Interlock Ransomware Targets FreeBSD and Critical Infrastructure

Threat Group: Interlock
Threat Type: Ransomware
Exploited Vulnerabilities: Network vulnerabilities; FreeBSD and VMware ESXi environments
Malware Used: Interlock ransomware variants for FreeBSD and Windows
Threat Score: High (8.0/10) — due to cross-platform targeting, focus on critical infrastructure, and double-extortion tactics
Last Threat Observation: November 2024


Overview

Interlock ransomware is a newly detected strain focusing on critical infrastructure, specifically targeting FreeBSD and VMware ESXi systems. Emerging around September 2024, this ransomware group has conducted several high-impact attacks, exploiting network vulnerabilities to compromise healthcare and other essential services. Using double-extortion methods, Interlock encrypts data and threatens to release sensitive information if demands are unmet. The group has publicly claimed multiple victims and hosts a dedicated leak site on the dark web.

Key Details

  • Delivery Method: Likely via exploited network vulnerabilities.
  • Target: Healthcare, critical infrastructure, FreeBSD-based systems, and VMware ESXi servers.
  • Functions:
    • Encrypts files, appending ".interlock" to affected files.
    • Drops a ransom note named !__README__!.txt.
    • Uses a FreeBSD ELF encryptor, highlighting a focus on critical infrastructure where FreeBSD is commonly deployed.
    • Employs Windows-based techniques for data exfiltration and lateral movement within compromised networks.
  • Obfuscation: Initiates command-and-control (C2) via a scheduled task, anonymizing network traffic through a reverse shell.

Attack Vectors

Interlock ransomware uses custom-built encryptors for FreeBSD and ESXi, distinguishing it from typical Linux-based or Windows-only attacks. Upon gaining access, the malware spreads laterally across the network, exfiltrating data before encrypting it. Victims receive a ransom note with instructions to access a Tor-based negotiation site, where a unique company ID is required for secure communication. The attackers utilize double-extortion tactics, publishing sensitive data on their leak site if the ransom remains unpaid.

Known Indicators of Compromise (IoCs)

  • File Hashes (MD5): e11d147dad6e47a1cecb1f2755f95a55
  • File Hashes (SHA-1): 1cb6a93e6d2d86d3479a1ea59f7d5b258f1c5c53, 5cc81e0df62e0d68710e14b31e2270f2ec7ed166, 8a38825ee33980a27ab6970e090a30a46226f752
  • File Hashes (SHA-256): e9ff4d40aeec2ff9d2886c7e7aea7634d8997a14ca3740645fd3101808cc187b
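
A host sweep for the file-level indicators on this page (the ".interlock" suffix, the !__README__!.txt ransom note, and the SHA-256 listed above), given here as an added example that is not taken from the cited sources. The function names, the 64 MiB hashing limit and the sample tree built in demo() are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Indicators as listed on this page.
ENCRYPTED_SUFFIX = ".interlock"
RANSOM_NOTE = "!__README__!.txt"
PAGE_SHA256 = {"e9ff4d40aeec2ff9d2886c7e7aea7634d8997a14ca3740645fd3101808cc187b"}

def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def sweep(root, known_sha256=frozenset(PAGE_SHA256), max_hash_bytes=64 << 20):
    """Walk root; return paths (relative to root) grouped by indicator type."""
    hits = {"encrypted": [], "notes": [], "hash_hits": []}
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(ENCRYPTED_SUFFIX):
                hits["encrypted"].append(rel)
            elif name == RANSOM_NOTE:
                hits["notes"].append(rel)
            elif os.path.isfile(path) and not os.path.islink(path):
                try:  # hash only regular files under the size limit
                    if os.path.getsize(path) <= max_hash_bytes and sha256_of(path) in known_sha256:
                        hits["hash_hits"].append(rel)
                except OSError:
                    pass  # unreadable file: keep sweeping
    return hits

def demo():
    """Run sweep() over a constructed tree; nothing in it is real malware."""
    stand_in = b"constructed stand-in for a known-bad binary\n"
    known = PAGE_SHA256 | {hashlib.sha256(stand_in).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "vm01"))
        for rel, data in (("vm01/disk.vmdk.interlock", b"x"), ("vm01/" + RANSOM_NOTE, b"x"),
                          ("notes.txt", b"benign"), ("svc.bin", stand_in)):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return sweep(root, known)

if __name__ == "__main__":
    print(demo())
```

A ransom note or ".interlock" file means encryption has already run on that host, so treat those hits as incident triage rather than early warning; a hash hit on an otherwise clean host is the earlier signal.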

Mitigation and Prevention

  • User Awareness: Educate users on ransomware risks, especially those associated with network vulnerabilities.
  • Email Filtering: Strengthen email defenses to detect phishing attempts that may deliver ransomware payloads.
  • Antivirus Protection: Ensure antivirus and anti-malware tools are regularly updated with ransomware definitions.
  • Two-Factor Authentication (2FA): Enforce 2FA on critical systems to prevent unauthorized access.
  • Monitor Logs: Regularly inspect system logs for unusual scheduled tasks or C2 network traffic.
  • Regular Updates: Prioritize patching, especially for FreeBSD and VMware ESXi systems.

Conclusion

Interlock ransomware represents a sophisticated and high-impact threat, especially concerning its unique targeting of FreeBSD and ESXi environments and its double-extortion tactics. Organizations within critical infrastructure sectors should prioritize patching vulnerabilities and fortifying security defenses. Enhanced vigilance in network monitoring and strong access controls are essential to mitigate risks posed by this emerging ransomware variant.

