from encryption
| File Extensions Excluded from Encryption |
| --- |
| bat, bin, cab, cmd, com, cur, diagcab, diagcfg, diagpkg, drv, hlp, hta, msi, ocx, psm1, scr, sys, ini, url, dll, exe, ps1, !NT3RLOCK |
Table 3. File extensions excluded from encryption
| Files Excluded from Encryption |
| --- |
| Thumbs.db, OPEN_BEFORE_ANYTHING.txt |
Table 4. Files excluded from encryption
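During scoping of an incident, the exclusion lists in Tables 2 to 4 tell a responder which files on a host could not have been touched by this variant and which files need to be checked. The Python below is an added example, not code from the report or the analysis; it transcribes the three tables into a case-insensitive check and assumes that a folder name from Table 2 matching any component of the path (not only a top-level folder) causes exclusion, since the report does not state how the match is made. The file inventory is constructed.

```python
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Table 2: folders (lowercased; the two $Recycle.Bin spellings collapse to one).
EXCLUDED_FOLDERS = {name.lower() for name in [
    "$Recycle.Bin", "Boot", "Documents and Settings", "PerfLogs", "ProgramData",
    "Recovery", "System Volume Information", "Windows", "AppData", "WindowsApps",
    "Windows Defender", "WindowsPowerShell",
    "Windows Defender Advanced Threat Protection",
]}
# Table 3: extensions, including the ransomware's own "!NT3RLOCK" marker.
EXCLUDED_EXTENSIONS = {ext.lower() for ext in [
    "bat", "bin", "cab", "cmd", "com", "cur", "diagcab", "diagcfg", "diagpkg",
    "drv", "hlp", "hta", "msi", "ocx", "psm1", "scr", "sys", "ini", "url",
    "dll", "exe", "ps1", "!NT3RLOCK",
]}
# Table 4: filenames.
EXCLUDED_FILES = {"thumbs.db", "open_before_anything.txt"}


def exclusion_reason(path: str) -> Optional[str]:
    """Return why a path is excluded ("folder:", "file:" or "extension:"), or None if in scope."""
    p = PureWindowsPath(path)
    # Assumption: any directory component matching Table 2 excludes the file.
    for part in p.parts[:-1]:
        if part.lower() in EXCLUDED_FOLDERS:
            return f"folder:{part}"
    if p.name.lower() in EXCLUDED_FILES:
        return f"file:{p.name}"
    ext = p.suffix[1:].lower()  # suffix keeps the dot; drop it to match the table
    if ext and ext in EXCLUDED_EXTENSIONS:
        return f"extension:{ext}"
    return None


def in_scope(path: str) -> bool:
    """True if this variant would consider the file for encryption."""
    return exclusion_reason(path) is None


def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Split an inventory into in-scope paths and excluded paths with reasons."""
    result: Dict[str, object] = {"in_scope": [], "excluded": {}}
    for path in paths:
        reason = exclusion_reason(path)
        if reason is None:
            result["in_scope"].append(path)  # type: ignore[union-attr]
        else:
            result["excluded"][path] = reason  # type: ignore[index]
    return result


# Constructed inventory covering each exclusion rule plus two in-scope files.
SAMPLE_INVENTORY: List[str] = [
    r"C:\Users\bob\Documents\contract.docx",
    r"C:\Users\bob\AppData\Roaming\app\settings.json",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\bob\Desktop\setup.exe",
    r"C:\Users\bob\Pictures\Thumbs.db",
    r"C:\Users\bob\Documents\contract.docx.!NT3RLOCK",
    r"D:\Shares\finance\ledger.xlsx",
    r"C:\$Recycle.Bin\S-1-5-21\old.txt",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_INVENTORY)
    print("in scope:", *summary["in_scope"], sep="\n  ")
    for path, reason in summary["excluded"].items():
        print(f"excluded ({reason}): {path}")
```

The useful output for a responder is the in-scope list: those are the files whose integrity must be verified from backups, while the excluded set (system folders, executables, and the ransomware's own artifacts) explains why a host can still boot and run after the attack.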
Before creating file encryption threads, the ransomware uses the GetSystemInfo() API to set the number of encryption threads based on the number of CPU logical cores. The encryption process is multi-threaded: it creates file search threads and file encryption threads that work together. As shown in Table 5, twice as many file encryption threads are created as file search threads.

Figure 9. Calculating the number of CPU logical cores

Figure 10. Creating threads
| No. of CPU Logical Cores | No. of File Search Threads | No. of File Encryption Threads |
| --- | --- | --- |
| 2 cores | 2 | 4 |
| 4 cores | 4 | 8 |
| 6 cores | 6 | 12 |
| 8 cores | 8 | 16 |
| 12 cores | 12 | 24 |
| 16 cores | 16 | 32 |
Table 5. Number of threads by CPU logical core count