Unpacking Recent Ransomware Campaigns: Analysis & Detection Strategies

  • Aug 07, 2025
  • Sally Vincent

    TEN18 by Exabeam

    Executive Summary

    This report analyzes two active ransomware threats impacting organizations across multiple sectors: Interlock and Black Basta. These ransomware variants reflect the continued evolution of double-extortion tactics and the operational agility of cybercriminal groups.

    Interlock is a ransomware-as-a-service (RaaS) operation that has gained attention for distributing payloads through malvertising and fake software installers. It frequently exploits legitimate remote access tools, such as AnyDesk, to establish initial access and persist within victim environments. Interlock actors employ double extortion, stealing sensitive data before encrypting systems and pressuring victims through public leak threats hosted on their leak site.

    Black Basta is another RaaS group that emerged in early 2022 and quickly established itself as a major player in the ransomware landscape. The group typically gains access via phishing or compromised credentials and leverages tools such as Cobalt Strike and Mimikatz for lateral movement. Black Basta also employs double extortion and has targeted large enterprises, particularly in healthcare, finance, and manufacturing. Recently, signs of internal fallout within the Black Basta group have surfaced from leaked Telegram chats. This raises the possibility of offshoot groups and rebranding.

    RaaS is a growing cybercrime model where developers sell or lease ransomware tools to affiliates, enabling even low-skilled attackers to launch sophisticated attacks. The proliferation of RaaS significantly lowers the barrier to entry for cybercrime. The RaaS model allows ransomware creators to profit without directly executing attacks, while affiliates earn a share of the ransom. As a result, RaaS has contributed to a more organized and scalable cybercriminal ecosystem, increasing threats to businesses, governments, and critical infrastructure worldwide.

    Black Basta most commonly targets industries such as construction, law practices, and real estate. Interlock is more opportunistic and attacks a wide range of sectors, with frequent targets including aerospace and defense, banking and financial services, construction, healthcare, and government agencies. Because RaaS allows many different actors to carry out attacks, organizations outside of these industries should also remain vigilant and take precautions.

    Analysis: Black Basta

    Black Basta has been a major player in the ransomware world since it appeared in early 2022. The group quickly gained a reputation for targeting large enterprises, especially in sectors like healthcare, finance, and manufacturing. They usually gain access through phishing attacks or by exploiting compromised login credentials, which gives them a relatively easy entry point into corporate networks. From there, they use well-known tools like Cobalt Strike and Mimikatz to explore the network and elevate their access, often grooming the environment for widespread and coordinated ransomware deployment. Ransomware groups often disguise Mimikatz by modifying or obfuscating its code to evade antivirus detection. They may also load it in memory using reflective DLL injection, avoiding writing files to disk.

    Black Basta’s ransomware binaries are often packed with custom or commercial packers that compress or obfuscate the executable to make analysis harder for antivirus and sandboxing tools. They also employ encryption for payloads and communication with command-and-control servers, as well as encrypting victim files during attacks.

    Like Interlock, Black Basta uses double extortion to maximize leverage over their victims. Recently, internal drama within the group has come to light through leaked Telegram chats, hinting at possible tensions or a breakdown in group coordination. This doesn’t mean Black Basta should be discounted. Ransomware groups sometimes splinter, rebrand, and reuse the same code, so the threat may persist in new forms. The leak has given researchers a unique opportunity to see how a ransomware group operates.

    Initial Access

    • Targeted phishing emails with malicious attachments or links
    • QakBot (QBot) as a loader via malspam
    • Exploitation of public-facing applications (e.g. CVE-2023-0669 in GoAnywhere MFT)

    Lateral Movement & Persistence

    • Use of Cobalt Strike or Brute Ratel for post-exploitation
    • Abuse of PsExec, WMI, and RDP for lateral movement
    • Domain enumeration and privilege escalation via credential dumping (LSASS access)

    Payload Execution

    • Payload deployment via batch scripts or scheduled tasks
    • Encryption process initiated — Black Basta uses hybrid encryption with ChaCha20 and RSA-4096
    • File extensions modified
    • Ransom note dropped
    • Shadow copies deleted
    • Can operate in safe mode to evade detection

    Known Tools Used

    • Backstab
    • Brute Ratel
    • Cobalt Strike
    • Mimikatz
    • PsExec / WMI
    • QakBot
    • Rclone
    • SystemBC

    Analysis: Interlock

    Interlock is a relatively new ransomware threat that’s been making waves with its clever delivery methods and aggressive tactics. Instead of relying on more traditional phishing emails, Interlock operators often use malicious online ads (malvertising) or fake software installers to trick users into downloading their payloads. What makes this ransomware particularly tricky is its use of legitimate tools like AnyDesk to gain remote access. By abusing trusted applications, the attackers can quietly establish a foothold in the victim’s environment without raising immediate red flags.

    Once inside, the group doesn’t stop at just encrypting files. They use a double-extortion approach, first stealing sensitive data and then locking systems, threatening to publish the stolen information on their leak site if the ransom isn’t paid. This tactic adds extra pressure on victims, especially organizations concerned about data privacy and reputation damage. Here, we take a closer look at how the Windows version of Interlock operates, including its techniques for persistence, privilege escalation, and lateral movement within compromised networks. The sample we analyzed was the Windows variant; Interlock is also known to have FreeBSD and Linux ELF variants.

    Initial Access

    • Targeted phishing emails with malicious attachments (e.g. Office files with macros or embedded links)
    • Drive-by downloads from malicious websites or compromised software installers
    • Use of a social engineering tactic named ClickFix, in which attackers trick users into running malicious code disguised as legitimate security updates or fixes, often by impersonating IT support.

    Lateral Movement & Persistence

    After gaining initial access, reconnaissance is conducted using built-in Windows tools (net view, nltest, whoami, etc.). Credential dumping is performed using Mimikatz, followed by lateral movement via PsExec and WMI. Interlock utilizes living-off-the-land binaries (LOLBins) throughout the kill chain.

    Persistence is maintained through:

    • Creation of Scheduled Tasks
    • Installation of services
    • Registry Run key modifications (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
    • Deployment of Cobalt Strike

    Payload Execution

    • Payloads are dropped via a macro, loader, or downloaded from a remote C2 server.
    • Encryption process initiated — Interlock encrypts files using strong encryption algorithms (e.g. AES with RSA key wrapping).
    • File extensions modified
    • Ransom note dropped
    • Command-and-control beaconing — Some variants may attempt to contact a C2 server to report status or receive additional instructions.

    Known Tools Used

    • AnyDesk
    • AzCopy
    • Base64-encoded and AES-encrypted PowerShell scripts
    • Cobalt Strike
    • Mimikatz
    • NodeSnake
    • PowerView
    • PsExec/WMI
    • Rubeus
    • SharpHound/BloodHound

    Prevention

    Preventing ransomware infections from groups like Interlock and Black Basta requires a layered approach that combines technical defenses, user awareness, and proactive threat detection. Interlock often gains access through malvertising and fake software installers, while Black Basta commonly relies on phishing emails or stolen credentials. Blocking these initial attack vectors is essential to reducing risk.

    Organizations should enforce application control to prevent the execution of unauthorized or suspicious software, especially those downloaded from untrusted sources. Endpoint protection tools should be configured to flag and block known remote access tools like AnyDesk, frequently abused by Interlock actors. For Black Basta, improving email security through strong spam filtering, attachment scanning, and domain-based message authentication can help prevent phishing-based compromises.

    User training remains a critical layer of defense. Regular security awareness programs should teach employees how to recognize phishing attempts, avoid downloading unverified software, and report suspicious activity promptly. Training should emphasize the risks associated with social engineering tactics used by these ransomware groups.

    Implementing multi-factor authentication (MFA), regularly patching systems, and limiting administrative privileges are also vital to hinder ransomware operations. Adaptive MFA and hardware tokens (e.g., YubiKeys) offer the strongest protection against ransomware by providing phishing-resistant access control. More basic methods like SMS or one-time passwords offer limited security but are better than nothing. In addition, adopting a Zero Trust security model significantly strengthens prevention by enforcing strict identity verification and access controls. Zero Trust principles reduce the attack surface and limit ransomware’s ability to move laterally or escalate privileges within the environment. This includes reducing or eliminating local admin rights on endpoints, restricting the use of domain admin accounts, and separating duties across service accounts and human users. Admin access should follow the principle of least privilege, be time-bound when possible, and be tightly monitored.

    Security Information and Event Management (SIEM) systems further strengthen prevention by providing real-time visibility into network activity. A well-configured SIEM can detect early indicators of compromise such as unusual login attempts, lateral movement, or execution of known malicious tools and trigger alerts for rapid response. By correlating log data across endpoints, servers, and network infrastructure, SIEM helps organizations quickly identify and respond to behaviors associated with Interlock and Black Basta before they escalate.

    Equally important is having and regularly practicing incident response playbooks to ensure a coordinated and efficient reaction when threats are detected; the NIST playbook available through CISA’s Ransomware Guide provides a strong foundation for developing effective response procedures.

    Detections

    Detecting ransomware through a SIEM platform is a key component of modern threat detection and response. By aggregating and analyzing logs from across an environment, such as endpoint activity, file access patterns, process behavior, and user actions, SIEMs can identify indicators of ransomware attacks including rapid file encryption, ransom note creation, and suspicious process execution. Effective detection relies on well-tuned correlation rules, threat intelligence integration, and visibility into high-fidelity data sources, enabling security teams to respond quickly and limit damage.

    Enabling and collecting command line auditing logs significantly enhances SIEM capabilities by capturing detailed command line arguments, which uncovers malicious actions such as encryption commands or ransom note deployment that might otherwise be missed. This level of insight can be achieved through commercial Endpoint Detection and Response (EDR) tools or free solutions like Sysmon, which logs comprehensive process creation details. When integrated with a SIEM, command line auditing dramatically improves visibility and detection accuracy, empowering security teams to identify and respond to ransomware threats more effectively.

    How to enable free command line auditing:

    Example detection, T1490 Inhibit System Recovery:

    • The Black Basta ransomware binary launches a command line to delete shadow copies.
    • Process creation is logged by Sysmon.
    • The Sysmon log is ingested by the SIEM.
    • The detection rule fires and the SOC is notified.

    Expanded MITRE Coverage

    • Ransom Notes Created
      MITRE ID: T1491.001 – Internal Defacement
      Detection identifies creation of ransom note files on victim endpoints, a hallmark of ransomware execution.
    • Windows Account Created and Used
      MITRE ID: T1136.001 – Create Local Account
      Flags the creation and usage of unauthorized local accounts, often used for persistence and lateral movement.
    • Service Stop
      MITRE ID: T1489 – Service Stop
      Captures attempts to stop critical services, such as antivirus or backup solutions, as part of pre-encryption sabotage.
    • AnyDesk Installation Detected
      MITRE ID: T1219.002 – Remote Access Software
      Identifies the installation of AnyDesk, a remote tool often abused by actors like Interlock for initial access and persistence.
    • AnyDesk Execution Detected
      MITRE ID: T1219.002 – Remote Access Software
      Alerts on execution or startup of AnyDesk, helping detect malicious remote access sessions early in the kill chain.
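    The T1490 walkthrough above and the expanded coverage list, as an added Python example that is not Exabeam's code or its rule content: a small rule set evaluated over Sysmon Event ID 1 (process creation) records, the same data source the walkthrough relies on. The records are constructed samples flattened to one `Key: value|Key: value` line each (the layout, host names, user names, command lines and the critical-service watchlist are all assumptions for this example); the rules cover shadow copy deletion (T1490), service stop (T1489), local account creation (T1136.001) and AnyDesk installation and execution (T1219.002).

```python
"""Prototype SIEM-style detection over Sysmon Event ID 1 (ProcessCreate) logs.

Added example, not Exabeam's rule content. The one-line 'Key: value|Key: value'
record layout, host names, user names, command lines and the service watchlist
are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Callable

# Constructed Sysmon Event ID 1 records, one per line as a collector might
# forward them. The last two are benign and must not raise an alert.
SAMPLE_SYSMON_LINES = [
    "EventID: 1|Computer: WS-1042|User: CORP\\jdoe|ParentImage: C:\\Users\\jdoe\\AppData\\Local\\Temp\\locker.exe"
    "|Image: C:\\Windows\\System32\\vssadmin.exe|CommandLine: vssadmin.exe delete shadows /all /quiet",
    "EventID: 1|Computer: WS-1042|User: CORP\\jdoe|ParentImage: C:\\Windows\\System32\\cmd.exe"
    "|Image: C:\\Windows\\System32\\wbem\\WMIC.exe|CommandLine: wmic shadowcopy delete",
    "EventID: 1|Computer: SRV-FS01|User: CORP\\admin.t1|ParentImage: C:\\Windows\\System32\\cmd.exe"
    "|Image: C:\\Windows\\System32\\net.exe|CommandLine: net stop \"Veeam Backup Service\" /y",
    "EventID: 1|Computer: SRV-FS01|User: CORP\\admin.t1|ParentImage: C:\\Windows\\System32\\cmd.exe"
    "|Image: C:\\Windows\\System32\\net1.exe|CommandLine: net1 user support$ Passw0rd /add",
    "EventID: 1|Computer: WS-2210|User: CORP\\msmith|ParentImage: C:\\Windows\\explorer.exe"
    "|Image: C:\\Users\\msmith\\Downloads\\AnyDesk.exe"
    "|CommandLine: \"C:\\Users\\msmith\\Downloads\\AnyDesk.exe\" --install \"C:\\Program Files (x86)\\AnyDesk\" --silent",
    "EventID: 1|Computer: WS-2210|User: CORP\\msmith|ParentImage: C:\\Windows\\System32\\services.exe"
    "|Image: C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe|CommandLine: \"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --service",
    "EventID: 1|Computer: SRV-BK02|User: CORP\\svc_backup|ParentImage: C:\\Windows\\System32\\cmd.exe"
    "|Image: C:\\Windows\\System32\\vssadmin.exe|CommandLine: vssadmin list shadows",
    "EventID: 1|Computer: WS-2210|User: CORP\\msmith|ParentImage: C:\\Windows\\explorer.exe"
    "|Image: C:\\Windows\\System32\\notepad.exe|CommandLine: notepad.exe notes.txt",
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                    # MITRE ATT&CK ID the page maps the rule to
    matches: Callable[[dict], bool]   # predicate over one parsed event


def parse_sysmon_line(line: str) -> dict:
    """Split a flattened record into fields. Values contain ':' themselves
    (drive letters), so only the first ': ' of each field is the separator."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def image_name(ev: dict) -> str:
    """Lower-cased file name of the created process, e.g. 'vssadmin.exe'."""
    return ev.get("Image", "").rsplit("\\", 1)[-1].lower()


def cmd(ev: dict) -> str:
    return ev.get("CommandLine", "").lower()


# Common shadow-copy / recovery-inhibiting command shapes (T1490).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s.*delete\s+shadows"
    r"|wmic(\.exe)?\s.*shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s.*delete\s+catalog"
    r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no"
)
NET_USER_ADD = re.compile(r"\buser\b.*\s/add\b")
NET_TOOLS = {"net.exe", "net1.exe", "sc.exe"}
# Constructed watchlist of service-name fragments a SOC might treat as critical.
CRITICAL_SERVICE_TERMS = ("backup", "veeam", "sql", "windefend")

RULES = [
    Rule("Shadow copy deletion", "T1490",
         lambda ev: SHADOW_DELETE.search(cmd(ev)) is not None),
    Rule("Critical service stopped", "T1489",
         lambda ev: image_name(ev) in NET_TOOLS and " stop " in cmd(ev)
         and any(t in cmd(ev) for t in CRITICAL_SERVICE_TERMS)),
    Rule("Local account created", "T1136.001",
         lambda ev: image_name(ev) in {"net.exe", "net1.exe"}
         and NET_USER_ADD.search(cmd(ev)) is not None),
    Rule("AnyDesk installation", "T1219.002",
         lambda ev: image_name(ev) == "anydesk.exe" and "--install" in cmd(ev)),
    Rule("AnyDesk execution", "T1219.002",
         lambda ev: image_name(ev) == "anydesk.exe" and "--install" not in cmd(ev)),
]


def run_rules(lines, rules=RULES) -> list:
    """Evaluate every rule against every process-creation record and return
    the alerts in input order, as a SIEM correlation engine would."""
    alerts = []
    for line in lines:
        ev = parse_sysmon_line(line)
        if ev.get("EventID") != "1":      # only ProcessCreate events
            continue
        for rule in rules:
            if rule.matches(ev):
                alerts.append({"technique": rule.technique, "rule": rule.name,
                               "host": ev.get("Computer"), "user": ev.get("User"),
                               "parent": ev.get("ParentImage"),
                               "command": ev.get("CommandLine")})
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_SYSMON_LINES):
        print(f"[{a['technique']}] {a['rule']} on {a['host']} by {a['user']}: {a['command']}")
```

    The benign `vssadmin list shadows` record shows why the T1490 rule keys on the `delete` verb rather than on the binary alone: administrators and backup software run `vssadmin` routinely, and a rule on the image name alone would page the SOC constantly. The parent image is carried into each alert because a shadow-copy deletion spawned from a binary in a user's Temp directory, as in the first sample, is a far stronger signal than the same command under a scheduled backup job.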

    Summary

    Preventing ransomware requires a combination of strong application controls, robust email security, and comprehensive user awareness training. Multi-factor authentication, regular patching, and restricted administrative privileges further minimize exposure. Adopting a Zero Trust security model adds a critical layer by ensuring that no user or device is trusted by default even within the network perimeter.

    No prevention strategy is 100% effective, which is why SIEM platforms are essential. SIEMs play a vital role in detecting early signs of ransomware by correlating logs, analyzing behavioral patterns, and leveraging command-line auditing. Integrating command line auditing logs from tools like EDR or Sysmon significantly enhances SIEM visibility and improves detection accuracy across the environment.

    MITRE Mappings

    Tactic | Technique ID | Technique Name | Used By
    Credential Access | T1003 | OS Credential Dumping | Black Basta
    Credential Access | T1056.001 | Keylogging | Both
    Discovery | T1016 | System Network Configuration Discovery | Black Basta
    Discovery | T1018 | Remote System Discovery | Black Basta
    Discovery | T1082 | System Information Discovery | Both
    Discovery | T1083 | File and Directory Discovery | Black Basta
    Discovery | T1087.002 | Domain Account Discovery | Black Basta
    Discovery | T1087 | Account Discovery | Interlock
    Discovery | T1047 | Windows Management Instrumentation (WMI) | Black Basta
    Lateral Movement | T1021.001 | Remote Desktop Protocol (RDP) | Both
    Lateral Movement | T1570 | Lateral Tool Transfer | Black Basta
    Execution | T1059.001 | PowerShell | Both
    Execution | T1204.002 | Malicious File Execution | Black Basta
    Execution | T1204 | User Execution | Interlock
    Persistence | T1543.003 | Create/Modify System Process: Windows Service | Black Basta
    Persistence | T1547.001 | Registry Run Keys / Startup Folder | Both
    Persistence | T1136 | Create Account | Black Basta
    Persistence | T1574.001 | DLL Search Order Hijacking | Black Basta
    Privilege Escalation | T1068 | Exploitation for Privilege Escalation | Black Basta
    Defense Evasion | T1036 | Masquerading | Black Basta
    Defense Evasion | T1070.004 | File Deletion | Black Basta
    Defense Evasion | T1112 | Modify Registry | Both
    Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Black Basta
    Defense Evasion | T1562.001 | Disable or Modify Security Tools | Both
    Defense Evasion | T1562.009 | Safe Mode Boot | Black Basta
    Defense Evasion | T1497 | Virtualization/Sandbox Evasion | Black Basta
    Defense Evasion | T1622 | Debugger Evasion | Black Basta
    Initial Access | T1190 | Exploit Public-Facing Application | Both
    Initial Access | T1566.001 | Phishing: Email Attachment | Black Basta
    Initial Access | T1566.004 | Phishing: Voice | Black Basta
    Collection | T1560.001 | Archive via Utility | Both
    Exfiltration | T1041 | Exfiltration Over C2 Channel | Black Basta
    Exfiltration | T1567 | Exfiltration Over Web Services | Both
    Command and Control | T1219 | Remote Access Software | Both
    Command and Control | T1572 | Protocol Tunneling | Black Basta
    Command and Control | T1573 | Encrypted Channel | Both
    Impact | T1486 | Data Encrypted for Impact | Both
    Impact | T1489 | Service Stop | Black Basta
    Impact | T1490 | Inhibit System Recovery | Both
    Impact | T1491 | Defacement | Black Basta

    Sally Vincent

    Senior Threat Research Engineer | Exabeam | Sally creates threat detection content for Exabeam like MITRE ATT&CK module AIE rules. She keeps up with the latest threats and technologies to help educate our customers and secure their networks. Sally is especially interested in reverse engineering and threat hunting.
