
Key Takeaways:
- Interlock ransomware actors have accelerated attacks on North American and European organizations since late 2023.
- Threat actors are leveraging social engineering tactics, remote access tools, and credential theft to deploy ransomware payloads.
- Infections are delivered via drive-by downloads and phishing lures disguised as software updates or CAPTCHA tests.
- The ransomware campaign uses a double extortion model—encrypting files while threatening to leak stolen data.
- Federal agencies urge organizations to implement MFA, restrict administrative privileges, and patch systems immediately.
A Growing and Sophisticated Threat
The FBI, CISA, HHS, and MS-ISAC issued a joint advisory on July 22, 2025, warning that Interlock ransomware is rapidly evolving into a significant threat to both public and private sector organizations across the United States and Europe. According to the advisory, incidents involving Interlock have intensified in recent months, particularly impacting critical infrastructure providers and healthcare entities.
The Interlock ransomware campaign is notable for its dual extortion strategy, creative infection methods, and tailored targeting. The threat group responsible for these attacks remains unidentified but they operate a leak site accessible via Tor where victims are pressured to pay ransoms or risk the public release of stolen data.
While ransomware threats are not new, the mechanics of this campaign reveal increasingly professional tactics and an aggressive operational tempo.
In Related News
This important government alert is not isolated- other important and recent news relating to cybersecurity includes the fact that nearly half of respondents say they have stopped buying after a company they work with has been hacked. The New York State Health Department issued an Urgent Cybersecurity alert just last week. A new law signed by Governor Kathy Hochul requires New York municipalities to adopt formal cybersecurity standards, including risk assessments, cybersecurity leadership, and mandatory reporting. Why workers in the US and UK hide attacks and how a managed cybersecurity strategy can keep companies secure.
Infection Vector: Weaponized Software Updates
One of the more concerning developments is Interlock's use of drive-by downloads—an infection method rarely seen in ransomware campaigns. These are deployed through compromised legitimate websites that trick users into executing malicious PowerShell scripts under the pretense of software updates or CAPTCHA verification. Lures such as "FileFix" and "ClickFix" mimic Chrome update prompts and encourage victims to run what appears to be a legitimate update file.
Once clicked, the script initiates background processes to establish persistence, steal credentials, and download the ransomware payload. According to CISA’s analysis, infections were detected as recently as June 2025, indicating the campaign is ongoing and active.
Persistence and Lateral Movement
Post-compromise, Interlock actors install remote access tools like Cobalt Strike, Node.js-based tools such as NodeSnake, and legitimate applications like AnyDesk and PuTTY. These tools are used for system reconnaissance, persistence, and lateral movement.
The malware maintains access by creating registry keys for persistence and utilizes living-off-the-land binaries (LOLBins) to blend in with legitimate processes. It also uses tools such as PsExec and WMI to spread within a network, enabling wide-scale infection before any ransomware payload is deployed.
In more advanced intrusions, actors have been observed leveraging Kerberoasting techniques to gain access to domain administrator credentials, significantly increasing the impact radius of the attack.
Credential Theft and Exfiltration
Credential theft is central to the Interlock attack chain. Threat actors use tools like klg.dll (a keylogger), Berserk Stealer, and a binary named cht.exe to extract credentials from browsers, operating systems, and network services.
Data exfiltration precedes encryption. Exfiltration is performed using AzCopy or Azure Storage Explorer—tools designed for legitimate cloud storage management. This phase is critical to the actors’ extortion strategy, as they threaten to release sensitive files on their data leak site if ransom demands are not met.
Encryption and Ransom Note Delivery
The actual ransomware payload is dropped under misleading filenames such as conhost.exe or removeme. Once executed, the malware encrypts files and appends .interlock or .1nt3rlock extensions to impacted data. Victims then receive a ransom note instructing them to visit a unique Tor-based .onion site using a contact ID.
Notably, some victims reported that the ransom notes were distributed across the network using Group Policy Objects (GPO), a method rarely seen but effective for organization-wide notification.
Target Profile
While the campaign has struck a range of targets, it has shown a particular focus on healthcare entities, managed service providers (MSPs), and municipal governments. CISA reports that even FreeBSD virtual machines have been infected in some cases, demonstrating the cross-platform capability of the malware.
The attacks appear opportunistic but deliberate, suggesting reconnaissance and victim profiling play a role before deployment. Victims often discover the breach only after encryption has completed, making containment and recovery more difficult.
Federal Recommendations
CISA and its partner agencies recommend immediate action by IT and security teams to limit the blast radius of potential Interlock attacks. These recommendations include:
- Enabling multi-factor authentication (MFA) across all services, particularly for administrative accounts.
- Restricting PowerShell usage through group policy or endpoint management tools.
- Removing unnecessary remote management tools such as AnyDesk, TeamViewer, and similar utilities.
- Regularly auditing Active Directory permissions and removing stale or unnecessary accounts.
- Implementing network segmentation to isolate critical systems from administrative endpoints.
- Conducting regular offline backups and validating backup integrity.
Implications for MSPs and Healthcare Providers
The campaign’s targeting of MSPs presents a significant supply chain risk. A single compromised MSP could serve as an entry point into dozens or even hundreds of downstream client environments. Likewise, healthcare organizations face regulatory and reputational risks when protected health information (PHI) is exposed.
The fact that attackers use commercial-grade penetration testing tools and cloud management utilities reflects their operational maturity. It also underscores the need for organizations of all sizes to treat ransomware not as a commodity threat, but as a potentially customized and devastating attack.
As always, disclosure and transparency will be key to containing fallout. Organizations are advised to report any suspicious activity to CISA or the FBI, even if ransomware deployment has not yet occurred.
Conclusion
Interlock ransomware represents a sophisticated and escalating threat that blends social engineering, credential theft, and operational stealth. The tactics used—drive-by infections, use of legitimate tools, and double extortion—highlight the continued evolution of ransomware actors. Organizations should assume that if one layer of their defenses fails, the attack could move quickly toward data exfiltration and encryption.
With an increasing number of attacks being reported in 2025, and with the advisory detailing infections as recently as June, federal agencies are urging all sectors to elevate their defensive posture and harden against these techniques.
Thanks to customers like you - Apex Technology Services has been named a Top 7 New York City MSP by TMC Catalyst Reports - we appreciate your 5-star reviews!