Interlock Ransomware Turns Trusted Windows Feature Against Defenders


Summary:

Halcyon has observed the Interlock ransomware group leveraging Windows Defender Application Control (WDAC) to disable endpoint security tooling as part of their attack chain. By abusing WDAC, a legitimate Windows policy enforcement feature, Interlock is able to block endpoint security tools from executing, effectively neutralizing defensive controls before deploying ransomware. This technique represents a significant escalation in the group’s ability to evade defenses and underscores a broader trend of threat actors weaponizing trusted, native operating system (OS) features against the environments they target. Organizations should review their WDAC policy configurations, ensure that security tooling is protected against policy-based tampering, restrict and monitor all privileged access, and validate that endpoint security solutions remain operational throughout the attack lifecycle.

Background:

Interlock ransomware group has been observed deploying a sophisticated defense evasion technique that leverages WDAC in enforcing mode, applied via a Group Policy Object (GPO)-deployed scheduled task, to selectively disable endpoint security tooling while permitting only Interlock’s own malicious tooling to execute. By crafting a WDAC policy that allowlists their ransomware components and blocklists legitimate security solutions, Interlock is able to effectively blind endpoint security tools before proceeding with encryption and data exfiltration. This abuse of a trusted, native Windows policy enforcement mechanism represents a deliberate and calculated effort to subvert defensive controls at the OS level, making detection and response significantly more difficult for affected organizations.

The use of GPO-deployed scheduled tasks to push and enforce malicious WDAC policies suggests that Interlock operators have achieved a meaningful level of privileged access within the target environment prior to ransomware deployment, likely through prior credential compromise or lateral movement. This technique also indicates a high degree of operational maturity, as constructing and deploying a functional WDAC policy that surgically targets security tooling requires in-depth knowledge of the victim’s environment and Windows internals. Interlock has traditionally targeted healthcare systems alongside government entities, defense contractors, manufacturing operations, and education institutions across North America and Europe.

Organizations should audit GPO configurations for unauthorized scheduled tasks, review WDAC policies for unexpected or unauthorized changes, and ensure that security tooling is resilient against policy-based tampering. Privileged access controls and monitoring around Group Policy modifications should be treated as a critical detection opportunity for this activity. Halcyon continues to monitor Interlock ransomware activity and will update this alert as new evidence emerges.

NOTE: At minimum, WDAC abuse requires local administrator rights on the target systems (or the LAPS-managed local administrator credentials, where LAPS is implemented).

Details:

  • WDAC Enforcing Mode via GPO-Deployed Scheduled Task: Interlock ransomware group has been observed deploying a malicious WDAC policy in enforcing mode through a GPO-deployed scheduled task. Unlike audit mode, enforcing mode actively blocks any application not explicitly permitted by the policy, giving the attacker direct control over what is and is not allowed to execute within the environment. By pushing this policy via GPO, Interlock is able to apply the configuration broadly and rapidly across domain-joined systems without manual intervention on individual endpoints.  
  • Selective Allowlisting of Malicious Tooling: The WDAC policy deployed by Interlock is deliberately constructed to allowlist the group’s own malicious tooling while blocklisting or failing to account for legitimate endpoint security tooling. This surgical approach ensures that Interlock’s ransomware components, lateral movement tools, and exfiltration utilities are permitted to execute while defensive controls are silently rendered inoperable, creating a window of unimpeded activity for the threat actor.  
  • Prerequisite Privileged Access: The ability to create and deploy a GPO-linked scheduled task that enforces a custom WDAC policy requires a significant level of prior privileged access within the target environment, including domain-level or Group Policy administrative rights that allow execution as SYSTEM. This indicates that WDAC abuse occurs as a late-stage pre-ransomware activity, following credential compromise, privilege escalation, and lateral movement. Defenders should treat unauthorized GPO modifications and new scheduled task creation as high-fidelity indicators of impending ransomware deployment.  
  • Tactics, Techniques, and Procedures (TTPs): Halcyon has observed Interlock ransomware gaining initial access through phishing campaigns delivering trojanized installers masquerading as legitimate software, as well as compromised remote desktop protocol (RDP) and vulnerabilities in edge devices. Following initial access, the group conducts reconnaissance and lateral movement using legitimate tools including AnyDesk, ScreenConnect, PuTTY, and various living-off-the-land binaries (LOLBins). Data exfiltration has been observed using Azure Storage Explorer via custom exfiltration tooling prior to encryption. The deployment of a malicious WDAC policy via GPO represents a late-stage defense evasion step executed immediately before ransomware detonation, underscoring the group’s operational maturity and deliberate approach to neutralizing defenses before impact.
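To make the policy traits described above concrete, here is an added PowerShell example (not Halcyon's code) that triages a WDAC policy XML recovered from SYSVOL or a staging directory for the signals this alert describes: enforcing mode, an unsigned policy, an unknown PolicyID, Deny rules aimed at security binaries, and path-based Allow rules outside the standard program directories. The policy text, the binary names and the baseline IDs are constructed placeholders, not real products or observed Interlock artefacts.

```powershell
# Added example (not Halcyon's code): triage a recovered WDAC policy XML for the
# traits described above. The policy text, binary names and baseline IDs are
# constructed placeholders, not real products or observed Interlock artefacts.
$policyXml = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.1</VersionEx>
  <PolicyID>{11111111-2222-3333-4444-555555555555}</PolicyID>
  <BasePolicyID>{11111111-2222-3333-4444-555555555555}</BasePolicyID>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <FileRules>
    <Deny ID="ID_DENY_D_1" FriendlyName="sensor" FileName="ExampleEdrSensor.exe" MinimumFileVersion="65535.65535.65535.65535" />
    <Allow ID="ID_ALLOW_A_1" FriendlyName="staging" FilePath="C:\ProgramData\Staging\*" />
  </FileRules>
</SiPolicy>
'@
$approvedPolicyIds = @('{AAAAAAAA-0000-0000-0000-000000000000}')      # placeholder baseline
$securityBinaries  = @('ExampleEdrSensor.exe', 'ExampleAvService.exe') # placeholder tool names

function Get-WdacPolicyFindings {
    param([string]$Xml, [string[]]$ApprovedIds, [string[]]$WatchBinaries)
    [xml]$doc = $Xml
    $findings = @()
    $options = @($doc.SiPolicy.Rules.Rule | ForEach-Object Option)
    if ($options -notcontains 'Enabled:Audit Mode') {
        $findings += 'Enforcing mode: Enabled:Audit Mode is absent, so every Deny rule really blocks.'
    }
    if ($options -contains 'Enabled:Unsigned System Integrity Policy') {
        $findings += 'Unsigned policy: no signing requirement protects it from later replacement.'
    }
    $id = $doc.SiPolicy.PolicyID
    if ($ApprovedIds -notcontains $id) { $findings += "PolicyID $id is not in the approved baseline." }
    # Deny rules naming security binaries are the blinding step the alert describes.
    foreach ($deny in @($doc.SiPolicy.FileRules.Deny | Where-Object { $_ })) {
        $target = if ($deny.FileName) { $deny.FileName } else { $deny.FilePath }
        if ($WatchBinaries -contains $target) { $findings += "Deny rule $($deny.ID) targets security binary $target." }
    }
    # Path-based Allow rules outside Program Files / Windows are the 'non-standard path' signal.
    foreach ($allow in @($doc.SiPolicy.FileRules.Allow | Where-Object { $_ })) {
        $p = $allow.FilePath
        if ($p -and $p -notlike '*\Program Files*' -and $p -notlike '*\Windows\*') {
            $findings += "Allow rule $($allow.ID) permits a non-standard path: $p"
        }
    }
    return $findings
}

Get-WdacPolicyFindings -Xml $policyXml -ApprovedIds $approvedPolicyIds -WatchBinaries $securityBinaries
```

Run against the constructed policy, the function reports all four findings; in practice, feed it the XML found next to a suspicious scheduled task and compare the PolicyID against your change-managed baseline.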

Mitigation:  

  • Audit and Restrict Group Policy Modifications: Organizations should immediately audit existing GPO configurations for unauthorized scheduled tasks or unexpected WDAC policy deployments. Implement strict access controls and monitoring around Group Policy administrative rights, as the ability to create and link GPOs is a prerequisite for this technique [M1026]. Alert on new scheduled task creation via GPO, particularly those referencing unsigned scripts, policy files, or executables originating from non-standard paths [M1047].  
  • WDAC Policy Integrity Validation: Regularly audit deployed WDAC policies to ensure they align with organizationally approved baselines and have not been modified or supplemented by unauthorized policies [M1047]. Organizations leveraging WDAC as a legitimate application control mechanism should ensure that policy management is restricted to authorized personnel and that changes are subject to change management processes [M1026]. Unexpected transitions from audit mode to enforcing mode, or the appearance of new WDAC policies across domain-joined systems, should be treated as a high-fidelity indicator of compromise.
  • Privileged Access Hardening: Given that Interlock’s WDAC abuse requires local admin at the bare minimum, we recommend implementing and enforcing LAPS and looking for detections of node.exe (Node usage) and any unauthorized RMM tools (e.g., ScreenConnect). Additionally, at the domain-level or Group Policy administrative rights, organizations should enforce Just-in-Time (JIT) least privilege principles and implement Privileged Access Workstations (PAWs) or similar for administrative activity [M1026]. Credential hardening measures including multi-factor authentication for privileged accounts, tiered administration models, and regular review of accounts with Group Policy management rights should be prioritized [M1032]. Lateral movement leading to privilege escalation represents the critical precursor to this technique and should be the primary focus of detection efforts.  
  • Endpoint Security Resilience: Deploy endpoint security solutions that are resilient against policy-based tampering and capable of operating under restrictive application control environments [M1038]. Validate that endpoint security tooling remains operational and that any disruption to security tool execution generates an alert [M1040]. Organizations should work with their endpoint security vendors to understand how their solutions respond to WDAC enforcing mode and whether tamper protection mechanisms can withstand GPO-deployed policy changes [M1031].
  • Deploy Dedicated Anti-Ransomware Solution: Deploy dedicated anti-ransomware defenses capable of detecting and blocking the behavioral patterns associated with WDAC abuse, including unauthorized policy deployment, scheduled task creation, and the selective disabling of security tooling [M1038]. Solutions should be capable of detecting runtime behaviors indicative of pre-ransomware staging activity, including reconnaissance, lateral movement, and exfiltration, before encryption is initiated [M1040]. Protecting the integrity of backups and ensuring they remain isolated from domain-joined systems reduces the attacker’s ability to leverage WDAC policy deployment against backup infrastructure [M1053].
  • Post-Incident Response Considerations: If WDAC abuse is detected or suspected, immediately isolate affected systems to contain further GPO-based policy propagation [M1030]. If possible and practical, disconnect network cabling or connections to hosts. Preserve forensic evidence including GPO change logs, scheduled task artifacts, and WDAC policy files for investigation. Engage experienced ransomware incident response specialists to assess the scope of privileged access compromise, identify all systems affected by the malicious WDAC policy, and support recovery planning. Restore endpoint security tooling to full operational status before proceeding with broader recovery activities to ensure defenses are in place against potential re-entry attempts [M1047].
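The audit steps above can be turned into a repeatable hunt. The following is an added PowerShell example (not Halcyon's code) that looks for the two artefact classes this alert describes: Group Policy Preference scheduled tasks in SYSVOL whose command line references WDAC policy deployment, and, on the local host, the active Code Integrity policy files (for baseline hashing) plus recent policy-refresh and enforcement-block events. It assumes a domain-joined Windows host with read access to SYSVOL; the command-fragment pattern is a constructed starting point, not a complete signature.

```powershell
# Added example (not Halcyon's code): hunt for a GPP scheduled task that pushes a WDAC
# policy, and for the policy files and Code Integrity events such a push leaves on a host.
# Assumes a domain-joined host with SYSVOL read access; the pattern is a constructed starting point.
$policiesRoot = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
$wdacPattern  = 'citool|refreshpolicy|\.cip\b|\.p7b\b|CodeIntegrity\\CiPolicies|SIPolicy'

function Find-GpoWdacTasks {
    param([string]$Root, [string]$Pattern)
    Get-ChildItem -Path $Root -Recurse -Filter ScheduledTasks.xml -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        [xml]$gpp = Get-Content -LiteralPath $file -Raw
        # GPP stores tasks as TaskV2 / ImmediateTaskV2; local-name() sidesteps the task XML namespace.
        foreach ($task in $gpp.SelectNodes('//*[local-name()="TaskV2" or local-name()="ImmediateTaskV2"]')) {
            $cmd = ($task.SelectNodes('.//*[local-name()="Command"]')   | ForEach-Object InnerText) -join ' '
            $arg = ($task.SelectNodes('.//*[local-name()="Arguments"]') | ForEach-Object InnerText) -join ' '
            if ("$cmd $arg" -match $Pattern) {
                $props = $task.SelectSingleNode('*[local-name()="Properties"]'); $runAs = if ($props) { $props.GetAttribute('runAs') } else { '' }
                [pscustomobject]@{
                    GpoGuid  = [regex]::Match($file, '\{[0-9A-Fa-f-]+\}').Value
                    TaskName = $task.GetAttribute('name')
                    RunAs    = $runAs
                    Command  = "$cmd $arg".Trim()
                    Source   = $file
                }
            }
        }
      }
}

function Get-ActiveCiPolicyFiles {
    # Single-policy format: SIPolicy.p7b; multiple-policy format: CiPolicies\Active\*.cip.
    $paths = @("$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b",
               "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\*.cip")
    Get-ChildItem -Path $paths -ErrorAction SilentlyContinue |
      Select-Object Name, LastWriteTime, @{ n = 'Sha256'; e = { (Get-FileHash -LiteralPath $_.FullName).Hash } }
}

function Get-CiPolicyEvents {
    param([int]$Days = 7)
    # 3099 = a policy was loaded or refreshed; 3077 = a file was blocked under enforcement.
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3099, 3077; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
      Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Find-GpoWdacTasks -Root $policiesRoot -Pattern $wdacPattern | Format-Table -AutoSize
Get-ActiveCiPolicyFiles | Format-Table -AutoSize
Get-CiPolicyEvents | Format-Table -AutoSize
```

A task running as SYSTEM whose command references a policy file in SYSVOL, a .cip whose hash is not in your baseline, or a burst of 3077 events naming security-tool binaries are each worth an immediate escalation.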

Source Summary:

This Alert is based on Halcyon observations, open-source information, and ongoing research. Findings reflect our current understanding of threat actor activity and may be revised as additional evidence becomes available.

The Halcyon Ransomware Research Center unites experts, drives smart policies, and delivers actionable intelligence to detect, disrupt, and defeat ransomware. Explore the Center’s latest reports, analysis, and resources here.
