- Standing privilege can be minimized using the zero trust principle
- Critical servers can be protected by enabling just-in-time access
- FreeBSD jails can help to isolate workloads and enhance defense
A recently discovered ransomware group has been observed targeting organizations with a focus on FreeBSD servers.
Launched in late September 2024, the operation employs a unique approach, using an encryptor specifically designed for FreeBSD.
Interlock has already claimed attacks on six organizations, including Wayne County, Michigan, which experienced a cyberattack in October 2024.
Interlock’s FreeBSD encryptor sets it apart
Initial information about Interlock came from cybersecurity professionals Simo and MalwareHunterTeam, who analyzed samples of the ransomware.
Interlock’s attack method involves breaching corporate networks, stealing data, spreading laterally to other devices, and encrypting files. The attackers use double-extortion tactics and threats of leaking stolen data unless ransom demands, ranging from hundreds of thousands to millions of dollars, are paid.
Unlike other ransomware groups that typically target Linux-based VMware ESXi servers, Interlock’s focus on FreeBSD encryptors makes it particularly unique. FreeBSD’s extensive use in critical infrastructure and servers makes it a prime target for disrupting vital services and pressuring victims to pay substantial ransoms.
The FreeBSD encryptor was compiled specifically for FreeBSD 10.4 and is a 64-bit ELF executable. However, testing the sample on both Linux and FreeBSD virtual machines proved challenging, as it failed to execute properly in controlled environments.
Despite this, Trend Micro researchers discovered additional samples of the FreeBSD encryptor, confirming its functionality. They noted the strategic choice of FreeBSD, highlighting its prevalence in critical systems, where attacks can cause widespread disruption.
While the FreeBSD version has presented challenges during analysis, Interlock’s Windows encryptor functions effectively. It clears event logs and, if configured, uses rundll32.exe to delete its binary after execution. The ransomware appends a “.interlock” extension to encrypted files and creates ransom notes named “!README!.txt” in affected folders.
These notes provide basic information about the encryption, threats, and links to Tor-based negotiation and data leak sites. Each victim receives a unique “Company ID” for communication with the attackers via a chat system.
Ilia Sotnikov, Security Strategist at Netwrix, advises organizations to deploy multi-layered security measures, including network and web application firewalls, intrusion detection systems, and phishing defenses to prevent initial breaches.
“The ransomware group Interlock has recently been attacking organizations worldwide, taking the unusual approach of creating an encryptor to target FreeBSD servers. The FreeBSD operating system is known for its reliability and is therefore commonly used for critical functions. Examples include web hosting, mail servers, and storage systems, all potentially lucrative targets for the attackers. Depending on the function and the configuration, the server may or may not be directly connected to the Internet, “ said Sotnikov.
“Security teams should invest in defence-in-depth, to disrupt a potential attack at an early stage, complicate each further step for the attacker, and detect the potentially harmful activity as quickly as possible with the help of monitoring tools…Since the adversary is most likely to access the FreeBSD server from inside the network, it may be a good idea to minimize standing privilege by implementing the zero trust principle, which allows a user only the necessary permissions to perform their tasks,” Sotnikov added.
Via BleepingComputer
Leave a comment