Meet Interlock — The new ransomware targeting FreeBSD servers

Image: Midjourney

A relatively new ransomware operation named Interlock attacks organizations worldwide, taking the unusual approach of creating an encryptor to target FreeBSD servers.

Launched at the end of September 2024, Interlock has since claimed attacks on six organizations, publishing stolen data on its data leak site after a ransom was not paid. One of the victims is Wayne County, Michigan, which suffered a cyberattack at the beginning of October.

Not much is known about the ransomware operation, with some of the first information coming from incident responder Simo in early October, who found a new backdoor [VirusTotal] deployed in an Interlock ransomware incident.

Soon after, cybersecurity researcher MalwareHuntTeam found what was believed to be a Linux ELF encryptor [VirusTotal] for the Interlock operation. Sharing the sample with BleepingComputer, we tried to test it on a virtual machine, where it immediately crashed.

Examining the strings within the executable indicated that it was compiled specifically for FreeBSD, with the Linux "file" command further confirming it was compiled on FreeBSD 10.4.

interlock.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=c7f876806bf4d3ccafbf2252e77c2a7546c301e6, for FreeBSD 10.4, FreeBSD-style, not stripped
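As an added example, not code from the article or from any of the researchers it cites, the following Python script reads the two header facts behind the `file` output above that explain why a binary like this cannot run on Linux: the ELF OSABI byte and the FreeBSD ABI-tag note from which the "for FreeBSD 10.4" string is derived. It runs against a constructed minimal ELF image, not the real sample; the constants and the version decoding follow the ELF specification, FreeBSD's headers and file(1)'s behaviour for modern releases.

```python
import struct
# OSABI byte 9 = FreeBSD, PT_NOTE = 4, NT_FREEBSD_ABI_TAG = 1 (ELF spec / FreeBSD headers).
ELFOSABI_NAMES = {0: "System V / none", 3: "GNU/Linux", 9: "FreeBSD", 12: "OpenBSD"}
PT_NOTE, NT_FREEBSD_ABI_TAG = 4, 1

def parse_elf_header(data):
    """Return the ELF64 little-endian header fields needed for triage."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not an ELF64 little-endian image")
    f = struct.unpack_from("<16sHHIQQQIHHHHHH", data, 0)
    return {"osabi": data[7], "e_phoff": f[5], "e_phentsize": f[9], "e_phnum": f[10]}

def iter_notes(data, hdr):
    """Yield (name, type, desc) for each note record in every PT_NOTE segment."""
    for i in range(hdr["e_phnum"]):
        off = hdr["e_phoff"] + i * hdr["e_phentsize"]
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 12 <= end:
            namesz, descsz, n_type = struct.unpack_from("<III", data, pos)
            pos += 12
            name = data[pos:pos + namesz].rstrip(b"\0")
            pos += (namesz + 3) & ~3            # name and desc are 4-byte aligned
            desc = data[pos:pos + descsz]
            pos += (descsz + 3) & ~3
            yield name, n_type, desc

def freebsd_version(desc):
    """Decode a __FreeBSD_version value (1004000 -> '10.4') the way file(1) prints it."""
    v = struct.unpack("<I", desc)[0]
    return f"{v // 100000}.{v // 1000 % 100}"

def triage(data):
    """Report the OSABI byte and, if present, the FreeBSD release the binary was built for."""
    hdr = parse_elf_header(data)
    out = {"osabi": ELFOSABI_NAMES.get(hdr["osabi"], f"unknown({hdr['osabi']})"), "freebsd_version": None}
    for name, n_type, desc in iter_notes(data, hdr):
        if name == b"FreeBSD" and n_type == NT_FREEBSD_ABI_TAG and len(desc) == 4:
            out["freebsd_version"] = freebsd_version(desc)
    return out

def build_sample():
    """Constructed stand-in (not the real sample): ELF64 x86-64 EXEC, OSABI FreeBSD, one PT_NOTE tagging 10.4."""
    note = struct.pack("<III", 8, 4, NT_FREEBSD_ABI_TAG) + b"FreeBSD\0" + struct.pack("<I", 1004000)
    ident = b"\x7fELF" + bytes([2, 1, 1, 9, 0]) + b"\0" * 7   # 64-bit, LSB, version 1, OSABI 9
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, 120, 0, 0, len(note), len(note), 4)
    return ehdr + phdr + note
```

Pointing `triage()` at a real file's bytes gives the same two facts `file` prints, which is the quickest way to tell a FreeBSD-only sample from a Linux one before spending time on a sandbox that cannot run it.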

However, even when testing the sample on a FreeBSD virtual machine, BleepingComputer was unable to get the sample to execute properly.

While it's common to see Linux encryptors created to target VMware ESXi servers and virtual machines, it's rare to see ones created for FreeBSD. The only other ransomware operation known to have created FreeBSD encryptors is the now-defunct Hive ransomware operation, which was disrupted by the FBI in 2023.

This week, researchers from cybersecurity firm Trend Micro shared on X that they found an additional sample of the FreeBSD ELF encryptor [VirusTotal] and a sample of the operation's Windows encryptor [VirusTotal].

Trend Micro further said that the threat actors likely created a FreeBSD encryptor because the operating system is commonly used in critical infrastructure, where attacks can cause widespread disruption.

"Interlock targets FreeBSD as it's widely used in servers and critical infrastructure. Attackers can disrupt essential services, demand hefty ransoms, and coerce victims into paying," explains Trend Micro.

The Interlock ransomware

While BleepingComputer couldn't get the FreeBSD encryptor working, the Windows version ran without a problem on our virtual machine.

According to Trend Micro, the Windows encryptor will clear Windows event logs and, if self-deletion is enabled, will use a DLL to delete the main binary using rundll32.exe.

When encrypting files, the ransomware will append the .interlock extension to all encrypted file names and create a ransom note in each folder.

Files encrypted by Interlock
Source: BleepingComputer

This ransom note is named !__README__!.txt and briefly describes what happened to the victim's files, makes threats, and links to the Tor negotiation and data leak sites.

Interlock ransom note
Source: BleepingComputer

Each victim has a unique "Company ID" that is used together with an email address to register on the threat actor's Tor negotiation site. Like many other recent ransomware operations, the victim-facing negotiation site simply includes a chat system that can be used to communicate with the threat actors.

Interlock dark web negotiation site
Source: BleepingComputer

When conducting attacks, Interlock will breach a corporate network and steal data from servers while spreading laterally to other devices. When done, the threat actors deploy the ransomware to encrypt all of the files on the network.

The stolen data is used as part of a double-extortion attack, where the threat actors threaten to publicly leak it if a ransom is not paid.

Interlock data leak site
Source: BleepingComputer

BleepingComputer has learned that the ransomware operation demands ransoms ranging from hundreds of thousands of dollars to millions, depending on the size of the organization.
