Threat Feed
high advisory

Interlock Ransomware Campaign Targeting Enterprise Firewalls

The Interlock ransomware campaign targets enterprise firewalls as its point of entry, encrypts data on systems reachable through them, and demands a ransom payment.

In this campaign the enterprise firewall is both the initial foothold and the pivot into the internal network. The objective is to encrypt data on the systems reachable through the compromised firewall, rendering them inoperable and causing significant business disruption. Details of the campaign’s initial discovery and scope remain limited, but its focus on firewalls indicates a targeted approach against organizations that depend heavily on these devices for perimeter defense. Because the delivery mechanism and the exploited vulnerabilities have not been published, organizations cannot rely on a single patch or signature; proactive threat hunting, firewall vulnerability management and the detections below are the available means of finding and containing an Interlock intrusion early.

Attack Chain

  1. Initial Access: The attacker gains a foothold on the firewall, potentially by exploiting a vulnerability in its management interface or VPN service.
  2. Firewall Compromise: The attacker converts that foothold into control of the device, either by exploiting a known vulnerability or by using stolen administrative credentials.
  3. Lateral Movement: The attacker uses the compromised firewall as a pivot point to reach the internal network, for example over SSH or with PsExec.
  4. Discovery: The attacker performs reconnaissance to identify valuable data stores reachable through the firewall, for example by scanning network shares or querying databases.
  5. Privilege Escalation: The attacker escalates privileges to obtain administrative access to critical systems, by exploiting vulnerabilities or harvesting credentials.
  6. Data Encryption: The attacker deploys the Interlock ransomware payload and encrypts data on the systems reached through the firewall.
  7. Ransom Demand: After encryption, the attacker drops a ransom note demanding payment for the decryption keys.
  8. Exfiltration (possible): Depending on the attacker’s goals, data may also be exfiltrated; when it occurs, it happens before the encryption in step 6.

Impact

A successful Interlock ransomware attack can cause significant data loss, business disruption and financial damage, and a data breach can add reputational damage and legal exposure. The targeted nature of the attack suggests a focus on organizations where a single firewall compromise exposes a large part of the network, potentially affecting hundreds or thousands of users or customers.

Recommendation

  • Enable enhanced logging on all enterprise firewalls so that login attempts (successful and failed), configuration changes and management-plane traffic are recorded and forwarded to the SIEM. The detection rules below depend on these events being available.
  • Require multi-factor authentication (MFA) for all administrative access to firewalls, and restrict the management interface to approved administrative networks, to reduce the impact of stolen credentials.
  • Patch and update firewall firmware promptly to close known vulnerabilities in the management interface and VPN services.
  • Deploy the Sigma rules provided in this brief to your SIEM and tune the thresholds and allow-lists for your environment.

Detection coverage (2 rules)

Detect Firewall Configuration Changes

high

Detects configuration changes on enterprise firewalls that are not attributable to an approved administrator, source or change window.

sigma tactics: defense_evasion, persistence techniques: T1562.004 (Impair Defenses: Disable or Modify System Firewall) sources: firewall, vendor_firewall

Detect Failed Login Attempts to Firewall Management Interface

medium

Detects repeated failed login attempts to the firewall management interface from the same source within a short window, which can indicate a brute-force or password-guessing attack; a success following the burst is a stronger signal still.

sigma tactics: credential_access, initial_access techniques: T1110.001 (Brute Force: Password Guessing) sources: firewall, vendor_firewall
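The two detections above, implemented in Python over a handful of constructed firewall log lines so the logic can be tested offline. This is an added example and not the advisory’s Sigma rules or any vendor’s log format: the syslog-like line layout, the `fw01` host, the IP addresses, the five-failures-in-five-minutes threshold, the `10.0.5.0/24` admin network and the `netops` approved account are all assumptions chosen for the example. It also goes slightly beyond the rule descriptions by correlating the two: a configuration commit coming from a source that has just brute-forced the management interface is flagged with that as an additional reason.

```python
"""Added example: firewall brute-force and unauthorized-config-change
detections run over constructed log lines (not the advisory's own rules)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs in a hypothetical vendor-neutral syslog-like format.
# Real firewalls use vendor-specific fields; adapt LINE_RE / KV_RE to yours.
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z fw01 auth: login failed user=admin src=203.0.113.7 iface=mgmt
2024-05-01T09:00:05Z fw01 auth: login failed user=admin src=203.0.113.7 iface=mgmt
2024-05-01T09:00:09Z fw01 auth: login failed user=root src=203.0.113.7 iface=mgmt
2024-05-01T09:00:12Z fw01 auth: login failed user=admin src=203.0.113.7 iface=mgmt
2024-05-01T09:00:15Z fw01 auth: login failed user=admin src=203.0.113.7 iface=mgmt
2024-05-01T09:00:30Z fw01 auth: login ok user=admin src=203.0.113.7 iface=mgmt
2024-05-01T09:01:02Z fw01 config: commit user=admin src=203.0.113.7 change="rule add allow any->10.0.0.0/8 tcp/445"
2024-05-01T10:15:00Z fw01 auth: login ok user=netops src=10.0.5.20 iface=mgmt
2024-05-01T10:16:10Z fw01 config: commit user=netops src=10.0.5.20 change="object update"
2024-05-01T10:20:00Z fw01 auth: login failed user=netops src=10.0.5.20 iface=mgmt
"""

# Hypothetical tuning values for the constructed environment.
FAIL_THRESHOLD = 5                                    # failures that trigger
FAIL_WINDOW = timedelta(minutes=5)                    # ...within this window
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]    # approved jump hosts
ADMIN_USERS = {"netops"}                              # approved change accounts

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<fac>\w+): (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m["msg"])}
    # The event name is whatever is left once the key=value pairs are removed.
    event = re.sub(r'\s*\w+=("[^"]*"|\S+)', "", m["msg"]).strip()
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "facility": m["fac"], "event": event, **fields}


def parse_logs(text):
    """Parse all lines, dropping anything unparsable; input is assumed in time order."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def detect_bruteforce(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """T1110.001: >= threshold failed mgmt-interface logins from one source
    inside a sliding window, tracked per (firewall, src). A slow trickle
    spread over hours does not fire; a burst does. One alert per source."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for e in events:
        if (e["facility"], e["event"], e.get("iface")) != ("auth", "login failed", "mgmt"):
            continue
        key = (e["host"], e.get("src"))
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": "failed_mgmt_logins", "host": key[0],
                           "src": key[1], "count": len(q), "ts": e["ts"]})
    return alerts


def detect_config_change(events, admin_nets=ADMIN_NETS, admin_users=ADMIN_USERS):
    """Config commits are unauthorized here when they come from outside the
    approved admin networks or from a non-approved account. A commit from a
    source that just brute-forced the mgmt interface gets an extra reason."""
    bf_srcs = {a["src"] for a in detect_bruteforce(events)}
    alerts = []
    for e in events:
        if (e["facility"], e["event"]) != ("config", "commit"):
            continue
        src = e.get("src")
        try:
            in_admin_net = any(ipaddress.ip_address(src) in n for n in admin_nets)
        except ValueError:          # missing or malformed source: treat as untrusted
            in_admin_net = False
        reasons = []
        if not in_admin_net:
            reasons.append("src outside admin networks")
        if e.get("user") not in admin_users:
            reasons.append("user not an approved change account")
        if src in bf_srcs:
            reasons.append("src recently brute-forced the mgmt interface")
        if reasons:
            alerts.append({"rule": "unauthorized_config_change", "host": e["host"],
                           "user": e.get("user"), "src": src,
                           "change": e.get("change"), "reasons": reasons})
    return alerts


def run(text=SAMPLE_LOGS):
    """Run both detections and return the combined alert list."""
    events = parse_logs(text)
    return detect_bruteforce(events) + detect_config_change(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the brute-force rule fires once, for `203.0.113.7` after its fifth failure, and the config-change rule fires once, for the `admin` commit from that same source, with all three reasons attached; the `netops` commit from the approved network and its single stray failure produce nothing. When porting this to a SIEM, the threshold, window and allow-lists are the parts to tune, and the sliding window matters: a fixed calendar bucket lets an attacker straddle the boundary and stay under the count.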
