- Permanent privilege can be minimized using the zero trust principle
- Critical servers can be protected by enabling just-in-time access
- FreeBSD jails can help isolate workloads and improve defense
A recently discovered ransomware group, Interlock, has been observed targeting organizations, with a focus on FreeBSD servers.
Launched in late September 2024, the operation employs a unique approach: it uses an encryptor built specifically for FreeBSD.
Interlock has already claimed responsibility for attacks against six organizations, including Wayne County, Michigan, which suffered a cyberattack in October 2024.
Interlock’s FreeBSD Encryptor Sets It Apart
Initial information about Interlock came from cybersecurity professionals Simo and MalwareHunterTeam, who analyzed samples of the ransomware.
Interlock’s attack method involves breaching corporate networks, stealing data, spreading laterally to other devices, and encrypting files. The attackers use double-extortion tactics, threatening to leak the stolen data unless ransom demands, ranging from hundreds of thousands to millions of dollars, are paid.
Unlike other ransomware groups, which typically target Linux-based VMware ESXi servers, Interlock stands out for its focus on FreeBSD encryptors. FreeBSD’s extensive use in critical infrastructure and on servers makes it a prime target for disrupting vital services and pressuring victims to pay substantial ransoms.
The FreeBSD encryptor was compiled specifically for FreeBSD 10.4 and is a 64-bit ELF executable. However, testing the sample on Linux and FreeBSD virtual machines proved challenging, as it did not run properly in controlled environments.
Despite this, Trend Micro researchers discovered additional samples of the FreeBSD encryptor, confirming its functionality. They described the choice of FreeBSD as strategic, pointing to its prevalence in critical systems, where attacks can cause widespread outages.
While the FreeBSD version has presented challenges during analysis, Interlock’s Windows encryptor works effectively. It clears event logs and, if configured, uses rundll32.exe to remove its binary after execution. The ransomware appends an “.interlock” extension to encrypted files and creates ransom notes named “!README!.txt” in the affected folders.
These notes provide basic information about the encryption, the threats, and links to Tor-based negotiation and data leak sites. Each victim is given a unique “company ID” to communicate with the attackers through a chat system.
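A sweep for the two file-system artifacts described above (the “.interlock” extension and the “!README!.txt” note), added here as an illustration and not taken from the original article or the researchers it cites. The function names, the confidence labels and the sample tree are assumptions constructed for the example.

```python
import os
import tempfile
from collections import namedtuple

# Indicators exactly as this article gives them; matched case-insensitively
# because Windows file systems are case-insensitive.
ENCRYPTED_EXT = ".interlock"
RANSOM_NOTE = "!readme!.txt"

Finding = namedtuple("Finding", "directory note_present encrypted_count confidence")


def scan_tree(root):
    """Walk `root` and return one Finding per directory showing either indicator."""
    findings = []
    # onerror: skip unreadable directories instead of aborting the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        names = [f.lower() for f in files]
        note = RANSOM_NOTE in names
        encrypted = sum(1 for n in names if n.endswith(ENCRYPTED_EXT))
        if not note and not encrypted:
            continue
        # Both indicators together is a strong signal; a lone note or a lone
        # extension match could be a leftover or a coincidence, so rank lower.
        confidence = "high" if note and encrypted else "low"
        findings.append(Finding(dirpath, note, encrypted, confidence))
    return sorted(findings, key=lambda f: (f.confidence != "high", f.directory))


def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the naming pattern."""
    layout = {
        "finance": ["q3.xlsx.interlock", "payroll.csv.INTERLOCK", "!README!.txt"],
        "docs": ["manual.pdf"],
        "tmp": ["notes.interlock"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for f in scan_tree(root):
            print(f"{f.confidence:4}  {f.directory}  note={f.note_present} "
                  f"encrypted={f.encrypted_count}")
```

Directories ranked “high” contain both indicators and are the ones to isolate and triage first; “low” entries need a manual look before any conclusion is drawn.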
Ilia Sotnikov, security strategist at Netwrix, advises organizations to implement multi-layered security measures, including network and web application firewalls, intrusion detection systems, and phishing defenses to prevent initial breaches.
“The Interlock ransomware group has recently been attacking organizations around the world, taking the unusual approach of creating an encryptor targeting FreeBSD servers. The FreeBSD operating system is known for its reliability and is therefore commonly used for critical functions. Examples include web hosting, mail servers, and storage systems, all potentially lucrative targets for attackers. Depending on the function and configuration, the server may or may not be directly connected to the Internet,” Sotnikov said.
“Security teams must invest in defense in depth, to disrupt a potential attack at an early stage, complicate each additional step of the attacker and detect potentially harmful activity as quickly as possible with the help of monitoring tools… Given that the adversary is more likely to access the FreeBSD server from within the network, it may be a good idea to minimize permanent privileges by implementing the zero trust principle, which allows the user only the permissions necessary to perform their tasks,” Sotnikov added.
Via BleepingComputer