Analytics Story: Interlock Ransomware
Description
Leverage searches that allow you to detect and investigate unusual activities associated with Interlock Ransomware, such as unexpected file encryption patterns, anomalous process execution (e.g., PowerShell or CMD spawning from Office applications), and large-scale file renaming. Look for indicators including creation of ransom notes (e.g., !README!.txt), high volumes of file modifications in short time spans, and suspicious outbound connections to command-and-control infrastructure. Correlate these behaviors with privilege escalation attempts, scheduled tasks or registry changes, and endpoint detections tied to known Interlock payloads. Implement behavioral analytics and MITRE ATT&CK mappings (e.g., T1486 - Data Encrypted for Impact) to surface early signs of ransomware activity before full encryption occurs.
Why it matters
The Interlock ransomware variant was first observed in late September 2024, targeting various business, critical infrastructure, and other organizations in North America and Europe. FBI maintains these actors target their victims based on opportunity, and their activity is financially motivated. FBI is aware of Interlock ransomware encryptors designed for both Windows and Linux operating systems; these encryptors have been observed encrypting virtual machines (VMs) across both operating systems. FBI observed actors obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups. Actors were also observed using the ClickFix social engineering technique for initial access, in which victims are tricked into executing a malicious payload under the guise of fixing an issue on the victim’s system. Actors then use various methods for discovery, credential access, and lateral movement to spread to other systems on the network.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Powershell Script Block Logging 4104 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
|
| Sysmon EventID 11 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 1 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Palo Alto Network Threat | pan:threat |
not_applicable |
|
| Windows Event Log Security 4688 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor |
crowdstrike |
| Windows Event Log RemoteConnectionManager 1149 | wineventlog |
WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational |
|
| Windows Event Log Security 5136 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Sysmon EventID 17 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 18 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 13 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Palo Alto Network Traffic | pan:traffic |
not_applicable |
|
| Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer |
not_applicable |
| Sysmon EventID 26 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 23 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Cisco Network Visibility Module Flow Data | cisco:nvm:flowdata |
not_applicable |
|
| Sysmon EventID 22 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 6 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 5 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
References
Source: GitHub | Version: 2