MOXFIVE has identified INTERLOCK, a newly emerging ransomware variant, currently targeting organizations in the Healthcare sector. This group has shown a focus on virtual environments, leveraging tactics to compromise systems and disrupt operations. Notably, INTERLOCK initiates command-and-control (C2) through a scheduled task over an anonymized network, adding to its stealth and sophistication. As INTERLOCK makes its debut, it highlights the need for continuous vigilance in vulnerability management across healthcare systems.
‍
What We Know:

• Target Industry: Healthcare
• Suspected Entry Point:  Exploited vulnerability
• Attack Scope:  Only targeted virtual machines (VMs), leaving workstations and physical servers unaffected.
• Tactics:  Shutdown and encrypted virtual disk file (VMDKs) via VMWare's ESXi hypervisors, followed by changing the root password on ESXi hosts.
• Backup Strategy:  Deleted local backups to hinder recovery efforts.
• Command & Control (C2): Initiated via a scheduled task over an anonymized network using a reverse shell for communication.

Protecting Against INTERLOCK Ransomware: ‍

• Prioritize patch management to address unknown vulnerabilities.
• Ensure multifactor authentication (MFA) and strong access controls are in place.
• Regularly back up critical data and ensure backups are stored offline to prevent encryption by ransomware.
• Deploy endpoint detection and response (EDR) solutions to monitor for suspicious activity.

MOXFIVE is continuing to monitor this new ransomware activity as it unfolds and will continue to update this page if new information emerges. If you need assistance with a current incident, please contact us at 833-568-6695 or email our team at incident@moxfive.com.