The Interlock ransomware intrusion set has escalated its operations across North America and Europe with sophisticated techniques.
Not falling under the typical Ransomware-as-a-Service (RaaS) category, Interlock operates independently, focusing primarily on Big Game Hunting and double extortion campaigns.
This group’s activities have been closely monitored by cybersecurity firms such as Sekoia Threat Detection & Research (TDR) and others, revealing their evolving tactics and tools.
.png
)
Attack Mechanism and Execution
Interlock initiates its attack by compromising legitimate websites to host deceptive browser update pages, leveraging the trust users have in these platforms.
Here’s how the attack unfolds:
1. Fake Updater Deployment:
The ransomware’s initial access vector is a fake browser update hosted on compromised websites.
These updates appear as legitimate Google Chrome or Microsoft Edge installers but are, in fact, PyInstaller files. When a user executes this update, it:
- Downloads and runs a legitimate installer.
- Simultaneously, it launches a PowerShelcl script acting as a backdoor.
2.PowerShell Backdoor:
This script operates in a loop, continuously executing HTTP requests to communicate with command-and-control (C2) servers. It’s designed for resilience, utilizing:
- A continuous communication loop with the C2 server for persistence.
- Collection of system information including user context, system details, and more, then transmitting this data to the attacker.
3.Command Execution:
The C2 server can issue various commands, including:
- Terminating the backdoor.
- Deploying additional malware like keyloggers or credential stealers (e.g., LummaStealer, BerserkStealer).
Domain and IP Clustering for Resilience
According to the Report, Interlock’s operators employ a strategy of IP address clustering to maintain their infrastructure’s resilience:
Cluster Composition
Each cluster typically includes:
- One IP from BitLaunch, allowing cryptocurrency transactions.
- One from Hetzner Online GmbH, known for its robust hosting services.
- A third from various autonomous systems to complicate disruption efforts.
ClickFix Technique for Initial Access
Around January 2025, Interlock adopted the ClickFix technique:
- Deceptive Prompts: Victims are persuaded to manually execute malicious PowerShell commands through fake CAPTCHA verifications or system prompts.
- Fake Installer Distribution: This technique was used to distribute a fake installer payload, but its usage seemed to have been abandoned by February 2025.
The sophistication and evolution of Interlock’s tactics, from using fake browser updates to employing social engineering techniques like ClickFix, illustrate its adaptability and potential for further growth.
With a focus on high-value targets and the ability to evade traditional network security, Interlock remains a significant threat.
Cybersecurity measures must be updated continuously to counter the dynamic strategies of this ransomware group.
Indicators of Compromise (IoC)
The following table lists the IoCs associated with Interlock’s activities:
| Category | Indicator Type | Indicators |
|---|---|---|
| Fake Updater | SHA-256 | 576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296, f962e15c6efebb3c29fe399bb168066042b616affddd83f72570c979184ec55c, … (additional hashes) |
| ClickFix PowerShell Loaders | SHA-256 | 5c697162527a468a52c9e7b7dc3257dae4ae5142db62257753969d47f1db533e, eb587b2603dfc14b420865bb862fc905cb85fe7b4b5a781a19929fc2da88eb34, … (additional hashes) |
| Interlock RAT | SHA-256 | 1105a3050e6c842fb9411d4f21fd6fdb119861c15f7743e244180a4e64b19b83, 299a8ef490076664675e3b52d6767bf89ddfa6accf291818c537a600a96290d2, … (additional hashes) |
| Keylogger | SHA-256 | 5cbc2ae758043bb58664c28f32136e9cada50a8dc36c69670ddef0a3ef6757d8, df41085a8aa9ee9da6a03db08ad910b6ef5fcdc8fee7ebb19744331c5e70c782, … (additional hashes) |
| BerserkStealer | SHA-256 | eb1cdf3118271d754cf0a1777652f83c3d11dc1f9a2b51e81e37602c43b47692, a5623b6a6f289bb328e4007385bdb1659407a9e825990a0faaef3625a2e782cf |
| LummaStealer | SHA-256 | 4672fe8b37b71be834825a2477d956e0f76f7d2016c194f1538139d21703fd6e |
| Windows Interlock ransomware | SHA-256 | 4a97599ff5823166112d9221d0e824af7896f6ca40cd3948ec129533787a3ea9, 33dc991e61ba714812aa536821b073e4274951a1e4a9bc68f71a802d034f4fb9, … (additional hashes) |
| Small autoremove DLL used by the ransomware | SHA-256 | c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f |
| Linux Interlock ransomware | SHA-256 | 28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f |
| Data Leak Site | URL | http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion |
| Backdoor C2 – Cluster 1 | IP Address | 23.95.182[.]59, 195.201.21[.]34, 159.223.46[.]184 |
| Backdoor C2 – Cluster 2 | IP Address | 23.227.203[.]162, 65.109.226[.]176, 65.38.120[.]47 |
| Backdoor C2 – Cluster 3 | IP Address | 216.245.184[.]181, 212.237.217[.]182, 168.119.96[.]41 |
| Backdoor C2 – Cluster 4 | IP Address | 216.245.184[.]170, 65.108.80[.]58, 84.200.24[.]41 |
| Backdoor C2 – Cluster 5 | IP Address | 206.206.123[.]65, 49.12.102[.]206, 193.149.180[.]158 |
| Backdoor C2 – Cluster 6 | IP Address | 85.239.52[.]252, 5.252.177[.]228, 80.87.206[.]189 |
| Backdoor C2 – Cluster 7 | IP Address | 65.108.80[.]58, 212.104.133[.]72, 140.82.14[.]117 |
| Backdoor C2 – Cluster 8 | IP Address | 64.94.84[.]85, 49.12.69[.]80, 96.62.214[.]11 |
| Backdoor C2 – Cluster 9 | IP Address | 177.136.225[.]153, 188.34.195[.]44, 45.61.136[.]202 |
| Compromised URLs | URL | http://topsportracing[.]com/wp-az, http://topsportracing[.]com/az10, https://airbluefootgear[.]com/wp-includes/images/xits.php, … (additional URLs) |
| ClickFix URLs | URL | https://microsoft-msteams[.]com/additional-check.html, https://microstteams[.]com/additional-check.html, https://advanceipscaner[.]com/additional-check.html, … (additional URLs) |
| PowerShell backdoor C2 domains | URL | refrigerator-cheers-indicator-ferrari[.]trycloudflare.com, analytical-russell-cincinnati-settings[.]trycloudflare.com, … (additional URLs) |
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
