Interlock Ransomware: New Techniques, Same Old Tricks
Summary:
A recent investigation by FortiGuard Labs highlights the evolving tactics of the Interlock ransomware group, a non-Ransomware-as-a-Service (RaaS) entity that maintains exclusive control over its malware development and operations. The group recently targeted a North American educational institution, utilizing a multi-phase intrusion strategy that began with a MintLoader infection to deploy "NodeSnakeRAT" (also known as CORNFLAKE). Over several months, the actors maintained low-profile persistence before escalating to data exfiltration and the deployment of a novel "Bring Your Own Vulnerable Driver" (BYOVD) tool dubbed "Hotta Killer." This tool exploits a zero-day vulnerability in a gaming anti-cheat driver to disable Endpoint Detection and Response (EDR) and antivirus solutions. The intrusion culminated in the encryption of Windows and Nutanix environments, using a custom ransomware variant that appended unique extensions such as .gif and .!nt3rlock.
Beyond the initial infection, the group demonstrated a sophisticated approach to data theft by utilizing legitimate administrative tools to blend in with normal network traffic. During the later stages of the campaign, the threat actors employed AZcopy to exfiltrate massive volumes of sensitive data to attacker-controlled infrastructure. This exfiltration process was highly targeted, focusing on specific file types and directories while avoiding system files that might trigger stability alerts or early detection. The operation’s final phase involved lateral movement via RDP and the use of PsExec to distribute the ransomware payload across the broader network, showcasing a seamless transition from long-term espionage to high-impact financial extortion.
Security Officer Comments:
It is critical to recognize that Interlock’s shift away from the RaaS model suggests a more disciplined and potentially stealthier adversary. Their use of "Hotta Killer" to blind security products represents a significant escalation in technical capability, specifically targeting the very tools our IT teams rely on for visibility. For our sector, this means that "silence" from an EDR console may no longer indicate a clean environment; it could instead signal a successful bypass. The extended "dwell time" observed, where the actors remained dormant for months, indicates they are patient and likely waiting for optimal windows of network activity to move laterally. Organizations across our broad membership, particularly those in education and critical infrastructure, should assume that sophisticated actors are increasingly targeting secondary or unmanaged endpoints to gain a foothold before jumping to core application servers.
Suggested Corrections:
FortiGuard Labs has published the following mitigations:
Despite some notable deviations in this intrusion flow compared to intrusions associated with the more common Ransomware-as-a-Service (RaaS) affiliates, the practical recommendations for mitigating intrusions or detecting intrusions continue to align with best practices. The following three recommendations below do not require significant resource investment to implement and offer extremely high ROI in the context of the wider ransomware threat.
- Block the execution of known remote access software explicitly where it is not required to meet standard business needs. Where remote access software is required, scope exclusions to allow legitimate use. As with any type of block, create a detection rule to identify any attempted use of remote access software and monitor it as a high priority. This functionality can be implemented through any suitable EDR solution and should be considered essential basic EDR functionality. It may also be implemented through a suitable NGFW.
  Intrusion Impact: Force adversaries to operate using less functional, more overt accesses to slow down the intrusion, reduce efficacy, increase the likelihood of detectable behavior by the adversary and their tooling, and increase the effective defender response window.
- Block workstation-to-workstation SMB and RDP connections. There is a very limited need to use workstation-to-workstation SMB or RDP, and organizations that have business or administrative processes that require this behavior should develop alternative solutions that align with modern administrative best practices. These blocks can be established using the Windows firewall to block inbound SMB and RDP connections on any endpoints that are not domain controllers, SMB file servers, or hosting SMB shares for core business needs. High-priority alerts should be built around workstation-to-workstation SMB and RDP connection attempts. There are very limited false positives associated with this activity.
  Intrusion Impact: Blocks to common lateral movement pathways used for large scale ransomware deployment and lateral movement increase the time to impact, minimize the breadth of impact, create detection opportunities, and increase the effective defender response window.
- Block outbound PowerShell network connections. There is very limited need for standard users within a corporate network to perform web requests using PowerShell. However, this technique was employed as part of the initial loader that started this campaign and is a common part of other ClickFix and FileFix infections. Blocking all outbound connections associated with PowerShell and PowerShell_ISE and implementing high-priority alerts for this behavior is effective at mitigating these prevalent initial access techniques. Like the previous recommendation, this change can be easily implemented at a basic level using the Windows firewall.
  Intrusion Impact: Denies the adversary the ability to use basic PowerShell download cradles to establish an initial foothold in a network, preventing initial access and providing notification of a current campaign that may be targeting the organization so defenders can identify other potential victims.
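The two Windows Firewall recommendations above (inbound SMB/RDP on workstations, outbound PowerShell), as an added example that is not code from the FortiGuard blog or this advisory. It assumes an elevated session on a standard workstation (not a domain controller, file server or SMB share host); the rule group name and the 24-hour review window are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added example; not code from the FortiGuard blog or this advisory.
# Assumes an elevated PowerShell session on a standard workstation.

# Recommendation 2: block inbound SMB (TCP 445) and RDP (TCP 3389) on workstations.
# Windows Firewall block rules take precedence over allow rules, so these override
# any existing "File and Printer Sharing" / "Remote Desktop" allow rules.
foreach ($svc in @(@{Name = 'SMB'; Port = 445}, @{Name = 'RDP'; Port = 3389})) {
    New-NetFirewallRule -DisplayName "Block inbound $($svc.Name) on workstations" `
        -Group 'Ransomware lateral movement blocks' -Direction Inbound `
        -Protocol TCP -LocalPort $svc.Port -Action Block -Profile Any -Enabled True | Out-Null
}

# Recommendation 3: block outbound connections from powershell.exe and
# powershell_ise.exe (64- and 32-bit hosts). pwsh.exe (PowerShell 7) is not named
# in the advisory; add its install path here if it is present.
$PsHosts = foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
    foreach ($exe in 'powershell.exe', 'powershell_ise.exe') {
        Join-Path $dir "WindowsPowerShell\v1.0\$exe"
    }
}
foreach ($exe in $PsHosts) {
    if (Test-Path $exe) {
        New-NetFirewallRule -DisplayName "Block outbound $exe" `
            -Group 'Ransomware lateral movement blocks' -Direction Outbound `
            -Program $exe -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# Detection half: audit dropped connections so the high-priority alerts the
# advisory asks for can be built. Security event 5157 (WFP blocked a connection)
# records the application path, direction, addresses and ports.
auditpol.exe /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# Review the last 24 hours of blocks that match these rules.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; App = $d.Application
                           Src = $d.SourceAddress; Dst = $d.DestAddress; Port = $d.DestPort }
    } |
    Where-Object { $_.App -match 'powershell' -or $_.Port -in 445, 3389 } |
    Format-Table -AutoSize
```

Event 5157 reports the application as a device path (for example \device\harddiskvolumeN\...\powershell.exe), which is why the filter matches on the substring rather than the full path; forward these events to the SIEM rather than reviewing them only locally.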
Link(s):
https://www.fortinet.com/blog/threat-research/interlock-ransomware-new-techniques-same-old-tricks