Ransomware’s Hidden Web: Unmasking the Interlock-Rhysida Shared Malware Arsenal and What It Means for Your Defense + Video

By /

Listen to this Post

Featured Image

Introduction:

The modern ransomware landscape has evolved beyond isolated criminal gangs into a complex, interconnected supply chain where malware, crypters, loaders, and even developers are shared across operations. Recent threat intelligence reveals significant overlaps between the Interlock and Rhysida ransomware ecosystems—suggesting that tracking only the final payload is no longer enough; defenders must hunt the shared infrastructure and pre-ransomware tooling that powers these attacks.

Learning Objectives:

  • Identify common malware families (NodeSnake, JunkFiction, Supper) and crypters used by both Interlock and Rhysida operations.
  • Implement threat hunting techniques to detect shared loaders and downloaders across enterprise endpoints and network logs.
  • Apply YARA rules and command-line forensics to uncover evidence of ransomware supply chain activity in Linux and Windows environments.

You Should Know:

  1. Mapping the Shared Malware Toolkit: NodeSnake, JunkFiction, and Supper Variants

Researchers observed strong overlaps between custom malware used by Interlock (NodeSnake, InterlockRAT, JunkFiction downloader, Supper/SocksShell) and Rhysida (Endico, Broomstick, Supper, Tomb crypter). The presence of shared codebases or common developers indicates that these groups may be sourcing from the same criminal supply chain. To hunt these artifacts, you need to know where they hide.

Step‑by‑step guide: Detecting Supper/SocksShell on Linux and Windows

  • Linux (find and analyze Supper backdoor):
    `sudo find / -1ame “supper” -o -1ame “socks” 2>/dev/null`
    Check running processes: `ps aux | grep -E “supper|socks”`
    Extract network connections: `netstat -tunap | grep ESTABLISHED` (look for unusual outbound shells).

  • Windows (PowerShell hunt for JunkFiction downloader artifacts):

`Get-Process | Where-Object {$_.ProcessName -match “junk|interlock”}`

Search recent files: `Get-ChildItem -Path C:\Users\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.Name -match “\.tmp$|\.dat$”}`
Check scheduled tasks: `schtasks /query /fo LIST /v | findstr /i “interlock rhysida”`

– YARA rule snippet for NodeSnake detection: 

rule NodeSnake_Indicator {
strings:
$a = "NodeSnake" ascii wide
$b = "InterlockRAT" ascii
$c = { 6E 6F 64 65 5F 73 6E 61 6B 65 } // "node_snake" hex
condition: any of them
}
  1. Understanding the Ransomware Supply Chain: From Access Brokers to Crypters

The post highlights that different actors share infrastructure, crypters, downloaders, and access relationships. Interlock’s links to TAG‑124 (Landupdate808, KongTuke) and Rhysida’s possible links to IceNova/Latrodectus operators illustrate a layered ecosystem. As a defender, you must map the pre‑ransomware phases.

Step‑by‑step guide: Tracing shared infrastructure using open source intelligence (OSINT)

  • DNS and IP correlation:
    `dig +short ` and `nslookup ` – check for overlapping A records.

Use `virustotal` CLI (if API key):

`vt domain | grep -E “resolutions|communicating”`

  • Passive DNS analysis (Linux):
    `curl -s “https://api.securitytrails.com/v1/domain//subdomains” -H “APIKEY: yourkey”` – look for subdomains associated with both Interlock and Rhysida.

  • Windows PowerShell threat intelligence lookup:
    `Invoke-RestMethod -Uri “https://otx.alienvault.com/api/v1/indicators/IPv4//general” | ConvertTo-Json` – identify if an IP is tied to known ransomware downloaders.

  1. Hunting the Crypter and Loader Chains: Tomb vs. JunkFiction

Rhysida uses the Tomb crypter (aka Textshell, pkr_mtsi), while Interlock uses JunkFiction crypter. Both serve to obfuscate the final ransomware payload. Detecting these crypters in memory or on disk can block the attack before encryption.

Step‑by‑step guide: Memory forensics for crypted payloads

  • Linux memory acquisition (LiME):

`sudo insmod ./lime.ko “path=/tmp/mem.lime format=lime”`

Then analyze with Volatility 3:

`python3 vol.py -f /tmp/mem.lime windows.pslist.PsList` – look for injected processes.

  • Windows real‑time detection using Sysmon (configure Event ID 7 for image loaded):

Enable Sysmon config with rule:

`

Crypter

`

Query events: `Get-WinEvent -FilterHashtable @{LogName=’Microsoft-Windows-Sysmon/Operational’; ID=7} | Where-Object {$_.Message -match “Tomb|JunkFiction”}`

  • Extracting crypter strings (Linux `strings` command):

`strings -1 8 suspicious.exe | grep -iE “pkr_mtsi|textshell|junkfiction”`

  1. Ransomware RaaS Model: How Rhysida Operates and How to Disrupt It

Rhysida has operated as a RaaS since May 2023, using affiliates who deploy Broomstick (Oyster/CleanUpLoader) and Endico downloader. Affiliates may reuse credentials and access from initial access brokers. Defenders can break the chain by isolating affiliate communication channels.

Step‑by‑step guide: Blocking RaaS affiliate tooling

  • Network egress filtering (Linux iptables):
    `sudo iptables -A OUTPUT -d -j DROP` (obtain IPs from IBM report).
    Block known Rhysida C2 ports (typically 443, 8080, 4443):
    `sudo iptables -A OUTPUT -p tcp –dport 4443 -j DROP`
  • Windows Firewall via PowerShell:
    `New-1etFirewallRule -DisplayName “Block Rhysida C2” -Direction Outbound -RemoteAddress 185.xxx.xxx.0/24 -Action Block`
    Block specific loaders: `Set-MpPreference -ExclusionProcess “”` – but instead, use Attack Surface Reduction rules:

`Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled`

5. Incident Response Playbook for Overlapped Ransomware Families

Given the shared tooling, an attack using InterlockRAT could later deploy Rhysida ransomware. IR teams must assume cross‑contamination.

Step‑by‑step guide: Unified containment

  • Isolate host (Linux): `sudo ip link set down`

Windows: `netsh interface set interface “Ethernet0” admin=disable`

  • Collect volatile artifacts (Linux):

`sudo tar -czf /tmp/forensics.tar.gz /var/log /etc/cron /home//.bash_history`

  • Windows using KAPE (Kroll Artifact Parser Extractor):
    `kape.exe –tsource C:\ –tdest D:\output –target !SANS_Triage –module !EZViewer`

  • Check for shared indicators:

  • Process names: NodeSnake.exe, InterlockRAT.dll, `Supper.svc`
    – Registry persistence (Windows):
    `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /s | findstr /i “interlock rhysida”`

What Undercode Say:

  • Key Takeaway 1: Ransomware groups are not silos; Interlock and Rhysida share a common pool of malware developers and crypters, making attribution less important than hunting shared behavioral indicators.
  • Key Takeaway 2: Defenders must shift focus from the final ransomware payload to the pre‑ransomware ecosystem—loaders, backdoors, and access brokers—because these are the true points of resilience.

Analysis (10 lines): The IBM‑driven research confirms what seasoned CTI analysts have suspected: the ransomware economy operates like legitimate software supply chains. Interlock’s use of NodeSnake and Rhysida’s use of Supper variants with nearly identical code paths strongly suggest a shared developer group or a paid toolkit reused across brands. This means that a single mitigation (e.g., blocking JunkFiction crypter) can disrupt multiple ransomware operations simultaneously. However, the agility of these groups—constantly renaming and recompiling loaders—requires automated behavioral detection rather than static signatures. Organizations should prioritize endpoint detection that flags unusual process injection, dynamic API resolution, and outbound shell traffic. The overlapping infrastructure also implies that threat intel sharing across sectors could yield disproportionate defensive gains.

Expected Output:

Prediction:

  • -1: The shared toolkit model will accelerate ransomware evolution, allowing even low‑skill affiliates to deploy sophisticated payloads like Rhysida without developing their own malware, leading to a surge in attacks through 2026.
  • -1: As access brokers become more intertwined with ransomware groups (e.g., TAG‑124 supplying Interlock), the average dwell time will decrease, making manual IR almost impossible without automated SOAR playbooks.
  • +1: Detection of shared crypters and loaders through memory forensics and YARA rules will mature into commodity EDR features, forcing ransomware developers to invest in heavier obfuscation, which raises their operational costs.
  • -1: Smaller organizations that rely solely on signature‑based antivirus will face near‑certain compromise because the overlapping supply chain produces unique, polymorphic downloaders faster than signature updates.
  • +1: Threat hunting teams that adopt the “pre‑ransomware ecosystem” mindset will achieve higher mean time to detection (MTTD) improvements than those focusing on final payloads, as crypters and loaders are more predictable than encryption routines.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Flavioqueiroz Ransomware – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky

Related Posts: