Interlock ransomware attacks highlight the need for stricter security standards for critical infrastructure
- Permanent privileges can be minimized using the zero trust principle
- Critical servers can be protected by enabling just-in-time access
- FreeBSD prisons can help isolate workloads and improve defenses
A recently discovered ransomware group has been observed targeting organizations with a focus on FreeBSD servers.
Launched in late September 2024, the operation uses a unique approach, using an encryptor designed specifically for FreeBSD.
Interlock has already claimed attacks on six organizations, including Wayne County, Michigan, which suffered a cyberattack in October 2024.
Interlock’s FreeBSD encryptor sets it apart
The first information about Interlock came from cybersecurity professionals Simo And MalwareHunterTeamwho analyzed samples of the ransomware.
Interlock’s attack method involves breaching corporate networks, stealing data, spreading laterally to other devices, and encrypting files. The attackers use dual extortion tactics and threaten to leak stolen data unless a ransom is demanded, ranging from hundreds of thousands to millions of dollars.
Unlike other ransomware groups that typically target Linux-based VMware ESXi servers, Interlock’s focus on FreeBSD encryptors makes it particularly unique. FreeBSD’s extensive use in critical infrastructure and servers makes it a prime target for disrupting vital services and pressuring victims to pay significant ransoms.
The FreeBSD encryptor was compiled specifically for FreeBSD 10.4 and is a 64-bit ELF executable. However, testing the sample on both Linux and FreeBSD virtual machines proved challenging, as it could not run correctly in controlled environments.
Despite this, Trend Micro researchers discovered additional samples of the FreeBSD encryptor, confirming its functionality. They pointed out the strategic choice of FreeBSD, emphasizing its prevalence in critical systems, where attacks can cause widespread disruption.
Although the FreeBSD version presented challenges during analysis, Interlock’s Windows encryptor functions effectively. It clears event logs and, if configured, uses rundll32.exe to delete the binary after execution. The ransomware adds an “.interlock” extension to encrypted files and creates ransom notes named “!README!.txt” in affected folders.
These notes provide basic information about the encryption, threats, and links to Tor-based negotiation and data leak sites. Each victim is given a unique ‘Company ID’ for communicating with the attackers via a chat system.
Ilia Sotnikov, security strategist at Netwrix, advises organizations to deploy multi-layered security measures, including network and web application firewalls, intrusion detection systems and phishing defenses to prevent initial breaches.
“The ransomware group Interlock recently attacked organizations around the world, taking the unusual approach of creating an encryptor that targeted FreeBSD servers. The FreeBSD operating system is known for its reliability and is therefore often used for critical functions. Examples include web hosting, mail servers and storage systems, all potentially lucrative targets for the attackers. Depending on the function and configuration, the server may or may not be directly connected to the Internet,” Sotnikov said.
“Security teams must invest in defense in depth, to interrupt a potential attack at an early stage, complicate each subsequent step for the attacker, and detect the potentially malicious activity as quickly as possible using monitoring tools… Since the adversary most likely to access the FreeBSD server from the network, it may be a good idea to minimize standing privileges by implementing the zero trust principle, which gives a user only the necessary permissions to perform their tasks feed,” added Sotnikov added.
Via BleepingComputer