Trojan:Win64/InterLock.GVA!MTB
Aliases: No associated aliases
Summary
Trojan:Win64/InterLock.GVA!MTB is a 64-bit advanced ransomware variant from the InterLock family that uses complex infiltration methods, including social engineering, fileless operation and trusted access to cloud services. The malware does not appear to install itself on the device. It establishes unauthorized remote access to the device to steal data and encrypts the filesystem, while making threats of legal action with financial. It shows a pattern of blending into legitimate Windows processes to evade detection.
It is a multi-stage attack that begins with initial-access techniques such as fake CAPTCHA prompts, drive-by downloads from compromised websites, and fake browser or security software updates. The ransomware then carries out its encryption routine using PowerShell scripts and MSBuild abuse, and uses cloud storage access for payload delivery and data exfiltration. The most alarming behavior is double extortion: data is stolen before it is encrypted. It abuses trusted Windows processes to establish persistence and includes a self-destruct function to avoid being identified by security software.
- Disconnect infected devices from networks/internet to halt lateral movement and data exfiltration
- Check Task Manager for suspicious processes (e.g., pyinstaller.exe, ktool.exe). End tasks and delete associated files. If not possible, do so under Safe Mode.
- Restore files from offline backups. Avoid cloud backups until disinfection is complete.
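As an added triage example (not Microsoft's code or tooling), the script below applies two of the indicators described above to process-creation records: the process names the remediation steps tell you to look for in Task Manager, and MSBuild launching PowerShell. The record layout, field names and sample events are constructed for illustration, roughly in the shape of Sysmon process-creation events.

```python
"""Flag process-creation events that match the InterLock behaviours described
on this page. Added example; field names and sample events are constructed."""
import re
from typing import Iterable

# Process names the remediation steps say to look for in Task Manager.
SUSPICIOUS_IMAGES = {"pyinstaller.exe", "ktool.exe"}
# Abuse pattern named on the page: MSBuild used to launch PowerShell scripts.
LOLBIN_PARENT = "msbuild.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of an image path (accepts both \\ and /)."""
    return re.split(r"[\\/]", path)[-1].lower()


def flag_event(event: dict) -> list[str]:
    """Return the reasons one event is suspicious (empty list if none).
    Expected keys (constructed schema): image, parent_image; any may be absent."""
    reasons = []
    image = _base(event.get("image", ""))
    parent = _base(event.get("parent_image", ""))
    if image in SUSPICIOUS_IMAGES:
        reasons.append(f"known image name {image}")
    if parent == LOLBIN_PARENT and image in SCRIPT_HOSTS:
        reasons.append("MSBuild spawning PowerShell")
    return reasons


def triage(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Run flag_event over a stream of events; return (pid, reasons) per hit."""
    return [(e.get("pid", -1), r) for e in events if (r := flag_event(e))]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1204, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"pid": 3310, "image": r"C:\Users\u\AppData\Local\Temp\KTool.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 3322, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Record the hits (PID, image path, parent) before ending any task, since the page notes that the malware can self-destruct and the evidence is otherwise lost.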
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.