# Full Report
The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. [...]
# Analysis Summary
# Threat Actor: Interlock Ransomware Gang
## Attribution & Identity
The threat actor is identified as the **Interlock ransomware gang**. The method described (ClickFix attacks) has also been adopted by other threat actors, including North Korean hackers like the Lazarus group.
## Activity Summary
The Interlock gang is actively pushing malicious installers disguised as legitimate IT tools (specifically a fake version of **AdvanceIPScanner**) through social engineering tactics referred to as **ClickFix attacks**. These campaigns aim to gain an initial foothold, deploy various malware, establish persistence, and ultimately execute the Interlock ransomware, often preceded by data exfiltration. The ransom note has evolved to focus on the legal ramifications and regulatory consequences of data breaches.
## Tactics, Techniques & Procedures
- **Initial Access (TA0001):** Social engineering via 'ClickFix' bait websites hosting fake IT tools.
- **Execution (TA0002):** Interaction with a 'Fix it' button that copies a malicious PowerShell command to the clipboard, which the victim then executes.
- **Defense Evasion (TA0005):** The malicious payload installs the legitimate software while simultaneously executing an embedded PowerShell script in a hidden window.
- **Persistence (TA0003):** Registering a **Run key** in the Windows Registry.
- **Credential Access (TA0006):** Deployment of information stealers (LummaStealer, BerserkStealer) and keyloggers.
- **Lateral Movement (TA0008):** Use of stolen credentials for RDP, as well as leveraging legitimate remote access tools like PuTTY, AnyDesk, and LogMeIn.
- **Exfiltration (TA0010):** Uploading exfiltrated data to attacker-controlled **Azure Blobs**.
- **Impact (TA0040):** Execution of the Interlock ransomware, additionally scheduled to run daily at 08:00 PM via a scheduled task as a redundancy measure.
## Targeting
- Sectors: Not explicitly detailed; the lure implies organizations whose staff download and use IT management tools.
- Geography: Not specified.
- Victims: Unspecified organizations targeted by the ClickFix distribution method.
## Tools & Infrastructure
- **Malware families used:**
  - Interlock RAT (a simple trojan supporting file exfiltration, shell execution, and running malicious DLLs).
  - LummaStealer
  - BerserkStealer
  - Keyloggers
- **Infrastructure:**
  - C2 infrastructure responding with various payloads.
  - Attacker-controlled **Azure Blobs** used for data exfiltration.
## Implications
The use of the 'ClickFix' social engineering vector, designed to mimic legitimate IT support or scanning tools, lowers the barrier to entry for initial compromise. The combination of deploying powerful stealers (Lumma/Berserk) *before* deploying the final ransomware payload suggests a comprehensive extortion approach combining data theft with encryption. The modification of the ransom note highlights an increased understanding of GDPR/regulatory pressure.
## Mitigations
- Implement rigorous security awareness training focusing on identifying sophisticated social engineering lures disguised as legitimate software downloads or IT support materials (ClickFix vector).
- Monitor for the execution of PowerShell scripts sourced from unexpected locations or initiated by user interaction with seemingly benign files/websites.
- Implement strong controls and monitoring around the use of remote access tools (RDP, AnyDesk, PuTTY, LogMeIn), especially where their use follows suspected credential harvesting.
- Monitor for new persistence mechanisms being established via Windows Registry Run keys.
- Harden Azure Blob storage configurations accessible externally to prevent unauthorized uploads.
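The following is an added detection example, not part of the original report: it triages constructed Windows process-creation records for three behaviours listed above (hidden-window PowerShell launched from a user-facing shell, Run-key persistence via reg.exe, and a daily scheduled task via schtasks.exe). The sample events, file paths and value/task names are invented, and the assumption that the victim's PowerShell is parented by explorer.exe or cmd.exe is mine.

```python
"""Triage constructed process-creation events for the ClickFix, Run-key and
scheduled-task behaviours described in the summary (example code, not the report's)."""
import re
from dataclasses import dataclass

# Assumption: the victim pastes the copied command into the Run dialog or a console.
USER_PARENTS = {"explorer.exe", "cmd.exe"}

@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # parent image name
    image: str    # created image name
    cmdline: str  # full command line

HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden\b", re.IGNORECASE)
ENCODED_CMD = re.compile(r"-(e|ec|enc|encodedcommand)\s+\S+", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
SCHTASK_DAILY = re.compile(r"/create\b.*?/sc\s+daily\b", re.IGNORECASE)

# Constructed sample events; paths, value name and task name are invented.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <BASE64_PLACEHOLDER>"),
    ProcessEvent("powershell.exe", "reg.exe",
                 r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\Public\u.exe"),
    ProcessEvent("powershell.exe", "schtasks.exe",
                 r"schtasks /create /sc daily /st 20:00 /tn Sync /tr C:\Users\Public\s.exe"),
    ProcessEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),          # benign
    ProcessEvent("explorer.exe", "powershell.exe", r"powershell.exe -File C:\Scripts\inventory.ps1"),  # benign
]

def classify(ev: ProcessEvent) -> list[str]:
    """Return the detection tags that fire for one process-creation event."""
    tags = []
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline
    if image in ("powershell.exe", "pwsh.exe") and parent in USER_PARENTS:
        if HIDDEN_WINDOW.search(cmd):
            tags.append("hidden_powershell_from_user_shell")
        if ENCODED_CMD.search(cmd):
            tags.append("encoded_powershell_from_user_shell")
    if image == "reg.exe" and re.search(r"\badd\b", cmd, re.I) and RUN_KEY.search(cmd):
        tags.append("run_key_persistence")
    if image == "schtasks.exe" and SCHTASK_DAILY.search(cmd):
        tags.append("daily_scheduled_task")
    return tags

def triage(events):
    """Map event index -> tags for every event that fired at least one tag."""
    return {i: t for i, ev in enumerate(events) if (t := classify(ev))}
```

In a real deployment the same predicates would run over Sysmon Event ID 1 or Security 4688 records with command-line logging enabled; the two benign events show that a visible, script-file PowerShell launch from explorer.exe does not fire.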