Cyber Security News

Interlock Ransomware Attacking Defense Contractors and Their Supply Chains

A dangerous ransomware operation dubbed Interlock has escalated its focus on defense contractors and their supply chains, jeopardizing sensitive military logistics, intellectual property, and national security.

First observed in September 2024, the group employs “big-game hunting” tactics (targeting high-value organizations) and double extortion, stealing data before encrypting systems.

Recent victims include AMTEC, a U.S.-based manufacturer of lethal ammunition for military and law enforcement, and its parent company, National Defense Corporation (NDC).

Resecurity analysts confirmed that Interlock’s data leak site, “Worldwide Secrets Blog,” now hosts classified documents referencing contracts with the U.S. Department of Defense (DoD), Raytheon, and Thales, among others.

Interlock’s shift toward defense sector targets aligns with geopolitical tensions.

The group leverages global conflicts as cover for espionage, often exfiltrating shipment schedules, warehouse locations, and engineering blueprints.

For example, leaked logistics data included a 2018 DoD contract for M739A1 fuzes bound for Yuma Proving Ground, detailing transportation codes and personnel contacts.

Such breaches enable adversaries to disrupt supply chains or redirect shipments during transit.

Resecurity researchers noted that Interlock’s operators likely collaborate with nation-state actors, blurring the line between cybercrime and state-sponsored espionage.

The ransomware’s technical sophistication lies in its hybrid approach. While Interlock avoids deploying encryption binaries in recent campaigns, opting for pure data theft, it employs Living-off-the-Land (LotL) techniques to evade detection.

Attackers use legitimate tools like PowerShell and Windows Management Instrumentation (WMI) to execute malicious scripts, as seen in the AMTEC breach.

Evasive Scripting and Credential Harvesting

Interlock’s initial access often stems from phishing campaigns impersonating logistics partners or compromised third-party vendors.

Different entities attacked (Source – Resecurity)

Once inside, attackers deploy custom PowerShell scripts to disable security tools. For instance, the following script, recovered from an infected AMTEC subsidiary, terminates Windows Defender processes:

# Stop the Windows Defender service (WinDefend)
Get-Service WinDefend | Stop-Service -Force
# Turn off real-time protection
Set-MpPreference -DisableRealtimeMonitoring $true
# Set the policy registry value that disables Defender
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -Force

Resecurity’s analysis revealed that Interlock actors then use Mimikatz to dump credentials from lsass.exe, enabling lateral movement.

Interlock homepage (Source – Resecurity)

A scheduled task named “WindowsUpdateSync” is created to maintain persistence, executing a Base64-encoded payload that connects to Interlock’s command-and-control (C2) server at 212.237.217[.]182.

The group also exploits unpatched vulnerabilities in enterprise VPNs and Microsoft Exchange servers. In one case, attackers weaponized CVE-2024-21407, a critical privilege escalation flaw in Windows Kernel, to gain SYSTEM privileges.

Post-exploitation, data exfiltration occurs via TLS-encrypted channels to cloud storage platforms like Mega.nz, bypassing traditional network monitoring.

Interlock’s focus on defense contractors underscores the vulnerability of global military supply chains.

Leaked shipment records, such as those referencing Turkmenistan’s Ministry of Defense, risk altering geopolitical power dynamics.

The U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) framework mandates robust access controls and incident response plans, but many contractors remain non-compliant.

Resecurity urges organizations to:

  1. Audit third-party vendor access and enforce Zero Trust principles.
  2. Monitor for anomalous PowerShell/WMI activity and credential-harvesting tools.
  3. Apply patches for CVE-2024-21407 and similar vulnerabilities immediately.
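As an added example (not from the article or from Resecurity), the following Python applies detection rules for the Defender-tampering commands shown above and for the “WindowsUpdateSync” persistence task to Windows event records, which is what recommendation 2 asks SOC teams to monitor. Event IDs 4104 (PowerShell script block logging) and 4698 (scheduled task created) are standard Windows events; the sample events, the benign entries and the base64 string are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Detection content for the Interlock tradecraft described in the article: Defender
# tampering via PowerShell (event 4104, script block logging) and the
# "WindowsUpdateSync" scheduled task carrying an encoded payload (event 4698).
SCRIPT_RULES = {
    "defender_service_stop": re.compile(r"WinDefend\b.*Stop-Service|Stop-Service\b.*WinDefend", re.I),
    "realtime_monitoring_off": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I),
    "disable_antispyware_reg": re.compile(r"DisableAntiSpyware\b.*-Value\s+1\b", re.I),
}
# Encoded PowerShell invocation, e.g. "powershell.exe -enc <base64>".
ENCODED_COMMAND = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# Task name from the article; compared case-insensitively without the leading "\".
SUSPICIOUS_TASK_NAMES = {"windowsupdatesync"}


@dataclass
class Finding:
    event_id: int
    rule: str
    evidence: str


def analyze_events(events):
    """Apply the rules to normalised Windows events (dicts with an EventID key).
    4104 events carry ScriptBlockText; 4698 events carry TaskName and Command."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4104:
            text = ev.get("ScriptBlockText", "")
            for rule, pattern in SCRIPT_RULES.items():
                if pattern.search(text):
                    findings.append(Finding(eid, rule, text.strip()))
            if ENCODED_COMMAND.search(text):
                findings.append(Finding(eid, "encoded_command", text.strip()))
        elif eid == 4698:
            name = ev.get("TaskName", "").lstrip("\\")
            if name.lower() in SUSPICIOUS_TASK_NAMES:
                findings.append(Finding(eid, "persistence_task_name", name))
            if ENCODED_COMMAND.search(ev.get("Command", "")):
                findings.append(Finding(eid, "encoded_command", ev["Command"]))
    return findings


# Constructed sample events (not real telemetry); the base64 is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-Service WinDefend | Stop-Service -Force"},
    {"EventID": 4104, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4104, "ScriptBlockText": 'New-ItemProperty -Path "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" -Name DisableAntiSpyware -Value 1 -Force'},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Logs | Measure-Object"},  # benign
    {"EventID": 4698, "TaskName": "\\WindowsUpdateSync", "Command": "powershell.exe -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule} <- {f.evidence}")
```

In production the same rules would be fed from `Get-WinEvent` or a SIEM export rather than the inline list.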


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
