Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label encryptor. Show all posts

Interlock Ransomware: New Threat Targeting FreeBSD Servers and Critical Infrastructure Worldwide

 

The Interlock ransomware operation, launched in late September 2024, is increasingly targeting organizations around the globe. Distinctly, this new threat employs an encryptor specifically designed to attack FreeBSD servers, a relatively uncommon tactic among ransomware groups.

Interlock has already affected six organizations and publicly leaked stolen data after ransoms went unpaid. One prominent victim, Wayne County in Michigan, experienced a cyberattack early in October, adding to the list of affected entities.

Details about Interlock remain limited, with early reports emerging from cybersecurity responder Simo in October. Simo's analysis noted a new backdoor associated with the ransomware, discovered during an investigation on VirusTotal.

Shortly after, MalwareHunterTeam identified a Linux ELF encryptor related to Interlock. Upon further examination, BleepingComputer confirmed that this executable was built specifically for FreeBSD 10.4, though attempts to execute it in a FreeBSD environment failed.

Although ransomware targeting Linux-based VMware ESXi servers is common, an encryptor for FreeBSD is rare. The now-defunct Hive ransomware, disrupted by the FBI in 2023, was the only other known operation with a FreeBSD encryptor.

Trend Micro researchers shared additional samples of the Interlock FreeBSD ELF encryptor and a Windows variant, noting that FreeBSD is often used in critical infrastructure. This likely makes it a strategic target for Interlock, as attacks on these systems can lead to significant service disruptions.

Trend Micro emphasizes that Interlock’s focus on FreeBSD infrastructure allows attackers to disrupt essential services and demand high ransoms, as these systems are integral to many organizations’ operations.

It is important to note that Interlock ransomware is unrelated to any cryptocurrency token of the same name.

While BleepingComputer encountered issues with running the FreeBSD encryptor, they successfully tested the Windows version, which performed actions like clearing event logs and deleting the main binary using rundll32.exe if self-deletion is enabled.

When encrypting files, Interlock appends the .interlock extension and generates a ransom note titled "!README!.txt" in each affected folder. The note explains the encryption, threats, and includes links to a Tor-based negotiation site where victims can communicate with the attackers. Each victim receives a unique ID and email for registration on this negotiation platform.

During attacks, Interlock breaches networks, steals sensitive data, and then deploys the encryptor to lock down files. The data theft supports a double-extortion scheme, with threats to leak data if ransoms—ranging from hundreds of thousands to millions of dollars—are not paid.

The Evolution of Computer Crime: From Tinkering to Ransomware Threats

 



In the early days of computing, systems were relatively isolated, primarily reserved for academic and niche applications. Initial security incidents were more about experimentation gone wrong than intentional harm.

Today, the scenario is vastly different. Computers are everywhere—powering our homes, workplaces, and even critical infrastructure. With this increased reliance, new forms of cybercrime have emerged, driven by different motivations.

Computer crimes, which once revolved around simple scams and tech-savvy groups, have evolved. Modern attackers are more professional and devastating, often state-sponsored, like ransomware collectives.

A prime example of this evolution is ransomware. What began as simple criminal schemes has turned into a full-fledged industry, with criminals realizing that encrypting data and demanding payment is a highly lucrative enterprise.

Ransomware attacks follow a predictable pattern. First, the attacker deploys an encryptor on the victim’s system, locking them out. Then, they make their presence known through alarms and ransom demands. Finally, if the ransom is paid, some attackers provide a tool to decrypt the data, though others might threaten public exposure of sensitive data instead.

However, ransomware attackers face two key challenges. The first is infiltrating the target system, often achieved through phishing tactics or exploiting vulnerabilities. Attacks like WannaCry highlight how these methods can devastate unprotected systems.

The second challenge is receiving payment without revealing the attacker’s identity. Cryptocurrencies have helped solve this problem, allowing criminals to receive payments anonymously, making it harder for authorities to trace.

Preventing ransomware isn’t solely about avoiding the initial attack; it’s also about having a recovery strategy. Regular backups and proper employee training on cybersecurity protocols are crucial. Resilient companies use backup strategies to ensure they can restore systems quickly without paying ransoms.

However, backups must be thoroughly tested and isolated from the main system to prevent infection. Many companies fail to adequately test their backups, leading to a difficult recovery process in the event of an attack.

While ransomware isn’t a new concept in technical terms, its economic implications make it a growing threat. Cybercriminals can now act more ruthlessly and target industries that can afford to pay high ransoms. As these attacks become more common, companies must prepare to mitigate the damage and avoid paying ransoms altogether