Surge in Interlock Ransomware Attacks

Published Date: July 25, 2025

Category: ShadowOpsIntel

Interlock ransomware is a financially motivated group active since September 2024, targeting organizations in North America and Europe, including critical infrastructure. It uses a double extortion model, exfiltrating and encrypting data, then directing victims to a .onion site without upfront ransom demands. The group mainly targets virtual machines and cloud-based environments, uses advanced social engineering, PowerShell-based persistence, and supports cross-platform encryption on Windows, Linux, and FreeBSD.

Severity Level: High

Threat Details

Threat Actor: Financially motivated, opportunistic group
Targeted Sectors: Healthcare, Education, Manufacturing, Government, Public Sector, BFSI, Technology, Construction, Hospitality and Tourism
Regions Impacted: North America, Europe
Confirmed Campaigns (to date): around 56 claimed ransomware incidents
Delay between attack and claim: ~ 41 days
Peak Activity: March – July 2025
Initial access via:
- Drive-by downloads from compromised legitimate sites
- Fake browser or security software updates
- “ClickFix” technique tricking users into pasting malicious PowerShell via fake CAPTCHA
Ransom Note: !README!.txt, delivered via GPO, directs victim to .onion site (no upfront demand)
Encryption Details: 64-bit executables, .interlock/.1nt3rlock extensions, AES + RSA encryption
Latest Notable Victims: DaVita, Kettering Health, Anderson & Karrenberg, etc.

Malware & Tooling

COMPONENT	EXAMPLES
RATs & Payloads	Aisa.exe, Autostart.exe, conhost.dll, cleanup.dll (SystemBC)
Credential Tools	cht.exe, klg.dll, Lumma Stealer, Berserk Stealer
Remote Tools	AnyDesk.exe, putty.exe, ScreenConnect.ClientService.exe
Exfil Tools	StorageExplorer.exe, WinSCP-6.3.5-Setup.exe
Other	Fake security software like SophosendpointAgent.exe, FortiClient.exe used in decoy delivery

MITRE ATT&CK

Tactic	Technique	ID	Details
Initial Access	Drive-By Compromise	T1189	Compromised websites and fake software/security updates (e.g., FortiClient.exe, GlobalProtect.exe).
Execution	User Execution: Malicious Copy and Paste	T1204.004	ClickFix CAPTCHA trick uses clipboard-pasted PowerShell execution.
Execution	Command and Scripting Interpreter: PowerShell	T1059.001	Drops files, modifies registry, and executes recon commands via PowerShell.
Persistence	Registry Run Keys / Startup Folder	T1547.001	RAT placed in Startup folder and registry key “Chrome Updater” for persistence.
Privilege Escalation	Valid Accounts: Domain Accounts	T1078.002	Domain admin accounts compromised to elevate privileges.
Defense Evasion	Defense Evasion (General)	TA0005	Linux: removeme function deletes encryptor binary.
	Masquerading: Match Legitimate Resource Name or Location	T1036.005	Files disguised as conhost.exe, conhost.txt, and fake “Chrome Updater”.
	System Binary Proxy Execution: Rundll32	T1218.011	use rundll32.exe to proxy execution of a malicious DLL binary tmp41.wasd
	Indicator Removal: File Deletion	T1070.004	tmp41.wasd deletes encryption binary to evade detection.
Credential Access	Credential Access (General)	TA0006	cht.exe, Lumma Stealer, and Berserk Stealer harvest credentials.
	Credentials from Password Stores: Web Browsers	T1555.003	Stealers grab browser login data and URLs.
	Input Capture	T1056	Info stealers like Lumma capture user input.
	Keylogging	T1056.001	klg.dll logs keystrokes in a file named conhost.txt
	Steal or Forge Kerberos Tickets: Kerberoasting	T1558.003	Used to escalate and compromise domain admin accounts.
Discovery	System Owner/User Discovery	T1033	WindowsIdentity.GetCurrent() to identify current user.
	System Information Discovery	T1082	systeminfo, Get-PSDrive gather OS and hardware details.
	System Service Discovery	T1007	tasklist /svc, Get-Service enumerate services.
	System Network Configuration Discovery	T1016	arp -a reveals network endpoints.
Lateral Movement	Valid Accounts	T1078	Stolen credentials used for lateral movement.
Lateral Movement	Remote Services: Remote Desktop Protocol	T1021.001	Used to access other systems with valid creds.
Collection	Data from Cloud Storage	T1530	Uses StorageExplorer.exe to navigate Azure Storage.
Command and Control	Command and Control (General)	TA0011	C2 via Cobalt Strike, SystemBC, and RATs.
	Ingress Tool Transfer	T1105	Payload delivery (e.g., cht.exe, klg.dll, RATs) via fake updates.
	Remote Access Software	T1219	AnyDesk and PuTTY used for control and movement.
Exfiltration	Exfiltration Over Web Service: Exfiltration to Cloud Storage	T1567.002	Data uploaded using AzCopy to Azure blob.
Exfiltration	Exfiltration Over Alternative Protocol	T1048	WinSCP used for exfiltration via non-standard protocols.
Impact	Data Encrypted for Impact	T1486	AES+RSA encryption on Windows, Linux, and FreeBSD systems.
Impact	Financial Theft	T1657	Actors use a double-extortion model, both encrypting victim data and threatening release of victim data on their Tor network leak site if the ransom is not paid.

Recommendations

Keep all operating systems, software, and firmware up to date; prioritize patching known exploited vulnerabilities in internet-facing systems.
Enforce MFA for all users, especially for VPN, RDP, and cloud services.
Train users to avoid clicking CAPTCHA-like prompts that instruct them to open Windows + R and paste clipboard data.
Use external sender banners and disable links in emails where possible.
Restrict RDP and SSH Access. Identify unauthorized use of tools like AnyDesk, ScreenConnect, PuTTY.
Disable unnecessary scripting and command-line execution tools.
Maintain offline, encrypted, immutable backups. Test and validate restore procedures regularly.
Block the IOCs at their respective controls https://www.virustotal.com/gui/collection/b0e70c0df4c835605642a407bd4d9565a74d7a800d934e5aeef7c42826fbaca2/iocs

Source:

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.