Analytics Story: Interlock Ransomware
Description
Leverage searches that allow you to detect and investigate unusual activities associated with Interlock Ransomware, such as unexpected file encryption patterns, anomalous process execution (e.g., PowerShell or CMD spawning from Office applications), and large-scale file renaming. Look for indicators including creation of ransom notes (e.g., !README!.txt), high volumes of file modifications in short time spans, and suspicious outbound connections to command-and-control infrastructure. Correlate these behaviors with privilege escalation attempts, scheduled tasks or registry changes, and endpoint detections tied to known Interlock payloads. Implement behavioral analytics and MITRE ATT&CK mappings (e.g., T1486 - Data Encrypted for Impact) to surface early signs of ransomware activity before full encryption occurs.
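As an added illustration of two of the file-activity behaviours listed above (this is example code, not part of this analytics story or its Splunk searches), the following Python applies a ransom-note filename check and a sliding-window count of file creations per process to constructed records shaped like Sysmon Event ID 11 (FileCreate). The event layout, the process path, the thresholds and all file names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like Sysmon Event ID 11 (FileCreate); not real telemetry.
# "suspect.exe" is a placeholder process path, not a known Interlock payload name.
DOCS = r"C:\Users\a\Documents"

def _ev(ts, pid, image, target):
    return {"time": ts, "pid": pid, "image": image, "target": target}

SAMPLE_EVENTS = [
    _ev("2024-10-01T10:00:05", 1200, r"C:\Windows\explorer.exe", DOCS + r"\notes.docx"),
    _ev("2024-10-01T10:03:10", 1200, r"C:\Windows\explorer.exe", r"C:\Users\a\Desktop\budget.xlsx"),
]
# 25 file creations by one process within 25 seconds, then the ransom note.
SAMPLE_EVENTS += [_ev(f"2024-10-01T10:10:{i:02d}", 4711, r"C:\ProgramData\suspect.exe",
                      DOCS + f"\\doc{i}.pdf") for i in range(25)]
SAMPLE_EVENTS.append(_ev("2024-10-01T10:10:30", 4711, r"C:\ProgramData\suspect.exe",
                         DOCS + r"\!README!.txt"))

# Ransom-note name taken from the story description; extend with other observed names.
RANSOM_NOTE_NAMES = {"!readme!.txt"}

def detect_ransom_notes(events):
    """Flag any FileCreate whose basename matches a known ransom-note name (case-insensitive)."""
    hits = []
    for e in events:
        name = e["target"].rsplit("\\", 1)[-1].lower()
        if name in RANSOM_NOTE_NAMES:
            hits.append((e["pid"], e["image"], e["target"]))
    return hits

def detect_create_bursts(events, threshold=20, window_seconds=60):
    """Per (pid, image), keep a sliding window of FileCreate timestamps and flag a process
    once `threshold` or more creations fall inside `window_seconds`. Returns the peak count."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda x: x["time"]):  # ISO-8601 strings sort chronologically
        key = (e["pid"], e["image"])
        t = datetime.fromisoformat(e["time"])
        q = recent[key]
        q.append(t)
        while t - q[0] > window:       # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged
```

Tune `threshold` and `window_seconds` against a baseline of the environment's normal file-creation rates (backup agents and build tools are the usual false positives) before alerting on the burst detection alone.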
Why it matters
The Interlock ransomware variant was first observed in late September 2024, targeting various business, critical infrastructure, and other organizations in North America and Europe. FBI maintains these actors target their victims based on opportunity, and their activity is financially motivated. FBI is aware of Interlock ransomware encryptors designed for both Windows and Linux operating systems; these encryptors have been observed encrypting virtual machines (VMs) across both operating systems. FBI observed actors obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups. Actors were also observed using the ClickFix social engineering technique for initial access, in which victims are tricked into executing a malicious payload under the guise of fixing an issue on the victim’s system. Actors then use various methods for discovery, credential access, and lateral movement to spread to other systems on the network.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Cisco Network Visibility Module Flow Data | | cisco:nvm:flowdata | not_applicable |
Cisco Secure Firewall Threat Defense Connection Event | N/A | cisco:sfw:estreamer | not_applicable |
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
Palo Alto Network Threat | | pan:threat | pan:threat |
Palo Alto Network Traffic | | pan:traffic | screenconnect_palo_traffic |
Powershell Script Block Logging 4104 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
Sysmon EventID 1 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 11 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 13 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 22 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 23 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 26 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 5 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 6 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log RemoteConnectionManager 1149 | | wineventlog | WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |
Windows Event Log Security 4688 | | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 5136 | | XmlWinEventLog | XmlWinEventLog:Security |
References
Source: GitHub | Version: 1