
Interlock Ransomware Targeting Businesses

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

The Interlock ransomware group has been actively targeting businesses and critical infrastructure in North America and Europe since September 2024. Its ransomware encrypts files with AES-256-GCM and protects the file keys with RSA-4096, using the OpenSSL library for fast file encryption. The malware uses code obfuscation and accepts specific command-line arguments that select its behaviours. It excludes certain folders, file extensions, and files from encryption to avoid damaging the system. The ransomware changes file extensions to '.!NT3RLOCK' and may terminate processes during encryption. Interlock's operations involve data theft and threats of public disclosure as ransom leverage. The group runs a Tor-based negotiation site and cites legal regulations to pressure victims. To counter this threat, offsite data backups and regular recovery drills are recommended.

OPENCTI LABELS :

north america,openssl,rsa-4096,aes-256-gcm,interlock,file encryption,ransomware,europe,code obfuscation,data theft


AI COMMENTARY :

1. Since September 2024 the Interlock ransomware group has been identified as a significant threat targeting businesses and critical infrastructure across North America and Europe. The campaign has evolved rapidly, demonstrating the group's capacity to inflict widespread operational disruption and financial losses on organizations of varying sizes.

2. The core of Interlock’s attack capability resides in a combination of AES-256-GCM encryption and RSA-4096 key protection. Leveraging the OpenSSL library for file encryption allows the malware to execute at remarkable speed while maintaining strong cryptographic standards. Advanced code obfuscation techniques conceal malicious functionality and complicate analysis by security researchers.

3. Interlock’s execution strategy includes carefully excluding certain folders and file extensions from encryption to prevent critical system damage. Infected files are renamed with a .!NT3RLOCK extension and the malware may terminate processes to unlock target files. Custom arguments enable the threat actors to tailor behaviors such as process termination, directory traversal and selective targeting of high-value assets.

4. Beyond file encryption, Interlock operators engage in significant data theft prior to encryption. Stolen data is used as leverage on a Tor-based negotiation site where victims receive pressure through public disclosure threats. References to legal regulations and compliance obligations are employed to intensify demands for ransom payment.

5. The geographic focus of these attacks spans both North America and Europe, with sectors such as manufacturing, healthcare and energy bearing the brunt of the disruptions. The combination of ransomware-driven downtime and the risk of sensitive data exposure has generated urgent calls for enhanced cyber resilience within critical infrastructure environments.

6. Mitigation strategies against Interlock ransomware include maintaining secure offsite data backups and conducting regular recovery drills to ensure continuity. Organizations should implement robust patch management processes and least-privilege access controls. Proactive threat intelligence sharing and network and endpoint monitoring can help detect early indicators of intrusion and prevent the full deployment of this sophisticated threat.
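One concrete early indicator a defender can monitor for is the mass renaming of files to the '.!NT3RLOCK' extension described in point 3. The following is an added example, not code from the report or from NetmanageIT: it parses a constructed file-activity log (the 'ts|host|action|path' format is assumed, not a real product format) and flags any host that renames at least five files to that extension within a one-minute window, while a single stray rename does not trigger an alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERLOCK_EXT = ".!NT3RLOCK"  # extension the report says encrypted files receive

# Constructed sample file-activity log (not from the report).
# Assumed format: ts|host|action|path, where RENAME carries the new path.
SAMPLE_LOG = """\
2024-10-01T10:00:00|ws01|MODIFY|C:\\Users\\alice\\Documents\\notes.txt
2024-10-01T10:00:01|ws01|RENAME|C:\\Users\\alice\\Documents\\q3.xlsx.!NT3RLOCK
2024-10-01T10:00:02|ws01|RENAME|C:\\Users\\alice\\Documents\\plan.docx.!NT3RLOCK
2024-10-01T10:00:03|ws01|RENAME|C:\\Users\\alice\\Pictures\\img1.jpg.!NT3RLOCK
2024-10-01T10:00:04|ws01|RENAME|C:\\Users\\alice\\Pictures\\img2.jpg.!NT3RLOCK
2024-10-01T10:00:05|ws01|RENAME|C:\\Users\\alice\\Desktop\\todo.txt.!NT3RLOCK
2024-10-01T10:00:06|ws02|CREATE|C:\\Users\\bob\\report.pdf
2024-10-01T10:30:00|ws02|RENAME|C:\\Users\\bob\\old.bak.!NT3RLOCK
"""

def parse_event(line):
    """Split one log line into its fields; the path may itself contain '|'-free text only."""
    ts, host, action, path = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "action": action, "path": path}

def interlock_renames(log_text):
    """Return RENAME events whose new path ends with the Interlock extension."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return [e for e in events
            if e["action"] == "RENAME"
            and e["path"].upper().endswith(INTERLOCK_EXT)]

def burst_hosts(events, window=timedelta(seconds=60), threshold=5):
    """Hosts with at least `threshold` Interlock renames inside any `window`-long span.

    A sliding window over the sorted timestamps separates a mass-encryption burst
    from an isolated rename that could be a restored sample or a false positive.
    """
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e["ts"])
    alerted = set()
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerted.add(host)
                break
    return alerted

if __name__ == "__main__":
    hits = interlock_renames(SAMPLE_LOG)
    print(f"{len(hits)} Interlock renames; bursting hosts: {sorted(burst_hosts(hits))}")
```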

