The Interlock ransomware gang is aggressively targeting businesses and critical infrastructure in North America and Europe, according to a new warning from the US Cybersecurity and Infrastructure Security Agency (CISA), which says the group is stepping up its attacks and changing tactics.
The agency issued an advisory describing how Interlock picks its victims on the basis of opportunity, carrying out financially-motivated attacks based on vectors such as social engineering.
The group’s ransomware encryptors are available for both Windows and Linux, and have been observed encrypting virtual machines (VMs) on both. So far, CISA says, the group has left hosts, workstations, and physical servers unaffected, though this could change in future.
The group uses a broad range of tactics to gain access.
“FBI observed actors obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups,” CISA said.
Interlock then uses a range of different methods for discovery, credential access, and lateral movement to spread to other systems on the network, before issuing ransom demands.
The group uses a double extortion model, encrypting systems after exfiltrating data, to increase the pressure on victims.
It recently claimed responsibility for an attack on US healthcare provider Kettering Health that caused a company-wide outage, with other victims including kidney care provider DaVita and the UK’s West Lothian Council.
Comparitech data puts the group at 16 confirmed attacks to date, plus a further 17 unconfirmed attacks since last October.
“What sets Interlock apart is its tactical diversity,” commented Nick Tausek, lead security automation architect at Swimlane.
“The group has used ClickFix attacks to impersonate IT tools and infiltrate networks, deployed remote access trojans (RATs) to deliver malware, and most recently, adopted double extortion tactics to maximize pressure on victims.”
CISA recommended that organizations prevent initial access by implementing domain name system (DNS) filtering and web access firewalls, and by training users to spot social engineering attempts.
Leaders should deal with known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date, and segment networks to restrict lateral movement.
And they should implement identity, credential, and access management policies across the organization, requiring multi-factor authentication wherever possible.
“The range and frequency of these attacks highlight just how adaptable modern threat actors have become. Attacks now come from multiple vectors, often at once, and organizations must be ready,” said Tausek.
“Regular patching, network segmentation, and proactive defenses are essential. Just as critical is equipping employees with the awareness to recognize social engineering attempts before they lead to compromise.”