A new ransomware group, Interlock, has recently targeted organisations focusing on FreeBSD servers. The operation began in late September 2024 and used a unique encryptor designed for FreeBSD systems, setting it apart from other ransomware attacks.
The Interlock ransomware and its FreeBSD focus
Interlock has already claimed attacks on several organisations, including Wayne County, Michigan, which fell victim to a cyberattack in October 2024. The ransomware’s distinctive feature is its use of an encryptor designed specifically for FreeBSD, an operating system widely used in critical infrastructure.
1/2 During last ransomware IR (new Interlock).I’ve found what it seems to be "Supper" backdoor (that name come from few AV vendors).The TA used multiple versions of that backdoor , a dll executed via rundll32.The dll is packed and I’ve dumped it with pe-sieve (🙏 @hasherezade).
— Simo (@nembo81pr) October 2, 2024
"start.old", looks Interlock gang’s x64 Linux ransomware sample: e86bb8361c436be94b0901e5b39db9b6666134f23cce1e5581421c2981405cb1
— MalwareHunterTeam (@malwrhunterteam) October 9, 2024
🤔 pic.twitter.com/vKx2nGMuUB
Cybersecurity experts Simo and MalwareHunterTeam, who analysed samples of the ransomware, uncovered the initial details of the attack. Interlock’s attack method follows a typical ransomware pattern: the attackers breach corporate networks, steal sensitive data, and spread to other devices, encrypting files along the way. They use double-extortion tactics, threatening to leak stolen data unless the victim pays a ransom, which can range from hundreds of thousands to millions of dollars.
Why FreeBSD is a prime target
What makes Interlock particularly unique is its focus on FreeBSD, a choice that highlights the importance of this operating system in critical systems. Unlike other ransomware groups that often target Linux-based VMware ESXi servers, Interlock aims directly at FreeBSD servers, common in web hosting, mail servers, and storage systems. These systems are integral to critical functions, making them lucrative targets for attackers.
While FreeBSD’s popularity in essential services makes it an attractive target, its focus also challenges cybersecurity professionals. The FreeBSD encryptor, explicitly compiled for FreeBSD 10.4, is a 64-bit ELF executable. However, executing in controlled environments on both Linux and FreeBSD virtual machines proved difficult during initial testing. Despite these hurdles, Trend Micro researchers discovered further samples of the encryptor, confirming its functionality and strategic focus.
Advice for organisations to improve security
Interlock’s attack highlights the need for stronger security measures across critical infrastructure. Ilia Sotnikov, a Security Strategist at Netwrix, advises organisations to implement multi-layered security strategies. These should include network and web application firewalls, intrusion detection systems, and phishing defences to prevent initial breaches.
Sotnikov explains, “The FreeBSD operating system is known for its reliability and is commonly used for critical functions. Examples include web hosting, mail servers, and storage systems, all potentially lucrative targets for the attackers. Depending on the configuration, the server may or may not be directly connected to the Internet.”
Sotnikov recommends investing in defence-in-depth strategies to disrupt attacks early and complicate the attacker’s actions. He also stresses the importance of monitoring tools to detect harmful activity quickly. A key recommendation is to implement the zero-trust principle, which ensures that users only have the minimum necessary permissions to perform their tasks, minimising the risk of internal breaches.
The Interlock ransomware group’s attacks are a stark reminder of the vulnerabilities within critical infrastructure. Its use of a FreeBSD-specific encryptor marks a troubling development in ransomware tactics, underscoring the need for robust security measures to protect against this growing threat. Organisations should prioritise improved security strategies to mitigate the risk and impact of such cyberattacks.
