Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Interlock. Show all posts
Ransomwares
Advanced Social Engineering Cyber Attacks Cyber SecurityTrojan Attacks Cyber Threat Intelligence Industries Interlock Interlock ransomware ransomware attacks Ransomwares

Interlock RAT Evolves in New KongTuke Web-Inject Attacks Targeting U.S. Industries

 

A recently enhanced version of the Interlock remote access Trojan (RAT) is being deployed in an ongoing web-inject campaign linked to the ransomware group behind it. Known for its double-extortion tactics, Interlock has now shifted its technical approach with a more covert RAT variant written in PHP. According to a new report by The DFIR Report, this marks a significant advancement in the group’s capabilities and strategy.  

Interlock first emerged in late 2024, attacking high-profile targets such as Texas Tech University’s Health Sciences Centers. Earlier this year, cybersecurity firm Quorum Cyber detailed two versions of the group’s malware, named NodeSnake, focused on maintaining persistence and exfiltrating data. The newest version introduces additional stealth features, most notably a transition from JavaScript to PHP, allowing the malware to blend more easily with normal web traffic and avoid detection. 

This enhanced RAT is tied to a broader web-inject threat campaign dubbed “KongTuke,” where victims are tricked into running malicious scripts after visiting compromised websites. Visitors encounter what appears to be a legitimate CAPTCHA but are actually prompted to paste dangerous PowerShell commands into their systems. This action initiates the Interlock RAT, giving attackers access to the machine. 

Once activated, the malware gathers extensive data on the infected system. Using PowerShell, it collects system information, running processes, mounted drives, network connections, and checks its own privilege level. This enables attackers to evaluate the environment quickly and plan further intrusion tactics. It then connects back to command-and-control infrastructure, leveraging services like Cloudflare Tunneling for stealthy communication. Remote desktop protocol (RDP) is used for lateral movement and persistent access. 

Researchers say the targeting in this campaign appears opportunistic, not industry-specific. Victims across various sectors in the U.S. have been identified, with the attackers casting a wide net and focusing efforts where systems and data seem valuable or more vulnerable.  

Defensive recommendations from experts include improving phishing awareness, restricting the use of the Windows Run dialog box, enforcing least privilege access, and requiring multifactor authentication. Blocking unnecessary use of RDP is also essential. 

The growing sophistication of the Interlock RAT and its integration into mass web-inject campaigns reflects an evolving cyber threat landscape where stealth, automation, and social engineering play a central role.
Read more »
Ransomware
Cyberattack Data Breach DaVita Healthcare Interlock Ransomware

Interlock Ransomware Gang Claims DaVita Cyberattack, Leaks Alleged Data Online

 

jThe Interlock ransomware group has taken credit for a recent cyberattack on DaVita, a leading U.S. kidney care provider. The group claims to have exfiltrated a significant amount of data, which it has now leaked on the dark web.

DaVita, a Fortune 500 company, operates over 2,600 dialysis centers across the U.S., employs around 76,000 people in 12 countries, and generates more than $12.8 billion in annual revenue. On April 12, the healthcare giant informed the U.S. Securities and Exchange Commission (SEC) that it had been hit by a ransomware incident that disrupted some operations. At the time, the company said it was assessing the impact.

Earlier today, the Interlock group publicly listed DaVita as a victim on its data leak site (DLS) hosted on the dark web. The cybercriminals claim to have stolen approximately 1.5 terabytes of data, including around 700,000 files containing sensitive information—ranging from patient records and user account data to insurance documents and financial details.

The leaked files were released following what appears to be a failed negotiation between Interlock and DaVita. The authenticity of the exposed files has not been independently verified by BleepingComputer.

In response to the data leak, a DaVita spokesperson told BleepingComputer: "We are aware of the post on the dark web and are in the process of conducting a thorough review of the data involved."

"A full investigation regarding this incident is still underway. We are working as quickly as possible and will notify any affected parties and individuals, as appropriate."

"We are disappointed in these actions against the healthcare community and will continue to share helpful information with our vendors and partners to raise awareness on how to defend against these attacks in the future."

Patients who have received care at DaVita facilities are advised to remain alert for phishing attempts and report any suspicious activity to authorities.

Interlock emerged in the ransomware scene in September last year, primarily targeting Windows and FreeBSD systems. Unlike many groups, Interlock does not collaborate with affiliates but has demonstrated increasing activity and sophistication.

A recent report by cybersecurity firm Sekoia highlighted a shift in Interlock’s approach. The group is now using “ClickFix” techniques to deceive victims into deploying info-stealers and remote access trojans (RATs)—a method that paves the way for ransomware deployment.
Read more »
Ransomwares
Cyber Attacks Cyber Researchers Dark Web data security Interlock Interlock ransomware Malware Attack Ransomware attack Ransomwares

Interlock Ransomware Gang Deploys ClickFix Attacks to Breach Corporate Networks

 

Cybersecurity researchers have revealed that the Interlock ransomware gang has adopted a deceptive social engineering technique called ClickFix to infiltrate corporate networks. This method involves tricking users into executing malicious PowerShell commands under the guise of resolving system errors or completing identity verification steps, leading to the deployment of file-encrypting malware. 

While ClickFix attacks have previously been associated with ransomware campaigns, this marks the first confirmed use by Interlock, a ransomware operation that surfaced in late September 2024. The group targets both Windows systems and FreeBSD servers and maintains a dark web leak portal to pressure victims into paying ransoms that can reach millions of dollars. Interlock does not seem to operate as a ransomware-as-a-service (RaaS) model. 

According to Sekoia researchers, Interlock began using ClickFix tactics in January 2025. Attackers set up fake websites mimicking legitimate IT tools—such as Microsoft Teams and Advanced IP Scanner—to lure victims. These fake sites prompt users to click a “Fix it” button, which silently copies a malicious PowerShell script to the user’s clipboard. If run, the command downloads a 36MB PyInstaller payload that installs malware under the guise of a legitimate tool. 

Researchers found the malicious campaign hosted on spoofed domains like microsoft-msteams[.]com, microstteams[.]com, ecologilives[.]com, and advanceipscaner[.]com. Only the last domain led to the actual malware dropper disguised as Advanced IP Scanner. When users unknowingly run the script, a hidden PowerShell window executes actions such as system reconnaissance, persistence via Windows Registry, and data exfiltration. The attackers deploy a range of malware via command-and-control (C2) servers, including LummaStealer, BerserkStealer, keyloggers, and the Interlock RAT—a basic remote access trojan capable of dynamic configuration, file exfiltration, shell command execution, and DLL injection. 

Post-compromise, Interlock operators use stolen credentials to move laterally through networks via RDP, leveraging remote access tools like PuTTY, AnyDesk, and LogMeIn. Data is exfiltrated to Azure Blob Storage, after which the Windows variant of Interlock ransomware is scheduled to run daily at 8:00 PM—a redundancy tactic to ensure encryption if the initial payload fails. The gang’s ransom notes have also evolved, now placing emphasis on the legal and regulatory consequences of leaked data. 

ClickFix attacks are gaining popularity among various cybercriminal groups, with recent reports also linking them to North Korean state-sponsored actors like the Lazarus Group, who use similar tactics to target job seekers in the cryptocurrency sector.
Read more »
Unfrastructure
Cyber Attacks CyberCrime Cybersecurity CyberThreat Interlock Ransomware attack Unfrastructure

Critical Infrastructure Faces Rising Ransomware Risks

 


In October 2024, Interlock claimed to have attacked several organizations, including Wayne County, Michigan, which is known for its cyberattacks. Ransomware is characterized by the fact that the encrypted data is encrypted by an encryptor specifically designed for the FreeBSD operating system, an operating system widely used in critical infrastructure. 

In late September 2024, a unique approach was used to launch the operation, which uses an encryptor specifically designed for FreeBSD. Interlock has already attacked several organizations, including Wayne County in Michigan, which was attacked in October 2024 by a cybercriminal organization called Interlock.

During the Interlock attack, the attacker breaches corporate networks, steals data from them, spreads to other devices laterally, and encrypts their files. In addition to using double-extortion tactics, they threaten to leak stolen data unless ransom demands of hundreds of thousands to millions of dollars are met. A particular feature of Interlock is its focus on FreeBSD encryptors, which makes it uniquely different from other ransomware groups that target Linux-based VMware ESXi servers. 

FreeBSD is a widely used operating system and a prime target of malicious hackers who want to disrupt critical infrastructure and extort victims for a large sum of money. This FreeBSD encryptor was developed specifically for FreeBSD 10.4, and it is a 64-bit ELF executable that is designed specifically for FreeBSD. 

Although the sample was tested on both Linux and FreeBSD virtual machines, the execution of the code was problematic since it failed to work in controlled environments. A ransomware attack is a sophisticated type of malware that seeks to seize control of data, effectively denying access to files and systems. 

In this malicious software, advanced encryption techniques are employed to render data inaccessible without a unique decryption key exclusive to the attackers. There is usually a ransom payment, usually in cryptocurrency, which victims are required to make to restore access and secure the attackers' privacy. Security experts Simo and MalwareHunterTeam, who analyzed ransomware samples, revealed the attack's initial details and the attackers' anonymity. 

As with most ransomware attacks, Interlock follows a typical pattern: the attackers breach corporate networks, steal sensitive information, copy the data and spread to other devices, encrypting files as they are copied. In addition to using double-extortion tactics, they also threaten to leak stolen data unless the victim pays a ransom of thousands to millions of dollars, depending on the size of the ransom. It is also the focus on FreeBSD that makes Interlock particularly unique, which illustrates why this operating system has a vital role to play in critical systems. 

A major characteristic of Interlock's ransomware is its direct targeting of FreeBSD servers, which are common in web hosting, mail servers, and storage systems. Unlike other ransomware groups that usually target Linux-based VMware ESXi servers, Interlock targets FreeBSD servers. Besides being integral to critical operations, these systems serve as lucrative targets for attackers. 

In spite of FreeBSD's popularity and essential services, its focus can also pose a challenge to cybersecurity professionals. In the initial testing phase of FreeBSD's encryptor, which was explicitly compiled for the FreeBSD 10.4 operating system, it did not prove easy to execute both the FreeBSD and Linux encryptors in controlled environments, since the encryptor is written as a 64-bit ELF executable. However, despite these hurdles, Trend Micro researchers discovered further samples of the encryption, confirming its functionality, strategic focus and capabilities. 

As a reminder of the vulnerabilities within critical infrastructure, Interlock has launched its attacks to increase awareness. The fact that it uses FreeBSD's own encryptor is a troubling development in ransomware tactics. This emphasizes the importance of strong security measures to safeguard against this increasing threat. To minimize the risk and impact of such cyberattacks, organizations should prioritize improving their security strategies.

It is recommended by Ilia Sotnikov, Security Strategist at Netwrix, that organizations use multi-layered security measures to prevent initial breaches, including firewalls and intrusion detection systems, as well as phishing defences. Interlock, a ransomware group that has been attacking organizations worldwide lately, has used an unusual approach of creating an encryptor to attack FreeBSD servers as a means of stealing data. 

Generally, FreeBSD is considered to be one of the most reliable operating systems available, so it is commonly used for critical functions. For example, the web host, mail server and storage systems are all potential targets for attackers, all of which can pose a lucrative threat. According to Sotnikov, depending on their configuration, a server may or may not be directly connected to the Internet, depending on their function. 

The security team should invest in defence-in-depth so that a potential attack is disrupted as early as possible so that every subsequent step for the attacker will be more difficult, and so that potentially harmful activity can be identified as fast as possible with the help of monitoring tools. Considering that the adversary is likely to access the FreeBSD server from inside the network, it might be a good idea to minimize standing privileges by implementing the zero trust principle, which means that a user should only have access to the permissions needed to achieve their tasks, sotnikov suggested.
Read more »
Subscribe to: Posts (Atom)