Interlock is a double-extortion ransomware family grabbing headlines. CISA’s fresh #StopRansomware advisory links the group to drive-by downloads, fake browser updates and abused remote-management tools that let attackers slip inside networks, encrypt data and threaten public leaks. My years at Cisco Talos gave me an early view of these tradecraft shifts, and Talos’ own research largely appears to be the basis for CISA’s warning.
CISA’s first mitigation is simple: filter malicious domains at the DNS layer. ThreatSTOP delivers exactly that through our Protective DNS services:
- DNS Defense Cloud lets you point resolvers to our cloud service and block known-bad queries automatically.
- DNS Defense places the same intelligence on your own resolvers, keeping traffic local while staying protected.
When Interlock tries to phone home for instructions or payloads, the query never leaves your resolver.
Interlock pivots fast, moving from HTTP to RDP to raw IP traffic. IP Defense pushes identical threat intelligence to routers, firewalls, IPS sensors and AWS WAF. Malicious packets hit a deny rule before touching your hosts, giving you uniform protection no matter the protocol.
The advisory highlights attacker reliance on AnyDesk, Cobalt Strike and ScreenConnect for command-and-control and lateral movement. ThreatSTOP’s Application Controls make mitigation immediate. Add these tools to your policy with a single click and every protected resolver, router and firewall enforces the decision within minutes.
Our Security, Intelligence and Research team curates thousands of proprietary and third-party feeds covering command and control, invalid traffic, peer-to-peer tunnelling, data exfiltration, phishing, spam, Distributed Denial of Service activity and more. Updates flow to your enforcement points continually, so you stay ahead of emerging threats like Interlock.
Cisco Talos measured Interlock’s dwell time, Azure-based data exfiltration and FreeBSD encryptor variants. That insight now informs the indicators and rules our team ships daily, so ThreatSTOP customers convert leading research into real-time blocks without lifting a finger.
| Tactic | Technique | How ThreatSTOP disrupts it |
|---|---|---|
| Initial Access | T1189 Drive-By Compromise | Protective DNS blocks malicious update domains |
| Execution | T1059.001 PowerShell | IP Defense denies known script-hosting IPs |
| Persistence | T1547.001 Startup Items | Application Controls disable AnyDesk autostart |
| Credential Access | T1555.003 Browser Credential Theft | DNS sinkholes stealer C2 endpoints |
| Lateral Movement | T1021.001 RDP | IP Defense blocks attacker jump servers |
| Command & Control | TA0011 Remote Tooling | One-click blocks for Cobalt Strike, AnyDesk, ScreenConnect |
| Exfiltration | T1567.002 Azure Blob | Resolver policy denies Storage Explorer hostnames |
| Impact | T1486 Data Encryption | Early DNS and IP blocks prevent payload retrieval |
For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers. Get started with a demo today!
Connect with Customers, Disconnect from Risks