Meet Interlock: The Ransomware Operation Targeting FreeBSD Servers

In late September 2024, a new ransomware operation called Interlock emerged, targeting organizations worldwide with an unusual approach. Instead of focusing on popular operating systems like Windows or Linux, Interlock specifically targets FreeBSD servers, leaving cybersecurity experts stunned.

The First Victim: Wayne County, Michigan

One of the earliest reported victims was Wayne County, Michigan, which suffered a cyberattack in early October 2024. The attack is believed to have been perpetrated by Interlock, which has since claimed attacks on six organizations and published stolen data on its data leak site when a ransom was not paid.

Unveiling the FreeBSD Encryptor

Incident responders and cybersecurity researchers began to unravel the mystery of Interlock’s attack in early October 2024. Simo, an incident responder, discovered a new backdoor deployed during an Interlock ransomware incident.

Key Findings

  • A new backdoor was found to be part of the Interlock operation.
  • MalwareHunterTeam discovered a Linux ELF encryptor believed to be part of the Interlock operation.
  • The FreeBSD ELF encryptor is specifically compiled for FreeBSD 10.4.
  • The executable file indicated that it was statically linked and had a unique BuildID.

The FreeBSD ELF Encryptor

After sharing the sample with BleepingComputer, researchers tested it on a virtual machine and discovered that it was compiled specifically for FreeBSD 10.4. The code was:

```c
#include 
#include 

int main() {
    // Code to encrypt files goes here
    return 0;
}
```

However, when testing the sample on a FreeBSD virtual machine, BleepingComputer encountered issues executing the code.
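The Key Findings above (an ELF compiled for FreeBSD 10.4, statically linked, with a unique BuildID) can be confirmed from the file alone without executing it. The following is an added triage example, not code from the page or from the Interlock sample: it parses an ELF64 header, treats the absence of a PT_INTERP segment as static linking, and reads the FreeBSD ABI-tag note (which records the target release) and the GNU build-id note. The sample bytes are constructed for the demonstration and are not the Interlock binary.

```python
import struct

PT_INTERP, PT_NOTE = 3, 4
ELFOSABI_FREEBSD = 9          # EI_OSABI value FreeBSD's toolchain brands binaries with

def parse_notes(note: bytes) -> dict:
    """Walk an ELF note segment; pick out the FreeBSD ABI tag and the GNU build-id."""
    found, off = {}, 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        name = note[off + 12:off + 12 + namesz].rstrip(b"\0")
        desc_off = off + 12 + ((namesz + 3) & ~3)          # name is padded to 4 bytes
        desc = note[desc_off:desc_off + descsz]
        if name == b"FreeBSD" and ntype == 1 and descsz == 4:   # NT_FREEBSD_ABI_TAG
            v = struct.unpack("<I", desc)[0]                     # __FreeBSD_version, MMmmXXX
            found["freebsd_release"] = f"{v // 100000}.{(v // 1000) % 100}"
        elif name == b"GNU" and ntype == 3:                      # NT_GNU_BUILD_ID
            found["build_id"] = desc.hex()
        off = desc_off + ((descsz + 3) & ~3)                     # desc is padded to 4 bytes
    return found

def triage_elf(data: bytes) -> dict:
    """Summarise what a responder wants from an ELF64 sample without running it."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff, = struct.unpack_from("<Q", data, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    result = {"osabi_freebsd": data[7] == ELFOSABI_FREEBSD, "static_linked": True}
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:           # a dynamic-loader path means dynamically linked
            result["static_linked"] = False
        elif p_type == PT_NOTE:
            result.update(parse_notes(data[p_off:p_off + p_filesz]))
    return result

def build_sample() -> bytes:
    """Constructed ELF64 stub, NOT the Interlock binary: FreeBSD OSABI, no PT_INTERP, ABI tag for 10.4."""
    notes = (struct.pack("<III", 8, 4, 1) + b"FreeBSD\0" + struct.pack("<I", 1004000)
             + struct.pack("<III", 4, 4, 3) + b"GNU\0" + bytes.fromhex("deadbeef"))
    ehdr_len, phdr_len = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, ELFOSABI_FREEBSD]) + bytes(8)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehdr_len, 0, 0,
                               ehdr_len, phdr_len, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 4, ehdr_len + phdr_len, 0, 0, len(notes), len(notes), 4)
    return ehdr + phdr + notes

if __name__ == "__main__":
    print(triage_elf(build_sample()))
```

On a real sample, `triage_elf(open(path, "rb").read())` gives the same four facts; a FreeBSD release tag together with no PT_INTERP is the combination the page describes.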

A Rare Attack Vector

The fact that Interlock created an encryptor specifically for FreeBSD servers is rare, as most ransomware operations focus on popular operating systems like Linux or Windows. The only other known operation to create FreeBSD encryptors was the now-defunct Hive ransomware operation, which was disrupted by the FBI in 2023.

Trend Micro Unveils Additional Samples

This week, researchers from cybersecurity firm Trend Micro shared additional samples of the FreeBSD ELF encryptor and a Windows encryptor, and described the attackers' motivation:

“The threat actors targeted FreeBSD as it’s widely utilized in servers and critical infrastructure,” explains Trend Micro. “Attackers can disrupt vital services, demand hefty ransoms, and coerce victims into paying.”

Windows Encryptor Capabilities

The Windows encryptor, which was tested successfully on a virtual machine, clears Windows event logs and uses a DLL to delete the main binary using rundll32.exe. When encrypting files, Interlock appends the .interlock extension to all encrypted file names and creates a ransom note in each folder.

Ransom Note and Data Leak Sites

The ransom note is named !__README__!.txt and describes what happened to the victim’s files, makes threats, and links to the Tor negotiation and data leak sites. Each victim has a unique “Company ID” used along with an email address to register on the threat actor’s Tor negotiation site.

Double-Extortion Tactics

During attacks, Interlock breaches a corporate network, steals data from servers, and spreads laterally to other devices before deploying the ransomware to encrypt all files. The stolen data is then used in a double-extortion attack, where the threat actors threaten to publicly leak it if a ransom is not paid.

Ransom Demands

BleepingComputer reports that Interlock demands ransoms ranging from hundreds of thousands of dollars to millions, depending on the size of the organization.
