Unwrapping the emerging Interlock ransomware attack

    Date: 11/08/2024

    Severity: Medium

    Summary

    "Unwrapping the Emerging Interlock Ransomware Attack" explores the rise of the Interlock ransomware, a new and increasingly sophisticated cyber threat. The article examines how this ransomware operates, its tactics, and the potential risks it poses to organizations. Interlock is known for its highly targeted attacks, often focusing on critical infrastructure and sensitive industries. The ransomware is designed to encrypt files and demand a ransom, but it also has unique features that make it stand out from other ransomware variants, such as a focus on data exfiltration and the use of complex encryption methods. The article also discusses strategies for detection and mitigation, emphasizing the growing need for proactive cybersecurity measures to defend against this emerging threat.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://rvthereyet.com/wp-admin/images/rsggj.php

    https://apple-online.shop/ChromeSetup.exe

    http://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/cht

    http://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/klg

    IP Address

    23.95.182.59

    195.201.21.34

    159.223.46.184

    Hash

    c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f
    
    a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642
    
    e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "https://rvthereyet.com/wp-admin/images/rsggj.php" or url like "https://rvthereyet.com/wp-admin/images/rsggj.php" or userdomainname like "https://apple-online.shop/ChromeSetup.exe" or url like "https://apple-online.shop/ChromeSetup.exe" or userdomainname like "http://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/cht" or url like "http://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/cht" or userdomainname like "http://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/klg" or url like "http://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/klg"

    Detection Query 2

    dstipaddress IN ("23.95.182.59","195.201.21.34","159.223.46.184") or ipaddress IN ("23.95.182.59","195.201.21.34","159.223.46.184") or publicipaddress IN ("23.95.182.59","195.201.21.34","159.223.46.184") or srcipaddress IN ("23.95.182.59","195.201.21.34","159.223.46.184")

    Detection Query 3

    sha256hash IN ("c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f","a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642","e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1")
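The three queries above are each an OR of exact matches against the advisory's URL, IP and SHA-256 IOCs. As an added example, not part of the advisory and not Gurucul's own code, the following stand-alone Python script applies the same three checks to raw log lines and adds a broader hostname check that the exact-URL form of Query 1 would miss if only the path changed. The IOC values are copied from the list above; the sample log lines, the private and documentation-range addresses in them, and the second rvthereyet.com path are constructed for the demonstration.

```python
"""Offline IOC matcher mirroring the three TDIR detection queries above."""
import re
from urllib.parse import urlparse

# IOC values copied from the advisory's IOC list.
IOC_URLS = {
    "https://rvthereyet.com/wp-admin/images/rsggj.php",
    "https://apple-online.shop/ChromeSetup.exe",
    "http://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/cht",
    "http://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/klg",
}
IOC_IPS = {"23.95.182.59", "195.201.21.34", "159.223.46.184"}
IOC_SHA256 = {
    "c9920e995fbc98cd3883ef4c4520300d5e82bab5d2a5c781e9e9fe694a43e82f",
    "a26f0a2da63a838161a7d335aaa5e4b314a232acc15dcabdb6f6dbec63cda642",
    "e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1",
}
# Hostnames derived from the IOC URLs; used by the broader 'host' check.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def match_iocs(line):
    """Return a dict of IOC hits found in one log line.

    Keys mirror the advisory's queries: 'url' (Query 1), 'ip' (Query 2),
    'sha256' (Query 3). 'host' is an added, broader check (an assumption of
    this example, not part of the advisory's queries) that flags any URL whose
    hostname belongs to an IOC URL, which an exact-string match would miss when
    only the path differs.
    """
    urls = set(URL_RE.findall(line))
    hits = {
        "url": {u for u in urls if u in IOC_URLS},
        "host": {u for u in urls if urlparse(u).hostname in IOC_HOSTS},
        "ip": {ip for ip in IPV4_RE.findall(line) if ip in IOC_IPS},
        "sha256": {h.lower() for h in SHA256_RE.findall(line)
                   if h.lower() in IOC_SHA256},
    }
    return {k: v for k, v in hits.items() if v}


def scan(lines):
    """Return (line_number, hits) for every line with at least one IOC hit."""
    results = []
    for n, line in enumerate(lines, start=1):
        hits = match_iocs(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample log lines (not from the advisory). Internal hosts use
# RFC 1918 addresses and non-IOC destinations use the 203.0.113.0/24
# documentation range.
SAMPLE_LOGS = [
    '2024-11-08T10:15:01Z proxy src=10.0.0.25 dst=23.95.182.59 '
    'url="http://23.95.182.59/31279geuwtoisgdehbiuowaehsgdb/cht" action=allow',
    '2024-11-08T10:15:09Z proxy src=10.0.0.25 dst=203.0.113.5 '
    'url="https://example.org/index.html" action=allow',
    '2024-11-08T10:16:30Z edr host=WS-042 process=ChromeSetup.exe '
    'sha256=C9920E995FBC98CD3883EF4C4520300D5E82BAB5D2A5C781E9E9FE694A43E82F',
    '2024-11-08T10:17:02Z fw src=10.0.0.31 dst=195.201.21.34 dport=443 action=deny',
    '2024-11-08T10:17:40Z proxy src=10.0.0.40 dst=203.0.113.10 '
    'url="https://apple-online.shop/ChromeSetup.exe" action=block',
    # Constructed path on an IOC domain: caught by 'host', not by exact 'url'.
    '2024-11-08T10:18:11Z proxy src=10.0.0.52 dst=203.0.113.77 '
    'url="https://rvthereyet.com/wp-admin/images/other-path.php" action=allow',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        summary = "; ".join(f"{k}={sorted(v)}" for k, v in sorted(hits.items()))
        print(f"line {n}: {summary}")
```

Hashes are normalised to lowercase before comparison because EDR products differ in case, and a line carrying the 23.95.182.59 URL hits Query 1 and Query 2 at once, which matches the OR semantics of the original queries. The last sample line shows why the hostname check is worth running alongside the exact-URL query.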

    Reference: 

    https://blog.talosintelligence.com/emerging-interlock-ransomware/ 

    Tags

    Malware, Ransomware, Exfiltration
