2025-07-31

#StopRansomware Outlines Defensive Tactics Against Interlock

Level: Tactical | Source: CISA | Global


The Interlock ransomware group, active since at least September 2024, continues to grow as a credible and evolving threat to organizations across North America and Europe, as reported by the FBI, CISA, HHS, and MS-ISAC. According to the agencies’ joint advisory, based on intelligence collected as of June 2025, Interlock is assessed to be "opportunistic and financially motivated in nature and employ tactics to infiltrate and disrupt the victim’s ability to provide their essential services." The actors target victims based on opportunity, without strict industry or geographic focus. CISA and its partner agencies note that Interlock actors deploy ransomware variants for both Windows and Linux environments and have been observed encrypting virtual machines (VMs). "The FBI maintains these actors target their victims based on opportunity, and their activity is financially motivated." The group uses a double extortion model—encrypting data and threatening to leak it—to pressure victims into payment. Open-source intelligence and agency findings also indicate tactical overlaps with the Rhysida ransomware family, suggesting potential code-sharing or operational ties within the broader cybercriminal ecosystem.

Interlock’s tactics, techniques, and procedures (TTPs) begin with initial access typically obtained through drive-by downloads from compromised websites, delivering malware disguised as legitimate security software or browser updates, using filenames such as “FortiClient.exe,” “GlobalProtect.exe,” or “Cisco-Secure-Client.exe.” Another common method is a social engineering technique called ClickFix, and more recently a variant referred to as FileFix. The ClickFix method presents users with a fake CAPTCHA, instructing them to open the Windows Run dialog and paste a clipboard payload—a Base64-encoded PowerShell command that initiates the infection chain. This PowerShell script drops a file into the Windows Startup folder and adds further persistence through a registry run key named “Chrome Updater.” Interlock actors also employ “rundll32.exe” to execute malicious binaries such as “tmp41.wasd”—a technique that deviates from the tool’s intended DLL execution use.
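The initial-access chain above leaves three telemetry shapes a defender can key on: a PowerShell process carrying a Base64-encoded command (the Run-dialog paste), a Run-key value named “Chrome Updater,” and rundll32.exe being handed a file that is not a .dll. The following is an added detection sketch, not code from the advisory or from Anvilogic; the event records are constructed, the field names (type, host, parent, image, cmdline, key, value_name) are assumed to mirror a Sysmon-style feed, and the explorer.exe-parent check is an assumption that a command pasted into the Run dialog is spawned by explorer.exe.

```python
import base64
import re

# Constructed sample telemetry (not from the advisory). Field names loosely follow a
# Sysmon-style process-create / registry-value-set schema; adjust to your own source.
ENC_PAYLOAD = base64.b64encode("Get-Date".encode("utf-16-le")).decode()  # benign stand-in command
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc " + ENC_PAYLOAD},
    {"type": "registry", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Chrome Updater", "data": r"C:\Users\u\AppData\Local\update.exe"},
    {"type": "process", "host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\tmp41.wasd,EntryPoint"},
    {"type": "process", "host": "ws02", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},          # benign rundll32 use
    {"type": "process", "host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},             # benign explorer child
]

# -e / -ec / -en / -enc / -encodedcommand followed by a Base64 blob
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Run-key value name reported in the advisory; extend with your own watch list
SUSPICIOUS_RUN_VALUES = {"chrome updater"}


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE) or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rundll32_non_dll_target(cmdline):
    """rundll32 normally loads a .dll; return the first argument if it has another extension."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2 or not parts[0].lower().strip('"').endswith("rundll32.exe"):
        return None
    target = parts[1].split(",", 1)[0].strip().strip('"')
    return None if target.lower().endswith(".dll") else target


def suspicious_run_key(event):
    """Flag a Run-key value whose name is on the watch list."""
    if event["type"] != "registry" or not event["key"].lower().endswith(r"\currentversion\run"):
        return None
    name = event["value_name"]
    return name if name.lower() in SUSPICIOUS_RUN_VALUES else None


def scan(events):
    """Return (host, rule, detail) tuples for every matching event."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            decoded = decode_encoded_powershell(ev["cmdline"])
            if decoded is not None:
                findings.append((ev["host"], "encoded_powershell", decoded))
                # Assumption: a command pasted into the Run dialog is spawned by explorer.exe,
                # so explorer -> powershell with an encoded command is the ClickFix shape.
                if ev["parent"].lower().endswith("\\explorer.exe"):
                    findings.append((ev["host"], "clickfix_run_dialog", ev["image"]))
            target = rundll32_non_dll_target(ev["cmdline"])
            if target:
                findings.append((ev["host"], "rundll32_non_dll", target))
        else:
            name = suspicious_run_key(ev)
            if name:
                findings.append((ev["host"], "run_key_persistence", name))
    return findings


if __name__ == "__main__":
    for host, rule, detail in scan(SAMPLE_EVENTS):
        print(f"{host:6} {rule:22} {detail}")
```

Decoding the encoded command rather than merely flagging the flag matters in triage: the decoded text is what an analyst reads to decide whether the Startup-folder drop and the Run key that follow are part of the same chain. Legitimate update agents should be allowlisted by full path before the Run-key rule goes to production.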

After execution, Interlock actors carry out system reconnaissance using native and third-party tools. PowerShell commands like “systeminfo,” “tasklist,” “Get-Service,” “Get-PSDrive,” and “arp -a” are run to collect system and network information. External tools such as Advanced Port Scanner are also used to identify other reachable systems and services. This reconnaissance sets the stage for lateral movement and privilege escalation. Credential theft tools including “cht.exe” and keylogger binaries such as “klg.dll” are deployed, often alongside Lumma Stealer and Berserk Stealer. These tools extract stored browser credentials, saved login details, and keystrokes—typically saved in files like “conhost.txt”—to support credential harvesting and internal movement.
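Each of the discovery commands listed above is unremarkable on its own; what stands out is several distinct ones from the same host inside a short window, optionally accompanied by the credential-theft artefacts the advisory names. The following is an added example of that windowed correlation, written for this summary and not taken from the advisory or from Anvilogic; the process-creation events are constructed, and the ten-minute window and three-command threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands named in the advisory (matched case-insensitively as whole tokens)
RECON_COMMANDS = {
    "systeminfo": "systeminfo",
    "tasklist": "tasklist",
    "get-service": "Get-Service",
    "get-psdrive": "Get-PSDrive",
    "arp -a": "arp -a",
}
# Credential-theft artefacts named in the advisory
CRED_THEFT_ARTIFACTS = ("cht.exe", "klg.dll", "conhost.txt")

WINDOW = timedelta(minutes=10)   # constructed tuning values
THRESHOLD = 3                    # distinct recon commands per host within WINDOW

# Constructed process-creation events: (timestamp, host, user, command line)
SAMPLE_EVENTS = [
    ("2025-06-01T10:00:05", "srv01", "jdoe", "systeminfo"),
    ("2025-06-01T10:00:09", "srv01", "jdoe", "tasklist /v"),
    ("2025-06-01T10:00:30", "srv01", "jdoe", "powershell.exe -c Get-Service"),
    ("2025-06-01T10:01:02", "srv01", "jdoe", "arp -a"),
    ("2025-06-01T10:02:00", "srv01", "jdoe", r"C:\Users\jdoe\AppData\Local\Temp\cht.exe"),
    ("2025-06-01T09:00:00", "ws07", "admin", "systeminfo"),   # isolated admin use: no alert
    ("2025-06-01T11:30:00", "ws07", "admin", "tasklist"),
]


def classify(cmdline):
    """Return the set of labels (recon command names and 'cred:<file>') a command line matches."""
    low = cmdline.lower()
    labels = {label for key, label in RECON_COMMANDS.items()
              if re.search(r"\b" + re.escape(key) + r"\b", low)}
    labels |= {"cred:" + a for a in CRED_THEFT_ARTIFACTS if a in low}
    return labels


def recon_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Per host, report the first window holding >= threshold distinct recon commands."""
    per_host = defaultdict(list)
    for ts, host, _user, cmd in events:
        per_host[host].append((datetime.fromisoformat(ts), classify(cmd)))
    findings = {}
    for host, rows in per_host.items():
        rows.sort(key=lambda r: r[0])
        cred = sorted({lab for _, labels in rows for lab in labels if lab.startswith("cred:")})
        for i, (start, _) in enumerate(rows):
            seen = set()
            for ts, labels in rows[i:]:
                if ts - start > window:
                    break
                seen |= {lab for lab in labels if not lab.startswith("cred:")}
            if len(seen) >= threshold:
                findings[host] = {"window_start": start.isoformat(),
                                  "recon": sorted(seen), "cred_theft": cred}
                break
    return findings


if __name__ == "__main__":
    for host, finding in recon_bursts(SAMPLE_EVENTS).items():
        print(host, finding)
```

Counting distinct commands rather than raw events keeps a single looping monitoring script from tripping the rule, while an interactive operator stepping through systeminfo, tasklist, Get-Service and arp -a in sequence does.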

Interlock’s command-and-control infrastructure makes use of Cobalt Strike, SystemBC, Interlock RAT, and NodeSnake RAT for remote control and payload delivery. Supporting utilities such as PuTTY and AnyDesk allow for file transfers and interactive access, with ScreenConnect also observed in recent incidents. Lateral movement is carried out using Remote Desktop Protocol (RDP) with stolen credentials, PsExec, and remote access software. Once internal access is established, files are staged for exfiltration via Azure Storage Explorer, then transferred out using AzCopy or WinSCP. These steps are immediately followed by ransomware deployment.

The ransomware payloads deployed by Interlock actors, compiled in C/C++, target both Windows and Linux systems, and a FreeBSD ELF encryptor has been observed in some cases. Files are encrypted using AES and RSA, and affected data is renamed with extensions like “.interlock” or “.1nt3rlock.” The payload is frequently delivered as a binary named “conhost.exe” to blend in with legitimate processes. In at least one case, the encryption binary was deleted after execution using a DLL called by rundll32.exe, in an apparent effort to eliminate forensic evidence. Victims are issued a ransom note titled “!README!.txt” via Group Policy Object (GPO), which contains a unique identifier and directs them to contact the operators through a Tor-based .onion address. "Interlock actors do not leave an initial ransom demand or payment instructions on compromised networks, and do not relay this information until contacted by the victim," according to the agencies. This approach complicates incident response and delays negotiation, adding an additional layer of pressure on targeted organizations.
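The encryption stage described above produces file-system signals that are worth alerting on even when the binary itself is gone: a burst of renames to the “.interlock” or “.1nt3rlock” extension, creation of “!README!.txt,” and a process named conhost.exe running from somewhere other than its system directory. The following is an added example of those checks over file-activity records, written for this summary rather than taken from the advisory or from Anvilogic; the events are constructed, the five-minute window and five-rename threshold are assumed tuning values, and the conhost.exe location check assumes %SystemRoot%\System32 is the only legitimate home for that binary in the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXTS = (".interlock", ".1nt3rlock")   # extensions named in the advisory
RANSOM_NOTE = "!readme!.txt"                    # note filename named in the advisory
WINDOW = timedelta(minutes=5)                   # constructed tuning values
RENAME_THRESHOLD = 5

# Constructed file-activity events: (timestamp, host, acting process, action, path)
_TMP_CONHOST = r"C:\Users\svc\AppData\Local\Temp\conhost.exe"
SAMPLE_FILE_EVENTS = [
    ("2025-06-02T02:10:00", "srv02", _TMP_CONHOST, "rename", r"D:\data\q1.xlsx.interlock"),
    ("2025-06-02T02:10:01", "srv02", _TMP_CONHOST, "rename", r"D:\data\q2.xlsx.interlock"),
    ("2025-06-02T02:10:01", "srv02", _TMP_CONHOST, "rename", r"D:\data\plan.docx.interlock"),
    ("2025-06-02T02:10:02", "srv02", _TMP_CONHOST, "rename", r"D:\data\hr.pdf.1nt3rlock"),
    ("2025-06-02T02:10:03", "srv02", _TMP_CONHOST, "rename", r"D:\data\img.png.interlock"),
    ("2025-06-02T02:10:04", "srv02", _TMP_CONHOST, "rename", r"D:\data\db.bak.interlock"),
    ("2025-06-02T02:11:00", "srv02", r"C:\Windows\System32\cmd.exe", "create", r"D:\data\!README!.txt"),
    # benign activity on another host: real conhost, ordinary rename
    ("2025-06-02T02:00:00", "fs01", r"C:\Windows\System32\conhost.exe", "create", r"C:\Temp\out.txt"),
    ("2025-06-02T02:05:00", "fs01", r"C:\Windows\System32\robocopy.exe", "rename", r"C:\Temp\out.txt.bak"),
]


def is_encrypted_name(path):
    return path.lower().endswith(ENCRYPTED_EXTS)


def masquerading_conhost(process_path):
    """True for a conhost.exe outside %SystemRoot%\\System32.
    Assumption: no legitimate copy lives elsewhere in this environment; adjust for your image."""
    p = process_path.lower().replace("/", "\\")
    return p.endswith("\\conhost.exe") and not p.endswith("\\windows\\system32\\conhost.exe")


def max_in_window(times, window):
    """Largest count of sorted timestamps falling within any span of length `window`."""
    best = j = 0
    for i, start in enumerate(times):
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def ransomware_activity(events, window=WINDOW, threshold=RENAME_THRESHOLD):
    """Per host, combine rename bursts, ransom-note drops and conhost masquerades into one finding."""
    per_host = defaultdict(list)
    for ts, host, proc, action, path in events:
        per_host[host].append((datetime.fromisoformat(ts), proc, action, path))
    findings = {}
    for host, rows in per_host.items():
        rows.sort(key=lambda r: r[0])
        renames = [ts for ts, _, action, path in rows if action == "rename" and is_encrypted_name(path)]
        notes = [path for _, _, action, path in rows
                 if action == "create" and path.lower().endswith(RANSOM_NOTE)]
        masq = sorted({proc for _, proc, _, _ in rows if masquerading_conhost(proc)})
        burst = max_in_window(renames, window)
        if burst >= threshold or notes or masq:
            findings[host] = {"encrypted_renames_in_window": burst,
                              "ransom_notes": notes, "masquerading_processes": masq}
    return findings


if __name__ == "__main__":
    for host, finding in ransomware_activity(SAMPLE_FILE_EVENTS).items():
        print(host, finding)
```

The rename-burst check is the one that fires earliest during encryption, which is why it is scored separately from the ransom-note check; by the time “!README!.txt” lands via GPO, the data on that host is already encrypted, so the note is better treated as confirmation and scoping evidence than as the first alert.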
