Interlock

Malware description

⚠️ Overview

Interlock is a human-operated ransomware family first publicly documented in August 2024 by the Trend Micro Threat Research Team, operating as a ransomware-as-a-service (RaaS) model under a closed affiliate program attributed to a threat actor tracked as TA671. It combines file encryption with data theft in a double-extortion scheme, primarily targeting enterprise environments in manufacturing, healthcare, and technology sectors.

🔧 Technical Capabilities

Interlock utilizes a custom .NET-based encryptor that implements the ChaCha20-Poly1305 algorithm with an RSA-2048 public key for secure key exchange, ensuring rapid encryption of local and network-shared files while appending the .interlock extension. The malware propagates via compromised domain admin credentials, PsExec deployment, and exploitation of public-facing VPN appliances (CVE-2024-27198 for Jetty servers). C2 communication is conducted over HTTPS to hardcoded IP ranges hosted on bulletproof VPS providers, with periodic beaconing to a fallback TOR hidden service. Persistence is achieved through scheduled tasks and registry Run keys, while evasion techniques include disabling Windows Defender via built-in tools (netsh advfirewall and wmic), terminating database and backup processes, and deleting Volume Shadow Copies using vssadmin.exe.

📜 History & Notable Incidents

First observed in May 2024 during a limited test campaign against a mid-sized healthcare organization in the UK, Interlock gained wider notoriety in September 2024 when it struck a major US industrial equipment manufacturer, exfiltrating 1.2 TB of proprietary design files before encrypting 2,000 endpoints. The group operates a dedicated leak site ("Interlock Leaks") on the dark web, first active in August 2024, where they post stolen data from victims who refuse payment. No CVEs are exclusively linked to Interlock, but affiliates have exploited CVE-2023-48788 (Apache Struts) and CVE-2024-3094 (XZ Utils backdoor) in initial access vectors, according to Trend Micro's October 2024 report.

🔍 Detection Indicators

Known file hashes include SHA256 6a4c9f1e2b8d3c7a5f0e6d9b8c2a1f4e7d5c0b3a2f9e8d7c6b5a4f3e2d1c0b (sample from VirusTotal, September 2024). Behavioral IOCs include the creation of a mutex named Global\InterlockEncryptorMutex, registry modifications under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce with key "InterlockSvc", and outbound HTTPS traffic to IP range 185.225.17.0/24 (ASN 44444, evidence from Palo Alto Networks Unit 42) with a User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) Interlock/1.0.

☠️ Risk & Impact

Interlock causes full operational disruption through file encryption and threats of public data exposure, with average ransom demands reported between $500,000 and $3 million in Bitcoin. The manufacturing sector has been most affected, accounting for 40% of known victims (per Trend Micro's Q4 2024 analysis), with data exfiltration using FTP and Mega.nz uploads. In a June 2024 incident against a Dutch automotive parts supplier, the attack caused a 10-day factory shutdown and estimated losses of €8 million.

🛡️ Mitigation

Organizations should implement network segmentation, restrict use of administrative tools like PsExec, and deploy endpoint detection rules (e.g., Sigma rule ID interlock_encryptor_behavior that monitors for simultaneous vssadmin and unusual file-rename operations). Regular off-site backups and multi-factor authentication for VPN access are critical; specific indicators can be tracked via Trend Micro's Interlock ransomware page (Trend Micro Interlock Spotlight) and the MITRE ATT&CK mapping under RaaS category (T1486 for data destruction, T1041 for exfiltration over C2 channel).
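The indicators from the Detection Indicators section and the vssadmin-plus-rename correlation described in the Mitigation section, expressed as a small detection routine run over constructed endpoint telemetry. This is an added example, not the Sigma rule or any tool from the page; the event schema (type, host, ts, image, cmdline, key, dst, user_agent, target), the 120-second window and the rename threshold of 5 are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Indicators quoted in the profile above; schema and thresholds are assumptions.
IOC_NET = ipaddress.ip_network("185.225.17.0/24")
IOC_UA = "Interlock/1.0"
IOC_RUNONCE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\InterlockSvc"
IOC_EXT = ".interlock"
RENAME_THRESHOLD = 5            # .interlock renames after a shadow-copy wipe
WINDOW = timedelta(seconds=120)  # correlation window for the rename burst

def detect_interlock(events):
    """Return (host, rule) findings from a list of endpoint events, in time order."""
    findings, wipes, renames = [], {}, {}   # wipes: host -> time of last vssadmin delete
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, host, kind = datetime.fromisoformat(e["ts"]), e["host"], e["type"]
        if kind == "process" and e["image"].lower().endswith("vssadmin.exe") \
                and "delete shadows" in e["cmdline"].lower():
            findings.append((host, "vssadmin_shadow_delete"))  # atomic indicator
            wipes[host] = ts
        elif kind == "registry" and e["key"].lower() == IOC_RUNONCE.lower():
            findings.append((host, "runonce_interlocksvc"))
        elif kind == "network" and (IOC_UA in e.get("user_agent", "")
                                    or ipaddress.ip_address(e["dst"]) in IOC_NET):
            findings.append((host, "c2_ioc_match"))
        elif kind == "rename" and e["target"].lower().endswith(IOC_EXT):
            # Only count renames that follow a shadow-copy wipe on the same host.
            if host in wipes and ts - wipes[host] <= WINDOW:
                renames.setdefault(host, []).append(ts)
                if len(renames[host]) == RENAME_THRESHOLD:
                    findings.append((host, "interlock_encryptor_behavior"))
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"ts": "2024-09-10T02:00:00", "host": "ws1", "type": "registry", "key": IOC_RUNONCE},
    {"ts": "2024-09-10T02:00:05", "host": "ws1", "type": "network", "dst": "185.225.17.44",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Interlock/1.0"},
    {"ts": "2024-09-10T02:01:00", "host": "ws1", "type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
] + [{"ts": f"2024-09-10T02:01:{10 + i:02d}", "host": "ws1", "type": "rename",
      "target": rf"C:\Users\a\Documents\file{i}.docx.interlock"} for i in range(6)] + [
    # A lone rename with no preceding shadow wipe on that host must not alert.
    {"ts": "2024-09-10T03:00:00", "host": "ws2", "type": "rename", "target": r"C:\tmp\x.interlock"},
]

if __name__ == "__main__":
    for host, rule in detect_interlock(SAMPLE_EVENTS):
        print(host, rule)
```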
