Close Menu
Cybercrime and Ransomware

Interlock and Rhysida Ransomware Operations Share Backdoor and Malware Codebase

Staff WriterBy No Comments4 Mins Read0 Views

Fast Facts

  1. Shared Backdoor and Code: Interlock and Rhysida ransomware groups both use the Supper backdoor, sharing similar malware code and command structures, indicating a close development link or trusted collaboration.

  2. Operational Similarities and Origins: Both groups rely on trojanized software installers with fraudulent certificates, employ a variety of malware tools like NodeSnake and InterlockRAT, and most victims are in the US within sectors like healthcare, education, and government.

  3. Indicators and Techniques: They utilize traffic distribution, fake update prompts, and custom policies to disable defenses, with code analysis revealing structural similarities suggesting they were built by the same or closely related developers.

  4. Implications and Threat Level: The convergence in tools and tactics suggests a potentially shared development team or controlled code exchange, emphasizing the need for organizations to monitor suspicious signed executables, remote access use, and browser prompts for early detection.

The Issue

Recent research reveals a troubling connection between two active ransomware groups, Interlock and Rhysida. Although they operate independently—Interlock since September 2024 and Rhysida since May 2023—both groups use a shared backdoor called Supper. This backdoor, first identified in July 2024, allows persistent access, encrypted tunnels, and remote command execution, and is found in incidents linked to both groups. The investigation, conducted over two years by IBM X-Force, shows these groups have considerable code similarities and often rely on trojanized software for initial entry, such as fake updates or fake Microsoft Teams installers.

The fact that these operations share tools and infrastructure suggests either a common development team or a trusted exchange of code, which complicates efforts to track and combat them. Moreover, the groups target similar sectors, primarily in the United States, including healthcare, education, and government agencies. Reporters from IBM X-Force and Cisco Talos have highlighted that this code-sharing indicates a deeper collaboration or consolidation within the cybercriminal ecosystem, emphasizing the need for vigilant monitoring and improved defense strategies against such sophisticated threats.

Critical Concerns

The issue titled “Interlock and Rhysida Ransomware Operations Share Supper Backdoor and Malware Codebase” highlights a significant threat that can affect any business. When cybercriminals share malicious tools and codebases, they increase the risk of devastating attacks, such as ransomware infections and backdoors. Consequently, businesses become vulnerable to data theft, operational disruptions, and financial loss. As attackers can easily adapt and spread malware across multiple targets, the potential damage multiplies. Therefore, any organization, regardless of size or industry, must recognize this danger. Without proper cybersecurity measures, your business could face costly downtime, compromised customer trust, and legal liabilities. In short, shared malware resources make malicious attacks more accessible and effective, posing a serious threat to your company’s security and stability.

Fix & Mitigation

Addressing the ‘Interlock and Rhysida Ransomware Operations Share Supper Backdoor and Malware Codebase’ swiftly is critical to preventing extensive damage, data loss, and the potential for ongoing attacks. Timely remediation can limit attack scope, restore safety, and minimize operational downtime.

Containment measures:

  • Isolate affected systems immediately to prevent spread.
  • Disable network connections for compromised devices.

Identification and Analysis:

  • Conduct thorough forensic analysis to understand entry points.
  • Identify all affected files, backdoors, and malware variants.

Eradication Procedures:

  • Remove malicious code and backdoors from infected systems.
  • Apply security patches to close vulnerabilities exploited by attackers.

Restoration Actions:

  • Restore systems from clean, verified backups.
  • Change all relevant passwords and credentials.

Preventive Strategies:

  • Implement multi-factor authentication.
  • Enhance firewall rules and network monitoring.
  • Regularly update and patch software vulnerabilities.

Monitoring and Review:

  • Enforce continuous threat monitoring.
  • Review security policies and response plans for gaps.

A coordinated, rapid response based on these steps is essential to mitigate threats effectively and restore organizational security and confidence.

Explore More Security Insights

Discover cutting-edge developments in Emerging Tech and industry Insights.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.