#StopRansomware: Interlock Note

#StopRansomware: Interlock

The Interlock ransomware, first seen in late September 2024, targets businesses and critical infrastructure in North America and Europe. This financially motivated ransomware uses a double extortion model, encrypting data after exfiltration. Initial access is achieved through unusual methods like drive-by downloads from compromised websites and social engineering, specifically the ClickFix technique. Post-infection, Interlock uses various tools for reconnaissance, credential theft, and lateral movement within the network. The ransomware primarily targets virtual machines, encrypting files with .interlock or .1nt3rlock extensions. Ransom demands are not initially displayed but are communicated via a unique code and a .onion URL after contact from victims. The FBI, CISA, HHS, and MS-ISAC are releasing this advisory to share indicators of compromise and tactics, techniques, and procedures to aid in mitigation efforts. The advisory emphasizes implementing robust endpoint detection and response (EDR) tools to protect against Interlock. Similarities between Interlock and Rhysida ransomware are noted. Organizations are encouraged to follow the provided mitigation recommendations to reduce risk. The advisory concludes with a table listing tools used by the actors.