
Interlock and Rhysida Ransomware Operations Share Supper Backdoor and Malware Codebase
Unmasking the Nexus: Interlock, Rhysida, and the Shared Supper Backdoor
The ransomware landscape is a constantly shifting battleground, with new threats emerging and established groups evolving their tactics. However, recent intelligence has unveiled a more intricate connection between two prominent and highly active ransomware operations: Interlock and Rhysida. Far from being independent entities, new research indicates that these groups share a common and potent backdoor, dubbed “Supper,” and that their malicious toolsets likely originated from the same foundational codebase. This revelation drastically alters our understanding of their operational dynamics and underscores the importance of a unified defense strategy.
The Shared Lineage: Supper Backdoor and Malware Codebase
The core finding of this new research is the explicit link between Interlock (internally tracked as Hive0163) and Rhysida through the “Supper” backdoor. This is not simply a case of similar techniques; the shared backdoor suggests a direct connection, implying shared development resources, operational collaboration, or even a common origin point for their cybercriminal endeavors. Furthermore, the analysis points to a shared codebase for several of their respective malware tools. This indicates that while their public-facing operations might appear distinct, their underlying technical framework possesses significant overlap. Such a shared foundation can expedite their development cycles, enhance their offensive capabilities, and make them more resilient to individual takedowns.
The existence of a common codebase suggests various possibilities:
- Joint Development: The groups might be collaborating on the development of their tools and backdoors.
- Code Resale or Licensing: One group might be selling or licensing their developed tools to the other.
- Forked Projects: Both groups might have originated from a single, larger criminal entity that later splintered, with each carrying forward a version of the original toolkit.
Understanding Interlock and Rhysida Operations
Both Interlock and Rhysida have established themselves as significant threats. Interlock, also known as Hive0163, has been a persistent force in the ransomware arena, targeting organizations across various sectors. Rhysida, similarly, has gained notoriety for its aggressive tactics and double extortion schemes, often exfiltrating sensitive data before encryption to increase leverage over victims. The discovery of their shared technical infrastructure behind the scenes reveals a sophisticated operation that is more interconnected than previously perceived.
Their operational convergence through “Supper” implies a more efficient and potentially more dangerous threat. If the two groups can draw on the same exploitation capabilities or adapt their tools based on shared intelligence, their collective impact could be significantly amplified. A shared codebase allows rapid iteration and deployment of new attack vectors, making it harder for organizations to predict and defend against their evolving threats.
Remediation Actions for a Unified Threat
Given the interconnected nature of these ransomware groups, a multi-faceted and proactive defense strategy is paramount. Organizations must assume a higher level of sophistication from these actors and implement robust security measures.
- Patch Management: Regularly update all operating systems, applications, and firmware to close known vulnerabilities. Many ransomware attacks exploit publicly known weaknesses. Always refer to vendor advisories and patch promptly.
- Strong Endpoint Protection: Deploy advanced endpoint detection and response (EDR) solutions capable of identifying and blocking malicious activities, including those associated with backdoors like Supper.
- Network Segmentation: Isolate critical systems and sensitive data from the rest of the network. This minimizes the lateral movement of ransomware once a perimeter has been breached.
- Multi-Factor Authentication (MFA): Implement MFA for all remote access, administrative accounts, and critical systems to prevent unauthorized access even if credentials are compromised.
- Regular Backups and Recovery Plans: Maintain offsite, immutable backups of all critical data and regularly test recovery procedures. This is the last line of defense against data loss.
- Security Awareness Training: Educate employees on phishing, social engineering, and other common attack vectors used to gain initial access. A strong human firewall is crucial.
- Threat Intelligence Integration: Subscribe to and actively utilize threat intelligence feeds that track ransomware groups like Interlock and Rhysida. This allows for proactive defense based on their known tactics, techniques, and procedures (TTPs).
- Incident Response Plan: Develop and regularly test a comprehensive incident response plan for ransomware attacks. Knowing how to react quickly and effectively can significantly mitigate damage.
Conclusion
The discovery of the shared “Supper” backdoor and malware codebase between Interlock and Rhysida ransomware operations is a critical piece of intelligence for the cybersecurity community. It highlights the growing sophistication and potential collaboration within the cybercriminal underworld. Organizations must recognize that threats often operate with hidden interconnections, requiring a comprehensive and adaptive defense strategy. By implementing robust preventative measures, maintaining vigilant monitoring, and preparing for rapid response, we can collectively strengthen our defenses against these intertwined and evolving ransomware threats.