The Interlock ransomware group has become a significant cybersecurity threat, focusing on educational institutions in the US and UK. The group distinguishes itself by operating as a small, independent team rather than under the common Ransomware-as-a-Service (RaaS) model.
Unlike larger operations, Interlock develops and manages its own malware, retaining control over its entire attack chain. Its operations display a high degree of sophistication: attacks begin with MintLoader infections, often delivered through ‘ClickFix’ social engineering tactics.
Advanced Attack Techniques
Upon infiltrating a system, usually with the help of a JavaScript implant known as NodeSnakeRAT, the attackers proceed to move laterally through the network. They utilize legitimate user accounts and existing system utilities to maintain persistence and thoroughly explore the compromised environment. The consequences of such an intrusion are devastating, as it typically results in both the encryption and theft of sensitive data.
The group employs tools like AzCopy to transfer large volumes of data to cloud storage before unleashing its ransomware, a double-extortion approach. This ensures leverage over victims even when backups are available.
Security Evasion Tactics
According to Fortinet analysts, Interlock uses a specialized array of tools to disable security protections after gaining access. This allows the ransomware to run unhindered on both Windows and Nutanix hypervisor platforms.
One of their key tools, dubbed ‘Hotta Killer,’ is designed to disable Endpoint Detection and Response (EDR) and antivirus (AV) systems. This tool leverages a ‘Bring Your Own Vulnerable Driver’ (BYOVD) method, exploiting a zero-day vulnerability in a legitimate gaming anti-cheat driver.
Exploiting Zero-Day Vulnerabilities
The gaming driver vulnerability, identified as CVE-2025-61155, enables Interlock to execute privileged operations by loading a renamed copy of the driver, thereby subverting security measures. The ‘Hotta Killer’ tool, implemented as a DLL file, is injected into system processes to conceal its actions. It creates symbolic links to interact with the vulnerable driver and passes the Process IDs of security software processes to the driver so that they are terminated.
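As an added illustration (not code from the article or from Fortinet), the following shows detection logic a defender could run over Sysmon DriverLoad (Event ID 6) records to catch the renamed-driver pattern described above: a driver whose hash is on a vulnerable-driver list but whose on-disk name differs from the original. The blocklist hashes, file names and log lines are constructed placeholders, not indicators from this campaign.

```python
"""Flag BYOVD-style driver loads in Sysmon Event ID 6 (DriverLoad) records.

Constructed example: the hashes, driver names and events below are placeholders,
not indicators from the Interlock campaign.
"""
import json
from pathlib import PureWindowsPath

# Placeholder blocklist: SHA256 of a known-vulnerable driver -> its original file name.
# Constructed values; a real deployment would load a maintained vulnerable-driver list.
VULNERABLE_DRIVERS = {
    "a" * 64: "anticheat_example.sys",
}
DRIVER_DIR = r"c:\windows\system32\drivers"


def parse_hashes(field):
    """Sysmon formats Hashes as 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..'."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


def classify_driver_load(event):
    """Return a finding string for a suspicious DriverLoad event, else None."""
    if event.get("EventID") != 6:
        return None
    path = PureWindowsPath(event.get("ImageLoaded", ""))
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    original = VULNERABLE_DRIVERS.get(sha256)
    if original:
        if path.name.lower() != original.lower():
            return f"renamed known-vulnerable driver: {path.name} (original {original})"
        return f"known-vulnerable driver loaded: {path.name}"
    # A valid signature does not clear a driver: BYOVD relies on legitimately signed
    # drivers, so also flag loads from outside the normal driver directory.
    if not str(path).lower().startswith(DRIVER_DIR):
        return f"driver loaded from non-standard path: {path}"
    return None


def scan(lines):
    """Run the classifier over JSON-encoded Sysmon events; return the findings."""
    return [f for f in (classify_driver_load(json.loads(l)) for l in lines) if f]


SAMPLE_EVENTS = [  # constructed Sysmon Event ID 6 records, one JSON object per line
    '{"EventID": 6, "ImageLoaded": "C:\\\\Windows\\\\System32\\\\drivers\\\\tcpip.sys", "Hashes": "SHA256=' + "b" * 64 + '", "Signed": "true"}',
    '{"EventID": 6, "ImageLoaded": "C:\\\\Users\\\\Public\\\\svchlp.sys", "Hashes": "SHA256=' + "a" * 64 + '", "Signed": "true"}',
    '{"EventID": 6, "ImageLoaded": "C:\\\\ProgramData\\\\upd.sys", "Hashes": "SHA256=' + "c" * 64 + '", "Signed": "true"}',
]
```

Running `scan(SAMPLE_EVENTS)` yields one finding for the renamed placeholder driver and one for the load from a non-standard path, while the legitimate driver produces nothing.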
To counter such threats, organizations should enforce strict policies against unauthorized remote access software and limit workstation-to-workstation SMB and RDP connections. Additionally, blocking outbound PowerShell network activity can hinder the download of malicious software.
