The US agencies CISA, FBI, HHS, and MS-ISAC have released a joint alert on Interlock ransomware attacks against critical infrastructure, businesses, and other organizations in North America and Europe.
Active since September 2024, Interlock is targeting both Windows and Linux systems with malware designed to encrypt virtual machines, and has been relying on drive-by downloads for the initial compromise.
Interlock’s operators, the US government agencies explain, are compromising legitimate websites and using the ClickFix social engineering technique to trick victims into executing malicious code on their systems. More recently, the hackers switched to FileFix attacks.
Previously, the ransomware group was relying on fake Google Chrome or Microsoft Edge browser updates for code deployment.
The hackers were seen deploying a RAT to drop a file in the Windows Startup folder and achieve persistence, but also executing PowerShell commands to modify Windows Registry keys for the same purpose.
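The two persistence locations named above (Startup folder entries and Run/RunOnce registry values written via PowerShell) can be audited in a few lines. The script below is an added example for this article, not code from the advisory; the registry paths and Startup folder locations are the standard Windows ones, while the regular expression of suspicious patterns is a heuristic chosen for this example rather than an indicator from the advisory.

```powershell
# Added example: read-only audit of Run/RunOnce keys and Startup folders.
# Run elevated to cover HKLM and the all-users Startup folder.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
# Heuristic patterns chosen for this example (not advisory indicators):
# script hosts, encoded/hidden PowerShell, and user-writable paths.
$suspicious = 'powershell|pwsh|-enc|-encodedcommand|bypass|hidden|\\AppData\\|\\Temp\\|\\Users\\Public\\'
$metaProps  = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

$findings = @(foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $item = Get-ItemProperty -Path $key
  foreach ($prop in $item.PSObject.Properties) {
    if ($prop.Name -in $metaProps) { continue }   # skip provider metadata
    [pscustomobject]@{
      Location = $key
      Name     = $prop.Name
      Command  = [string]$prop.Value
      Flag     = ([string]$prop.Value) -match $suspicious
    }
  }
})
$findings += @(foreach ($dir in $startupDirs) {
  if (-not (Test-Path $dir)) { continue }
  Get-ChildItem -Path $dir -File -Force | ForEach-Object {
    $target = $_.FullName
    # Resolve .lnk shortcuts so the real target is inspected, not the link.
    if ($_.Extension -eq '.lnk') {
      $target = (New-Object -ComObject WScript.Shell).CreateShortcut($_.FullName).TargetPath
    }
    [pscustomobject]@{
      Location = $dir
      Name     = $_.Name
      Command  = $target
      Flag     = ($target -match $suspicious) -or ($_.Extension -in '.ps1','.bat','.cmd','.vbs','.js','.hta')
    }
  }
})
# Flagged entries sort first; review each against a known-good baseline.
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Entries flagged here are candidates for review, not confirmed malicious; compare them against a baseline image of the host before acting.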
After establishing remote control, the attackers ran PowerShell commands to deploy a credential stealer and a keylogger, and were also seen using information stealers such as Lumma Stealer and Berserk Stealer.
For lateral movement, the ransomware group uses compromised credentials and RDP tools, and deploys legitimate software such as AnyDesk and PuTTY. It also compromises domain administrator accounts to elevate privileges.
The hackers were also seen accessing the victims’ Microsoft Azure Storage accounts and exfiltrating data to the Azure storage blob, using various file transfer tools, including WinSCP. Then they proceed to encrypt VMs.
“Interlock actors employ a double extortion model in which actors encrypt systems after exfiltrating data, which increases pressure on victims to pay the ransom to both get their data decrypted and prevent it from being leaked,” the joint alert reads.
The ransomware group’s ransom notes do not include ransom and payment details, but instruct victims to contact the attackers via a Tor-based website. After the victim contacts them, the hackers ask that a ransom be paid in Bitcoin, threatening to leak the stolen information.
“To date, Interlock actors have been observed encrypting VMs, leaving hosts, workstations, and physical servers unaffected; however, this does not mean they will not expand to these systems in the future,” the joint advisory reads.
Since its emergence in 2024, Interlock has claimed at least three high-profile intrusions, namely Texas Tech University, National Presto Industries, and Kettering Health.